This seems an unfair leap. The most common cause of a checksum mis-match is going to be a partial download or something similar.
It's also not relevant to the current attack since the code was legitimately included in the official release and, as such, baked into the valid checksum results.
Is the proper response to tell a customer to install the package anyway because it's just a partial download or something similar? Regardless, it seems irresponsible.
Regardless of the motivation, cause, mechanism of #2 - #3 is not the appropriate way to handle the problem. Attack is indistinguishable from unintentional corruption. And #3 trains customers to do the wrong thing when they encounter an attack.
The malicious file was signed with the right certificate. So yeah you should ideally be more careful with checksums but there already was a much more robust and secure authentication mechanism and it was defeated.
My employer has a knowledgebase on the public internet that is littered with lists of software and practices. There are thousands of employees. Name dropping software should be a risky thing to do, but that isn't the world we live in.
An employee, possibly. The whole company, unlikely. And either way, even if someone was bribed to introduce the attack there's zero reason to allow the hacked software to be downloaded now.
I work at a large and highly regulated (HIPAA) company and we have the equivalent of Electric Dylan/Pete Seeger with the axe: if someone at the VP+ level declares a major incident, our infosec team has a script that will lock down all inbound/outbound traffic, snapshot all our running machines for later forensics, lock our AWS IAM access down to a single incident response account, and move DNS for our web properties to a "we've been hacked" page. (OK, it obviously doesn't say that, but something similar that has been heavily vetted by legal and marketing ;-)). We've drilled and timed it out and can stop the ship in ~5 minutes.
Either SolarWinds doesn't have a major security incident response plan, or they don't have the stomach to pull the trigger. Neither is promising.
Sounds like a solid information security incident response mechanism!
The only missing piece is making sure that VP+ level folks are not incentivized in any way to suppress incidents. However, that’s beyond infosec—in that treacherous area between information security, shareholder interests and organizational politics.
I wish business continuity planning (which would include infosec procedures but has a much wider overall scope) was paid more attention and more widely scrutinized.
This doesn’t sound like a good incident response plan to me at all, precisely because it provides a very clear incentive to not activate it. If you have to be so sure that you’re having a serious incident that you’re prepared to put a stop to all operations in the organization, then you can be pretty sure that plan is never going to be used.
You’re not going to turn the business off because somebody’s inbox got compromised, or because there’s some unexplained event in the SIEM, and those are the sort of events you’re actually going to have to respond to.
> You’re not going to turn the business off because somebody’s inbox got compromised, or because there’s some unexplained event in the SIEM,
duh, those get handled several pages before "press the red button" is even discussed. You think "turn off the business" is the only page in the playbook?!
> and those are the sort of events you’re actually going to have to respond to.
Tell that to SolarWinds.
You need an IR plan that has appropriate responses to the threats you are facing. But at the scale and impact of a company like SolarWinds it's actually rather reassuring to have a "stop the world" backstop because your threat model absolutely includes catastrophic levels of risk.
And "you won't be incentivized to push the button"? Come on. When things get to "state level adversary on your network, using your software to attack DHS and the Treasury" bad, you're going to absolutely push the button because in a few months when your CEO is answering questions in Congress they'll want to be able to talk about something that went right.
In the real world, you're never going to know that you have a "state level adversary on your network, using your software to attack DHS and the Treasury" until after all the damage has already been done, and you've had enough time to assess the total impact. That's presuming you're even alerted to it in a timely manner. In that scenario, the appropriate response is almost certainly not going to be "turn off the business" and even if it is, it's not going to matter whether you can do it in 5 minutes or 5 hours.
The only scenarios in which you'll have enough information to justify activating this plan are scenarios where you'll also have enough information to respond to the actual threat, rather than just shutting everything down.
It's something that might sound impressive to people who aren't experienced with incident response, but its practical uses are so close to non-existent that any time that was spent developing this solution was most certainly wasted in lieu of doing something actually useful.
Considering HIPAA, upper management could see how not invoking this plan, and correspondingly risking more damage by leaving systems open, on balance could be worse than saving pennies and winging it. If the procedures described make it possible to lock everything down fast and gradually resume operations smoothly, the downtime could be short enough.
The situation would have to be so out of hand by that stage that I can’t imagine being able to do it in 5 minutes would matter. For this scenario to make sense, you’d have to know things were really bad, but not know enough about how bad they are to only isolate the systems you need to.
If you don’t know what’s happened, I can’t imagine you’d know enough about the impact to justify turning the business off. The only scenario I can think of where this plan would make sense is if you find out somehow that you’ve already been the victim of a major breach that you failed to detect, so you think it would be worthwhile to just turn everything off while you figure out what happened (because how much worse can it get at that stage, really?...).
Nothing about this seems impressive to me. It sounds like a plan for people who don’t have a plan.
Also, as a side note, anything that needs executive approval to be done during an incident is (as a general rule of thumb) never going to be done during an incident.
Nah. If we ever had to pull this specific trigger we're already in "mandatory disclosure to individuals whose data was breached, the federal government, and possibly the media" territory.
It's one thing to try to duck bad publicity, it's another to not act quickly and risk the ire of the federal government.
> The Cliff Notes version is Dylan, whose latest album Bringing It All Back Home had upset many folk purists with its amplified accompaniment, performed at Newport on July 25 with amplified backing by the Paul Butterfield Blues Band, who played the festival on their own. As an offended audience booed Dylan performing with Butterfield's band (minus Butterfield himself), an incensed Seeger, outraged at his friend's apostasy, wanted the audio shut off and sought an axe to cut the cables as Dylan and the band ripped through "Maggie's Farm" and "Like A Rolling Stone," Dylan's just-released single.
You'll be surprised at how technically illiterate most corporations are and how marketing and not engineering are responsible for the success of some of the software companies.
Clearly whoever is the CIO/CISO could care less? I find it hilarious that people get these positions without seemingly a care in the world. Or maybe they do care and the CEO didn't? Hardly anyone ever gets fired in these circumstances.
Is it possible that there could be SolarWinds customers who are not vulnerable because, for whatever reason, they did not enable/install updates? Were updates to the Orion software necessary for the original software to continue to function, or were they optional?
1) The OPM hack and now this all illustrate - if govt gives itself the big backdoors into everything, it's likely they will give it to russia, criminals, ex-boyfriends stalking ex-girlfriends etc.
2) My own impression of govt IT is largely security theatre in the area I was involved. In particular such massive complexity that agency staff think going around the rules is normal, because it's the only way to actually get work done. And then such glaring weaknesses that no one cares to fix. With google I've had one password for 20 years (my google account) which allows a hardware key for 2FA or google authenticator with what I imagine is sensible monitoring, new device authentication etc (I find this pretty secure).
Govt you are forced to write down these insanely long passwords with super complexity that cannot be cut and pasted that change every 30 or 60 days.
Because lost passwords are so common in these settings, the password reset process is usually a MASSIVE weak spot. I've seen it just be a phone call to a third party, you give them your username, they give you a new temp password - that's literally it. And the passwords end up everywhere. In lots of documents that float around, emailed around etc etc. And lots of password sharing when you get locked out of a tool and it will take a long time to get a new account setup (months). Pretty soon the procedures manual also gets you root access to everything.
The insistence on the stupidly long passwords and 30-60 day expiration times created so many weaknesses. People choose obvious patterns for their passwords to get around it. Like `1q2w3e4r!Q@W#E$R`. Then they shift by one each time they have to update, by the time they get across the keyboard they can restart (or twice, in which case you swap the shift to the first half instead of second half). Or, this was fun, my first gov't job the guy had stored passwords on a sticky underneath the keyboard (I changed them all). They also used a shared account for admin stuffs, even though we were all given an admin token (like the smart card or CAC for regular login, but with admin credentials and issued separately).
In theory, the DOD CAC system (they've gotten better over the years) eliminates the need for passwords entirely, but somehow most teams never tie their system to it properly.
NIST no longer suggests such a rotation policy. They have accepted that it weakens security.
Anecdotally, colleagues have successfully lobbied to drop (or not enforce) password expiration policies from other government bodies on the strength of this recommendation from NIST.
Yeah, I know it's not actually recommended anymore, but the policy makers don't care. They're doing CYA policy. They do whatever seems to be the strongest possible thing, users and reality be damned.
I was in a team whose security group eliminated the use of DVD drives for reading (not writing) data except for a few permitted individuals. Creating a massive chokepoint in every process where data had to come from off-network. Security didn't care, it took the realization of the cost (delays, people too busy moving data to do their actual jobs) for management to step in and end the nonsense.
The same will be required for things like password policies. Until the issue becomes realized (weak/written passwords lead to a compromise), these policies will stay in place within organizations and teams. It doesn't help that the majority of the policy setters are not IT professionals (or only in the loosest sense, they can install software but have no real understanding of IT systems). In DoD, most come from a physical security background (retired/separated security forces).
> They do whatever seems to be the strongest possible thing
It's not that, it's inertia and poor incentive structures.
In a large organization, if a policy was set in place by someone else, then, even when you know it's a sub-par policy, it's still in your interest to leave it alone. Doing so gives you a way to deflect blame in the event of a breach related to that decision. You can just blame the policy itself. If, on the other hand, you change the policy, you're more likely to be held personally accountable.
That said, you're also absolutely right about the expertise problem. I don't know much about government, but, in private industry, I've observed that the best way to get put in charge of cybersecurity is to start from somewhere completely outside of IT, and become good friends with the CEO.
It's certainly possible that in some cases that's true, but there are a lot of government check-box security people who genuinely believe complex passwords rotated frequently are a good security control. There's also a general heuristic with many people in security that the more convenient something is, the less secure it is. Therefore smart card auth must be worse!
> It's not that, it's inertia and poor incentive structures.
This is the psychological/economics point of view, and I think it's the correct one for this problem. The other tricky issue, besides the CYA prioritization, is that being a dynamic entity requires other entities to do the same. If you start changing procedures in your section, other sections that rely on you need to adapt to these, and they may have the CYA attitude and resist that change.
You are allowed to use the NIST Guidance as a reason to change that to a longer timeframe. I have a couple of clients that are using 365 days as of 2019.
Yes, but as far as I have seen, no auditing/compliance frameworks have updated their recommendations yet. Maybe it's not the frameworks, but the individual auditors and their templates, but I have seen it as a 'requirement' for PCI, Sarbanes-Oxley, etc.
It's much easier to keep it in place to make the auditors happy than remove it, and risk exceptions on your report that you have to defend.
Nonetheless, until the pandemic hit the US in March, at least one large government agency still had silly password complexity requirements and expired passwords every 60 days. They seem to have suspended password rotation at some point since I haven't had to change my password since March, but it's not clear whether it's going to come back at some point or not.
"Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically)."
Should be noted that NIST's current recommendations are meant to be part of a number of mitigations including checking passwords against known-breach databases, rate-limiting, etc.
Without those other mitigations, pw rotation may still help more than it hinders, although I am definitely not a fan of it and recommend implementing all of the NIST’s recs instead.
For those looking to head that route, haveibeenpwned offers an API to check hashes against previous breaches. For a pw strength meter, have a look at zxcvbn.
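As an added example that is not from any commenter above, here is a small Python verifier that applies the SP 800-63B approach the thread describes: no composition rules, no periodic expiry, a minimum length, a context-word blocklist that also catches the "Season + Year" spray pattern mentioned later in the thread, and a breach check shaped like the Pwned Passwords range API. The range database, its counts, the company name "acme" and the season list are all constructed for the example; a real deployment would send the 5-character SHA-1 prefix to https://api.pwnedpasswords.com/range/ instead of the local table.

```python
import hashlib
import re

# Constructed stand-in for the Pwned Passwords range API. The real service
# (GET https://api.pwnedpasswords.com/range/<first 5 hex of SHA-1>) answers
# with "SUFFIX:COUNT" lines; here the same shape is built locally from a few
# well-known weak passwords so the example runs offline. Example data only.
_KNOWN_WEAK = ["password", "123456", "qwerty", "letmein", "Summer2020", "Winter2020!"]

def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

_RANGE_DB: dict = {}
for _pw in _KNOWN_WEAK:
    _digest = _sha1_hex(_pw)
    # count is fabricated for the example (real counts come from the API)
    _RANGE_DB.setdefault(_digest[:5], []).append(f"{_digest[5:]}:{len(_pw) * 1000}")

def range_lookup(prefix: str) -> list:
    """Stand-in for the /range/{prefix} call: only the 5-char prefix leaves the client."""
    if len(prefix) != 5:
        raise ValueError("range prefix must be 5 hex characters")
    return _RANGE_DB.get(prefix.upper(), [])

def breach_count(password: str) -> int:
    """k-anonymity lookup: query by prefix, compare the full suffix locally."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        found_suffix, count = line.split(":")
        if found_suffix == suffix:
            return int(count)
    return 0

# Context-specific words the verifier rejects. SP 800-63B names the service
# name and the username; the company name and season words below are assumed
# for the example, seasons because "Season + Year" is the spray pattern the
# thread mentions.
CONTEXT_WORDS = {"acme", "spring", "summer", "autumn", "fall", "winter"}
_WORD_YEAR = re.compile(r"^(?P<word>[a-z]+)(?:19|20)\d\d[!@#$%^&*.]{0,2}$")

def check_password(password: str, username: str, min_length: int = 8) -> list:
    """Return the reasons a memorized secret is rejected; [] means accepted.

    Deliberately enforces no composition rules and no expiry (SP 800-63B
    5.1.1.2); strength comes from length, a blocklist and the breach check.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    lowered = password.lower()
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    m = _WORD_YEAR.match(lowered)
    if m and m.group("word") in CONTEXT_WORDS:
        reasons.append("matches a word+year spray pattern")
    n = breach_count(password)
    if n:
        reasons.append(f"seen in {n} breached records")
    return reasons

if __name__ == "__main__":
    for pw in ["correct horse battery staple", "password", "Summer2020", "alice2019!"]:
        print(repr(pw), check_password(pw, "alice") or "accepted")
```

The breach check is the piece that replaces rotation: a password that turns up in a breach corpus gets rejected at set time and forced to change when evidence of compromise appears, which is the SHALL clause of the NIST text quoted above, rather than on a calendar.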
Harmj0y, who is probably the best public AD hacker right now suggests 3 month rotations, IIRC.
My guess is the idea is to mitigate compromise of very old passwords, spray attacks using breached site creds, reduce insider threat and at least offer some mitigation for compromised hashes.
I think this is wise compared in work environments - 90 days, 180 or even 360 would be a good mitigation over _none_ to too many.
I think those concerns are better addressed elsewhere with tools like MFA, automatically disabling inactive accounts, or monitoring public services like HIBP to deactivate accounts quickly. Attackers can move quickly so you hit diminishing returns on rotation policies trying to avoid usability issues incentivizing worse passwords while not rotating long after the account has been compromised.
Indeed. Sports Team + Year, Season + Year, Company + Year or some other such combination should get you a good 10% or more of your users with only a few dozen permutations.
They wrote 60 days into FedRAMP I believe, something I jaw-droppingly realized last year sometime. Whoever is writing these policy frames doesn't know what they're doing. NIST did away with those periodic password change recommendations for a very good reason but IMO they need to now recommend the opposite, directly, because the constant password changes are doing real harm.
> It's right there in section 5.1.1.2: "Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically)."
I would partially agree with this. It's not wrong to write down passwords. It is wrong to write them down and not secure them. Securing them is the same step that happens (or is intended to happen) with password managers. The passwords are, themselves, encrypted in some fashion so that they're not (easily) accessible to others. If these passwords were at least put in a locked cabinet, I'd have felt better about it. A safe would've been even better (and this is assuming that they needed to be shared, we had security tokens that, if used properly, meant we didn't need the passwords at all and each person would have a unique access token for better accountability).
It is moronic to write passwords down and stick them underneath the keyboard.
It depends entirely on your security and threat model. Me, working from home? I'll write down the password for my netflix account and wifi - sure.
In an office? Absolutely not, never, not once. Offices are not private and not secure and in any kind of even vaguely sensitive setting allowing a colleague to have access to your password and impersonate you is a massive risk.
Yeah, it really depends - in many cases an attacker gaining local access is game over anyway & less technical users will at least have harder to guess passwords. In other cases it's indeed a bad idea.
I wonder if they use password managers. All the household-name corporations and small startups alike where I worked for the last decade used a password manager.
Selling a subscription to a government org should look like a tasty enough piece of revenue pie to attract multiple bidders, I assume.
What’s preventing more rapid uptake of integrating with the CAC system? I can use my CAC when going through TSA for ID (and verification is sub 10 seconds) but other agencies keep dragging their feet.
It seems to be laziness on the part of the IT system makers. There are (mostly) standardized ways to authenticate a CAC and associate it with a user for an information system. But people seem to prefer to roll their own. Either using traditional username/password combos, or a worse solution.
The worse one is this (seen a few times): Username/password and then you register your CAC with it. They only check the CAC itself for the cert expiration date. When it does finally expire (or gets revoked, say you need a new one early like happened to me a couple times, not due to loss, it just became unreliable in the CAC reader), then you have to use the username/password combo (the password has been getting updated every 60-90 days during all this time) and register your new CAC.
But, since they aren't checking revocation data, a stolen CAC + PIN (say it's weak, beaten out of you, or they observe you using it) even revoked would still be able to authenticate against that system until the cert expires or the admin (usually) manually removes the revoked CAC.
As an IAM/trust systems enthusiast with a passing interest in the CAC system (and tangentially, Login.gov), this is disappointing to hear. Thanks for the context. I’ll keep my eye out for opportunities to contribute to improving the situation (USDS or 18F).
For what it's worth NIST password guidance SP800-63b no longer advises the arbitrary expiration, so hopefully this is something that will change.
>“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”
I think it's new as of the 2019 revision, though it wouldn't surprise me if it's been ignored for a while. I don't think CMMC requirements specifically call out expiration periods, so hopefully a good sign.
Microsoft seems to be fairly forward thinking[1] on passwords, doing away with expiration requirements and focusing more on their risk based MFA stuff.
You are allowed to use the NIST Guidance as a reason to change that to a longer timeframe. I have a couple of clients that are using 365 days as of 2019.
Has this shown up everywhere? Govt agencies still had it in contract docs. That might mean FedRAMP or PCI or some other standard still mandates it.
Enforces minimum password complexity of case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type;
Enforces at least 5 changed characters when new passwords are created:
Stores and transmits only cryptographically-protected passwords;
Enforces password minimum and maximum lifetime restrictions of 60 days;
Prohibits password reuse for 10 generations
...
Incompetence runs through every facet of American government, corporations and even private businesses. There's an insane amount of bureaucracy and people doing IT who have no business doing IT. As for the corporations, the established ones get taken over by the MBA types who have no clue about software or security nor do they care as long as the numbers look good for the next quarter.
I'd bet dollars to donuts that firms run by professional managers almost certainly have better security practices than family or founder run firms. I say this because research shows that professionally managed firms excel in virtually every other facet of operations and management[1].
Although I do not disagree with your comment, I would do a double take before accepting the source you cite because they are very much incentivized to proclaim the result they proclaim.
Neither of these hacks involved "back doors" as they are normally defined. One was an authentication bypass; the other was a supply chain attack. Neither involved any sort of deliberate covert access mechanism.
Let me be crystal clear. I've worked in domestic violence. Cops will use various tools to stalk their exes despite your claims that back door or privileged access will not be abused.
Jump over to healthcare, the worker with full access to the govt it system for cases WILL lookup their friend / family members / neighbors / famous person if they see them on site or realize they are in system.
I have one experience with a private health HMO. A close relative, senior doctor, absolutely knew they would be immediately fired if they looked up family records. It was crazy, they would not do ANYTHING related to family stuff even by request of person involved. Obviously this place had some type of audit trail, some type of monitoring team for non-assigned patient record lookups etc.
My govt IT job, to do billing you had to be able to see case notes, and the system was integrated across a ton of agencies, so everyone basically had access to everything and because you had to share logins and passwords (it took like 6 months to get a new account setup) there wasn't any accountability (not that I think they monitored anyway).
I came away very unimpressed. We had to use outdated IE / Java combos etc. as well and block all system updates. The default landing page was an unregistered domain name.
I don't think OP meant to imply that backdoors had anything to do with this. It's meant to underscore the argument against backdooring encryption by pointing out that when you trust some entity with a backdoor, you're potentially opening that backdoor to anyone who can break that entity's security, which may be very, very flawed.
That's unrelated to backdoors (deliberate covert access mechanisms). All parties with access to data, regardless of whether it is via a backdoor, can put that data at risk due to their own security.
This is only unrelated if you don't consider government-mandated master key escrow a "backdoor," which seems deliberately obtuse to me. Regardless, the OP's point was that this is an additional argument against governments mandating a way to access your encrypted data, because you shouldn't be compelled to trust anyone else with a "don't worry, only we will have access" sort of system.
US gov guidance from NIST no longer suggests regular password resets, but that guidance hasn't gotten out yet.
> Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
I hated this part of being on-call for government customers. I had to go through some crazy adjudication process all for the privilege of having to change my passwords every 60 days. And even though I used a password manager for them I couldn't paste them in because the VM I was required to use to access the systems didn't allow pasting from the outside.
So I just typed them into notes on the VM and left them there.
>> In lots of documents that float around, emailed around etc etc.
The amount of Fortune 500 and Fortune 100 companies that I worked at where this is commonplace is staggering. The amount of businesses that never change their passwords is quite frankly, shocking. I left a Fortune 500 company two years ago and I just tried my login on their external facing portal - and it still worked.
I've seen passwords being passed around in word docs and internal blog posts. At one place they were mixing development information with financial information. The idea you had several folders of corporate contracts mingling with developer docs on a sharepoint server was a real eye opener for me.
Nobody else seemed to care when I brought up the fact you just gave a bunch of developers access to facebook contracts and other financially important docs they have no reason to have access to. Their reason? It was too hard to set up a new folder with access restricted.
After a few years of experiencing these, I just became kind of apathetic to it. If nobody in authority cares, then why should I??
Spot on, humans are always the weakest link. You must assume your users will invoke every worst practice imaginable and make your system secure anyway.
> With google I've had one password for 20 years (my google account) which allows a hardware key for 2FA or google authenticator with what I imagine is sensible monitoring, new device authentication etc (I find this pretty secure).
I too hope this is not just security theater as well.
“SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. We are tracking the trojanized version of this SolarWinds Orion plug-in as SUNBURST.”
“Multiple trojanized updates were digitally signed from March - May 2020 and posted to the SolarWinds updates website. The trojanized update file is a standard Windows Installer Patch file that includes compressed resources associated with the update, including the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component. Once the update is installed, the malicious DLL will be loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe. After a dormant period of up to two weeks, the malware will attempt to resolve a subdomain of avsvmcloud[.]com.”
“This actor prefers to maintain a light malware footprint, instead preferring legitimate credentials and remote access for access into a victim’s environment.”
“In observed [trojan] traffic these HTTP response bodies attempt to appear like benign XML related to .NET assemblies” “Command data is spread across multiple strings that are disguised as GUID and HEX strings.”
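The quoted report gives one concrete, cheap network indicator: after a dormancy of up to two weeks, the implant resolves a subdomain of avsvmcloud[.]com. As an added example, not from the report or any commenter, here is a Python scan over DNS query logs that flags hosts resolving that domain, anchored on a label boundary so look-alikes such as `avsvmcloud.com.evil.example` do not match, and that correlates each first hit with the host's update-install time to show the dormancy pattern. The log layout, hostnames, timestamps, the left-most subdomain labels and the install times are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator from the quoted FireEye text: the implant resolves a subdomain of
# avsvmcloud[.]com (defanged on the page; the real form is needed to match).
BEACON_DOMAIN = "avsvmcloud.com"
DORMANCY = timedelta(days=14)  # "dormant period of up to two weeks"

# Constructed DNS query log in an assumed key=value layout (not a product
# format). Hostnames, timestamps and the left-most labels are made up.
SAMPLE_LOG = """\
2020-06-01T09:12:44Z host=ORION01 qname=downloads.solarwinds.com qtype=A
2020-06-13T02:31:10Z host=ORION01 qname=x7q2kt4m9zp1e.avsvmcloud.com qtype=A
2020-06-13T02:31:11Z host=ORION01 qname=example.com qtype=A
2020-06-14T11:05:02Z host=WEB07 qname=www.avsvmcloud.com.evil.example qtype=A
2020-06-20T17:44:59Z host=ORION02 qname=b3n0wq8.avsvmcloud.com. qtype=A
"""

_LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$")

def is_beacon_name(qname: str) -> bool:
    """Match the apex or any subdomain, anchored on a label boundary."""
    q = qname.rstrip(".").lower()
    return q == BEACON_DOMAIN or q.endswith("." + BEACON_DOMAIN)

def find_beacons(log_text: str) -> dict:
    """Return {host: [(timestamp, qname), ...]} for hosts that queried the domain."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m or not is_beacon_name(m["qname"]):
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        hits[m["host"]].append((ts, m["qname"]))
    return dict(hits)

# Constructed patch-installation times per host (from a software inventory
# or the Orion update log in a real investigation).
INSTALL_TIMES = {
    "ORION01": datetime(2020, 6, 1, 9, 0),
    "ORION02": datetime(2020, 6, 5, 8, 30),
}

def triage(log_text: str, install_times: dict) -> dict:
    """First beacon per host, plus the delay since the update was installed.

    Any hit is actionable on its own; the delay only corroborates the
    dormancy behaviour described in the report.
    """
    report = {}
    for host, events in find_beacons(log_text).items():
        first_ts, first_name = min(events)
        installed = install_times.get(host)
        delta = first_ts - installed if installed else None
        report[host] = {
            "first_beacon": first_ts.isoformat(),
            "qname": first_name,
            "days_after_install": delta.days if delta is not None else None,
            "within_dormancy": delta is not None and timedelta(0) <= delta <= DORMANCY,
        }
    return report

if __name__ == "__main__":
    for host, info in sorted(triage(SAMPLE_LOG, INSTALL_TIMES).items()):
        print(host, info)
```

Two practical points the sample data is built to show: the suffix test must require the dot before the domain, or a look-alike registered under another zone matches; and a hit more than two weeks after install (ORION02 here) is still a hit, so the dormancy window is a corroborating field for the analyst, never a filter.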
> Malicious code added to an Orion software update may have gone undetected by antivirus software and other security tools on host systems thanks in part to guidance from SolarWinds itself. In this support advisory, SolarWinds says its products may not work properly unless their file directories are exempted from antivirus scans and group policy object restrictions.
It's not just shady stuff. Recently, on a customer's Windows server, antivirus software randomly decided to permanently delete some our DLLs (!). We weren't doing anything remotely shady; it was a normal ASP.NET Core app.
Also, any task that involves reading or writing files will, in the presence of customer antivirus software, turn into a random number generator on whether the read/write goes through at all, how long it takes, etc. We are constantly having issues with customer AV because of this.
So far I've seen ZERO EVIDENCE. Reuters and the Washington Post have breathless claims of Russian hackers "according to officials familiar with the matter." Uh huh.
Saying "APT29" or "CozyBear" doesn't make the accusation any more credible.
If multiple US agencies are trumpeting the same story, you really must ask yourself "Why? Why this? Why now?"
It's pretty amusing, in a depressing way, to see how quickly so many otherwise intelligent people can be made to snap to attention and fight the Russian Menace with a few anonymous government claims.
We've got like 12 years of historical records tracking the evolution of internal tooling and infrastructure that Cozy Bear uses. Yeah attribution is hard, yeah someone could have been trying to frame them, but in general these groups tend to use a lot of in-house tools and consistent infrastructure and techniques.
The evidence was absolutely overwhelming. It isn't like someone saw an IP in Russia and assumed it must be Russians. The intelligence agencies had been tracking them for years. They knew exactly who was doing exactly what within the Fancy Bear organization. They know when people joined up and how they were introduced to their GRU handlers. The idea that these attributions are just thrown around whimsically is pure ignorance.
Here's the article I was trying to remember last night about how Dutch intelligence actually hacked security cameras and watched the DNC hack go down live.
Misattributions happen, but Fancy Bear / Cozy Bear is extremely well understood, and they don't generally make much of an effort to hide the fact that it was them that did it. For them, it's often about sending a message.
According to Charles Carmakal, senior vice president and chief technical officer at Mandiant, FireEye’s incident response arm
“There will unfortunately be more victims that have to come forward in the coming weeks and months,” he said. While some have attributed the attack to a state-sponsored Russian group known as APT 29, or Cozy Bear, FireEye had not yet seen sufficient evidence to name the actor, he said. A Kremlin official denied that Russia had any involvement.
I'm curious, are people saying that "Russia doesn't do any hacking" or that "there isn't yet enough evidence that this specific attack is by Russia". Those are two very different claims.
I don't think there's any doubt about the former claim, personally. The latter though, I think it's too early to tell, especially since we've seen recently how certain hackers have explicitly started putting bait signs from other nation-states to misdirect.
> The latter though, I think it's too early to tell, especially since we've seen recently how certain hackers have explicitly started putting bait signs from other nation-states to misdirect.
Has there been any indication at all that it was Russia in particular? A lot of people believe it was a state-level attacker based on the sophistication of the attack, but even conceding that doesn't make Russia the only alternative.
He's not denying Russia does hacking. He's saying there is no evidence that ties this to Russia over any other group. Maybe Russia is most likely based on priors, but I don't think the average HN commenter has an accurate estimate of nation-state hacking frequencies.
Russians do a lot of hacking. It doesn't mean it's the government or any official body, though. The non-stop, partially unfounded Russia bashing and excessive repeated sanctioning is pissing off a LOT of highly skilled Russian programmers.
I don't think the Russian government is behind most attacks.
The beauty, from a nefarious standpoint, is that you don't have to pay people to spread disinformation. You just have to use the right psych techniques on them and ensure they get proper reinforcement.
These are the techniques that have turned my family and many of their friends (and clearly a measurable percentage of Americans) into the exact opposite of the values they taught me and demonstrated for decades.
They truly believe virtually anything spoken by people like Limbaugh, Glenn, O'Reilly, Carlson, etc.
If you try to use some logic or evidence, even showing two conflicting statements made by one of those idols, they just shut down. The cognitive dissonance is too uncomfortable.
Krebs: Update, 8:30 p.m. ET: An earlier version of this story incorrectly stated that FireEye attributed the SolarWinds attack to APT29. That information has been removed from the story.
Given the scope of this product — basically everyone runs it — any chance that this is some sort of hoax will be mitigated by the “too large to be a hoax” thing. Probably some sort of fallacy whose name I don’t know.
See: moon landing. Of course we went to the moon otherwise, what, 50,000 people are keeping a perfect and scandalous secret for half a century?
The best proof that the United States went to the Moon is that there was extensive Russian spying going on at the time, but Russia never claimed that the US was lying about the Apollo program.
That's difficult for people with poor science educations to fully grasp. For example, they might think that the moon's surface itself could reflect the laser light, etc...
Not to mention that unmanned probes could also have placed reflectors without humans ever being sent to the Moon!
Scientists have reflected lasers just off the surface, and there are unmanned probes (Russian ones) that placed reflectors on the moon.
But the point should still be that, if anyone cares to learn about the difference, and how we know the difference between all these different types of reflectors, that information is freely available and could easily be understood by most people.
Why even go to those lengths? If they lied about the moon landing surely they are lying about lasers even hitting the moon, or it not being made of cheese...
Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon [0]
The US Government has spent two decades and hundreds of millions of dollars building tools to undermine the security of systems around the world, and withholding information from "Industry" that would help harden those systems.
I have no idea who "did" this, I don't really care. The NSA has been loading this footgun for decades.
One of the core themes in the latter half of the book was how the government obtains zero-days, and then has a "committee of government and industry experts" that think about responsible disclosures, assuming the government is willing to "concede" the "national security advantage" of not disclosing the vulnerability.
Most vulnerabilities don't get disclosed.
Most systems go unpatched.
Just so the USG can exploit foreign systems.
It's very possible this particular vulnerability was found, but its potential for spying outweighed the concern for patching.
Since this is a supply chain attack on software downloads, I think it's interesting to consider the implications for the security posture of a cloud-native organization.
While cloud-native is commonly recognized as less secure (because the cloud provider could be hacked!), there are a few categories of attacks exclusive to onprem software deployments:
1. You misconfigure the onprem software, making it more insecure than the alternatives. This does not occur with SaaS products.
2. The software delivery system is tampered with, and you download and run malicious code on your systems with high privileges. If you don't run it, this can't happen.
Cloud deployments aren't obviously safer, but they have clear advantages unless you are willing to pay top people to work on and secure each onprem deployment full-time.
NB: I don't actually believe "the cloud" is fundamentally more or less secure than onprem deployments.
Rather, I frequently hear people argue that a website being hacked - or the potential for it - justifies a movement to onprem, and I think this is (usually) false.
> While cloud-native is commonly recognized as less secure (because the cloud provider could be hacked!)
That's not a common recognition by any means. Cloud providers are more secure and spend more on infosec than any business managing their own tech & data centers. Pretending that the cloud provider being the point of entry is in the same ballpark of risk (or greater risk) is a strange talking point in 2020.
Things aren't black or white, but SaaS typically removes one layer of security (the corporate firewall). Misconfigurations are then typically exposed to the whole world.
Whilst not being a "cloud is someone else's computer" adherent, the notion SaaS products can't be misconfigured into opening up security holes not present / so serious in some on-prem environments doesn't hold water - see the last decade's stories of accidentally open S3 buckets, plaintext secrets pushed to public GitHub repos, and all manner of other "minor misconfigurations"
This is true but there’s a big difference in how easy it is to audit. You can enable Security Hub and Guard Duty on AWS organization-wide in a few minutes and have a pretty solid baseline for hardening your infrastructure and flagging suspicious activity. Doing the same with on-premise infrastructure takes months and entails significant risk since things weren’t designed around APIs and low-privilege IAM.
(GCP is similar but SCC is earlier in the development cycle and their threat detection isn’t well designed.)
So, am I reading this right? The Russian government had the ability to impersonate the credentials of ANYONE in the majority of the Fortune 500, the US Government, the US DOD, and our telecom infrastructure... and they likely had this access for a while.
Well, that is very similar to asking how it is that conventional spying is not an act of war. It isn't, because everyone is going to be doing it anyway, so if you make that an act of war we have war all the time, rather than nations not doing it.
The US imposed individual sanctions and explicitly named hackers from the GRU after the DOD investigated the 2016 election hacking, effectively authorizing their arrest if they step on Western soil. This will be handled diplomatically through the State Dept. first. There is little incentive to start a war with Russia, I don't think.
I may be wrong, but I thought members of the security apparatus weren't allowed to leave the country in Russia? I may be horrendously wrong, but I thought someone mentioned that when these sanctions came out about Guccifer 2 and such.
There are ways for the US to retaliate through espionage, such as doing a mass round-up of minor Russian spy assets that usually aren't worth the effort to go after, going after Russian operations in places where neither country has jurisdiction, exposing blackmail of some random oligarch, stirring up unrest with plausible deniability, etc.
Essentially make life difficult for the people who actually run Russia.
You risk destroying your leverage if you do this, but some partial retaliation is indeed a good idea. It might be the case that those avenues for retaliation are already almost saturated.
The US Government does stuff like this to other countries all. the. time.
We don't hear about it much. But if this is an "act of war" the US has conducted dozens of these kinds of "attacks" on others over the last ten or fifteen years.
Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon [0]
Because Russia has somewhat of an oil monopoly in Europe and the US doesn't like that. We've been being fed Russia war propaganda for at least a decade. If it even feels like a "Russia kind of thing" to the general public that is just the result of intentional conditioning by warmongers.
It could have been literally any major world power, including our allies. No evidence has been presented whatsoever as to who the culprit is.
Yes, one must see the most recent coverage to know the current story. ISTR someone had retired from CIA and was shopping a memoir around; apparently the only exploit he could mention on the record was that one time he got sick. Just his bad luck that in late 2020 we're mostly thinking about a different illness.
The only common element among USA facilities in Havana, Guangzhou, and Tashkent is the USA facilities themselves. Much like the situation described in TFA, those facilities were built by the most corrupt bidders. It will surprise no one when it is revealed that some corner was cut, and American personnel were exposed to harmful amounts of some ghastly chemicals, radiations, etc.
It is literally a conspiracy theory to reject this simplest possible explanation in favor of some outlandish three-way joint venture among the Cubans, the Chinese, and the Uzbeks, three nations not known for ever having done anything together.
Psychological conditioning is my theory. If you think about it, has this not been a rather popular news item for many years? If people should not get their perception of world affairs from the news, then from where should they get it?
We (the public) have not been provided evidence that this was Russia. Let's not get ahead of ourselves. Some anonymous people claimed it's Russia. That is meaningless.
This may have been a valid assertion in a time when news media could be trusted.
I, and many others, no longer have any faith or trust in the news media. Time and time again the news media has been caught spreading lies and disinformation, so sorry, I am no longer going to "take their word" for it and trust that they have properly vetted their sources.
Also, they do not lend themselves credibility by having a Matrix-style photo with the "hooded hacker" trope prominent in the article.
Do you remember when a named source, Colin Powell, showed some photoshops of "weapons lab trucks" to the UN leading to us going to war in multiple countries resulting in millions of dead people? That was a named person with claimed evidence. This is even less credible than Powell.
It's hard to get less credible than unnamed sources with no evidence.
As I'm forced to speculate, because it is inconvenient for us to call it an act of war. We routinely conduct cyber espionage missions on other countries and "probe" their cyber defenses. If we were to call this an all out act of war, then we would also be found guilty of unprovoked acts of war on many other countries, including allied countries. So, too, would many other countries. This is the new spywork.
If it wasn't Russia (and the evidence supporting that it was hasn't been released yet) it would be literally anyone else. North Korea. Iran. Even our allies. Some 400lb dude sitting in his parents basement in New Jersey. And the US is doing this, or attempting to do this, to many other countries.
Ultimately, the hack is the practical responsibility of the victim.
And how many such tools have been employed by the CIA? So are all the other countries supposed to wage war against the US?
Governments all over the world do shady shit, constantly. Sometimes they get caught, sometimes they don't. Men in power use tensions to stay in power; waging wars against more powerful/equal nations won't help the men in power on either side.
Anyone calling for war between the largest nuclear power and the second-largest nuclear power is insane or ignorant. To even suggest something like that is obscene given the incomprehensible loss of life it would entail. I think most people who can remember it would agree that it's a good thing the Cold War stayed cold.
According to Charles Carmakal, senior vice president and chief technical officer at Mandiant, FireEye’s incident response arm
“There will unfortunately be more victims that have to come forward in the coming weeks and months,” he said. While some have attributed the attack to a state-sponsored Russian group known as APT 29, or Cozy Bear, FireEye had not yet seen sufficient evidence to name the actor, he said. A Kremlin official denied that Russia had any involvement.
Because hacking isn’t considered an act of war. If they turned off our infrastructure that is an act of war because it would have caused material harm.
I do not want to go to war over this, and generally I have friends from a number of countries in the east, but make no mistake: if my country asks me to defend its borders or even NATO borders I'll be there[1], even if it is many years since I finished the draft and I now have a family. The alternative will probably be worse.
Anyways, no sane, decent person should wish a war.
[1]: I am a whole lot less interested in defending us around the middle East and in Afghanistan though.
Tense is wrong, they have this ability RIGHT NOW to a very high degree of certainty.
Just because the tip of the iceberg has been discovered doesn't mean it's mitigated. Even FireEye is probably still compromised. It will take a while to understand the actual scope of this.
And in the meantime new attacks are likely happening also.
Every country does this to every other country that it can. Not like the US doesn't (or at least try to) pull off stuff like this too. So if it's an act of war then every major power has pretty much at some point declared war on every other major power, even allies.
Digital war? Sure. We are probably hitting back right now. Traditional war? I hope not. 1) I don't have enough bottle caps saved up. and 2) in all seriousness, most humans would not survive WW3, not even those with bunkers.
This isn’t an attack _yet_. This is potentially a part of the process of developing the capabilities for a later attack.
Crimea is the first time a nation state has meaningfully changed its borders that I know of since WW2. As a result I would consider Crimea a much more egregious attack on American values and western interests than a software vulnerability that hasn’t been leveraged to cause actual harm.
> Crimea is the first time a nation state has meaningfully changed its borders that I know of since WW2.
I took a look out of curiosity, and there have been a lot more border changes in the world than I was expecting. Lots due to decolonization in Africa. The partition of India in 1947 was huge. Lots of European changes, of course. Many small border cleanups. The changes go on for pages.
Russia has a policy where they allow "patriotic hackers" to operate freely while turning a blind eye to their actions. The Kremlin even mentioned this in their disavowal.
While I disagree with the claim that merely having the capacity is an act of war, doing something that would be an act of war through privateers rather than official state forces doesn’t make it any less an act of war than it otherwise would be.
Edit: Had a thought - Since the NetFlow Traffic Analyzer tool stores historical network traffic data, I wonder if Dominion traffic was pulled before the breach was closed.
The entire Trump administration's been an act of war. They got classified intel, private phone calls with the president, numerous concessions, everything they could have possibly wanted in terms of foreign policy, including an abrupt and chaotic withdrawal from Syria where Russian troops literally took over American bases, and a significant number of GOP congressional representatives visiting Moscow on July 4th together, with no American press there to cover the event or tell us who they met with, what they discussed, or why they went.
There's also evidence that Russia infiltrated the Treasury in 2015, unrelated to the election interference afterwards.
It's been war for a long time, and we have not been winning.
It is. I hope that, after the new administration takes office, a "hell sanctions" package will be approved, as well as closing Russian embassies and increasing military pressure on its borders. Sanctions already work, and the Russian regime does not have many options to oppose them.
You sure about that? "They" have been claiming Russia is the boogeyman for years, but it's never been proven. In this case, it does appear like a complex hack. Wouldn't be surprised if it's China, Iran, North Korea, Russia, the U.S. Government (yes, hacking itself), etc.
Just to add, 15 mins ago Chris Bing from Reuters and other journalists confirmed the U.S. Department of Homeland Security to be the 3rd agency to be impacted [1].
I suspect there will likely be further agencies and of course private companies to come forward in the upcoming weeks/months.
This is why all this bullshit about "let's add a backdoor to all encryption just for the government" is just that: bullshit. A year or so after it is added, it will be available to every government on earth this way, and a year after, on your favourite warez site...
There was a fun one a few years ago when someone realized that Maven Central didn't require https so anyone could MITM arbitrary amounts of open source Java code. But I think this problem could be even more pervasive. Think about that giant green lock icon you see on secured sites. And then think about all the apps and devices making requests with no UI and we have no idea what they're all talking to until you have the patience and knowhow to operate wireshark.
Off the top of my head, the only real solution is to feed a lot of this arbitrary traffic through trusted brokers which is going to make us even more dependent on Google, Microsoft or whoever else takes up that mantle.
I think what you describe seems entirely reasonable. Though more so for software than hardware; that way a single exploit can't take down our whole government.
Russia's hacking/software capabilities have always fascinated me. I might be out of the loop, but it very much feels like this "online cold-war" is very one-sided towards Russia, which is ridiculous given US capabilities. Though, this could be attributed to the US simply not getting caught.
Nonetheless, everything I've read points to Solarwinds conduct being borderline negligent. For example, they not only told customers to ignore inaccurate checksums but they also failed basic server security.
In US/western-centric media, you aren't likely to hear a lot of exploits of new malware that the US deployed in Russia or China. The targets of hacking by the US are not countries that publicize when they are infiltrated.
Adding snake oil usually adds more attack vectors rather than removing them. Look at all the "endpoint protection" and AV exploits surfacing almost every week.
Yes. Security vendors have to add a bunch of snake oil products.
If they just did "consulting" and trained the staff against social security attacks, and improved a company's policies, how could managers that authorized the expense justify it? Where's the shiny "product" that "keeps us safe"?
"Do you mean we have to periodically expend money to keep ourselves safe? I'll go with Vendor B, they have a blockchain-based Machine Learning tool that's going to safeguard us against current and future threats!"
Thanks now my skin's crawling again from the all too familiar cesspool feeling.
Salesmen (external or even worse internal) convincing inexperienced CTOs or VPs that they need <this exact software> regardless of any real world factors...
These are the people I would throw out with their own bathwater.
For the last 15 years, I keep pushing information about Multi Level Secure Systems every time another incident like this happens. The fact that we haven't been using them since the 1970s everywhere drives me nuts!
There are Operating Systems in existence which could prevent this and almost every other breach. However, most technical people aren't even aware of the fact that they CAN exist, and actively believe the opposite.
Hopefully Genode.org will have something useable for the average programmer like me, in a year or two, and I can use that as an existence proof.
Also, there are Data Diodes to help restrict what goes where.
The "Russia" allegation sounds like an extremely weak & repetitive claim made by people on a certain political side to divert attention away from their bad press for criminal behavior (to include all of the Chinese compromises that were recently revealed).
They're playing a VERY dangerous game, as if they would rather the entire world be destroyed before facing the possibilities of justice (Gitmo, military court tribunals, and everything else that the EO from 9/18 outlined).
The bottom line: the MSM has been full of $&@T for quite some time, and this claim in Reuters is most likely more of the same.
I see where they claim it's a sophisticated / state-sponsored attack, but could you share where they attribute it to Russia in particular? If that's a political assessment made by the media that's one thing, but if these sourced have some sort of technical data that inherently links it to a particular nation... that's something I haven't seen.
Yeah, I think that every time someone/some org knee jerks "it was russia" without at least acknowledging there could be a variety of well funded actors interested in compromising the US Treasury [or any other target] for a variety of reasons and/or having the incentive to make it look like someone else could have done it, just pours more fuel on the attribution fire.
I wonder whether scanning their own uploads and validating checksums via a cron job would have prevented this, or at least given an early alert.
Shameless disclosure: I was doing something similar (I don't plan to maintain it long term), but would love to hear better solutions:
https://github.com/getsumio/getsum
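One way to build the cron-driven check the comment above describes, as an added example that is not SolarWinds' code nor part of the getsum project: record a manifest of SHA-256 digests for every release artifact on a trusted host right after the release is built, then re-hash the served artifacts on a schedule and treat any modified, missing or unexpected file as an alert (never as something customers should be told to ignore). The directory layout, file names and contents below are constructed for the demo; the `demo()` function stages a manifest, then simulates a swapped installer, a deleted file and a stray new file so the report has something to show.

```python
"""Integrity monitor for a software download directory (added example).

Record a SHA-256 manifest of the artifacts once, keep it off the served host,
and periodically re-verify the served tree against it.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash 1 MiB at a time so large installers are not read into RAM


def sha256_file(path: Path) -> str:
    """Hex SHA-256 digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file below root (POSIX-style relative path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the directory against a previously recorded manifest.

    Returns three sorted lists; anything non-empty is an alert for the
    on-call engineer, not a reason to relax the download check.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def save_manifest(manifest: dict, path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: record a manifest, then tamper with the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "downloads"          # constructed path
        rel = root / "2020.2"                    # constructed release folder
        rel.mkdir(parents=True)
        (rel / "example-installer.msi").write_bytes(b"constructed installer bytes v1")
        (rel / "README.txt").write_bytes(b"constructed release notes")

        manifest_path = Path(tmp) / "manifest.json"  # in practice: a separate, trusted host
        save_manifest(build_manifest(root), manifest_path)

        # Later run from cron: the installer was swapped, the notes vanished,
        # and a file nobody released appeared in the served tree.
        (rel / "example-installer.msi").write_bytes(b"constructed installer bytes v1 + extra")
        (rel / "README.txt").unlink()
        (rel / "hotfix-example.msp").write_bytes(b"unexpected file")

        return verify_manifest(root, load_manifest(manifest_path))


if __name__ == "__main__":
    report = demo()
    for kind, files in report.items():
        print(f"{kind:9s} {files}")
```

In production the manifest would be written by the build pipeline at signing time and stored where the web server's service account cannot write, and the cron job would page on any non-empty list; the same `verify_manifest()` can be run by a customer against a vendor-published manifest before installing.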
To summarise it roughly: A software company (SolarWinds) whose software (Orion) is used by thousands of companies and government agencies worldwide, was hacked and a backdoor inserted into an update. An update which was subsequently installed by 16000 customers including the US Treasury and Commerce departments.
This happened months ago and there is no telling how much data the attackers have exfiltrated from these companies.
I wonder if this unintended transparency actually makes for a safer world. The cold war might have been shorter if both sides would have been able to see that their enemy does not intend to escalate the situation.
For a minute I misparsed the title and thought that the US Treasury and Commerce departments' staff hacked their way around a SolarWinds compromise. That would have been cooler.
Let's assume this is a case of state sponsored attack.
If I were in charge of organising such an attack, I would make sure my employer would be on top of the list of victims. It would not do any actual damage to steal my own information and would tremendously help with attributing the attack to my enemy.
Though it should be noted those “4 random word” passwords are strong only if the words are truly random (and the string is less likely to be memorable in this case).
A password generator that allows retries means people will hit that button until the string is memorable, reducing the entropy.
As a simplifying assumption, assume everyone agrees about which of any 2 strings is more memorable.
If someone takes m random samples, and of those, takes the one they find most memorable, how much does this reduce the entropy? If there are N possible strings, and so with a uniform distribution there would be, uh, -log_2(1/N) bits of entropy, I think(?) (because, summing over the N terms of -(1/N) * log_2(1/N) , gives a total of log_2(N) )
If one takes the maximum of m samples, what does that look like? The cdf of the uniform distribution over the terms (identified with their order in the list ordered by memorability) would be P[x \le a] = a/N , and with m independent samples , P[max(x_1,x_2,...,x_m) \le a] = (P[x \le a])^m = (a/N)^m = (1/N)^m a^m,
and so the pdf would be, around (1/N)^m * m * a^(m-1) (approximating it as continuous because N is large. I am not sure that this is a reasonable approximation.)
Then, the sum becomes, uh, again approximating as continuous, integrating from a from 0 to N, (1/N)^m * m * a^(m-1) * (-1) * log_2((1/N)^m * m * a^(m-1)) da ,
which is integral of (1/N)^m * m * a^(m-1) * (-1) * ( mlog_2(1/N) + log_2(m) + (m-1)log_2(a)) da
which is, (mlog_2(1/N) + log_2(m)) + integral of (1/N)^m m(m-1) a^(m-1)*log_2(a) da ...
uh..... ok I just threw wolframalpha at it, and I got, -log_2(m/N) + ((m-1)/(m ln(2)))
which, subtracting that from the initial -log_2(1/N) , gives log_2(m) - ((m-1)/(m ln(2))),
and that "((m-1)/(m ln(2)))" is about like, 1 or 2 or thereabouts (it is 0 if m=1 of course).
so, if all the perhaps questionable approximations I made didn't mess this all up (and I didn't mess this up in some other way), I think that says that, if you pick the most memorable out of m random strings, by doing so you reduce the entropy by about log_2(m) + 1 bits.
That doesn't sound too bad to me, really. Well, I suppose it depends how many bits you have to spare, and how big of an m you pick.
Love this! Thanks, it was a casual idea of mine that I didn’t really think through before.
Here’s a slightly different approach to this. Let’s instead assume that the set of “memorable” strings is constant (say of size N/M where N is the number of all strings) and the user hits as many retries as needed to get a string from the memorable set. If the number of retries is a random variable X, then if we know the distribution of X we know M. Since the number of bits lost is something like \log_2(M), we just want to find out how X relates to M.
EX = \sum_{i\geq 0}i(1-1/M)^i(1/M)
= WolframAlpha :) = M - 1
So it matches: if your average number of tries is M - 1, you lose something like \log_2(M) bits of entropy.
Makes me feel better about all those times when I hit retry a dozen times.
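The two derivations above (the "best of m" continuous approximation and the "retry until memorable" geometric model) can be checked numerically; the following is an added example, not code from either commenter. For the first model it evaluates the exact discrete entropy of the max of m uniform draws over N ranked strings, so the size and sign of the correction term can be compared with the closed form -log_2(m/N) + (m-1)/(m ln 2); for the second model it simulates retries against a memorable set of size N/M and checks the mean against M - 1. All values of N, m, M and the random seed are constructed for the demo.

```python
"""Entropy lost when a user retries a random-passphrase generator (added example).

Model A ("best of m"): draw m random strings, keep the most memorable one.
Model B ("retry until memorable"): 1/M of all strings are memorable; the user
retries until one appears.
"""
import math
import random


def entropy_bits(probs) -> float:
    """Shannon entropy in bits of a discrete distribution (zero terms skipped)."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def best_of_m_entropy(n: int, m: int) -> float:
    """Exact entropy of max(x_1..x_m) with each x_i uniform on ranks 1..n.

    Ranks order the n strings by memorability, so 'most memorable of m draws'
    is the maximum.  P[max <= a] = (a/n)^m, hence
    P[max = a] = (a/n)^m - ((a-1)/n)^m.
    """
    probs = ((a / n) ** m - ((a - 1) / n) ** m for a in range(1, n + 1))
    return entropy_bits(probs)


def best_of_m_loss_exact(n: int, m: int) -> float:
    """Bits lost relative to a single uniform draw (log2 n)."""
    return math.log2(n) - best_of_m_entropy(n, m)


def best_of_m_loss_approx(m: int) -> float:
    """Loss implied by the thread's continuous approximation.

    Post-selection entropy ~ -log2(m/N) + (m-1)/(m ln 2), so the loss
    relative to log2(N) is log2(m) - (m-1)/(m ln 2).
    """
    return math.log2(m) - (m - 1) / (m * math.log(2))


def simulate_retries(big_m: int, trials: int, seed: int = 0) -> float:
    """Model B: mean number of failed draws before a memorable string shows up.

    Each draw is memorable with probability 1/M, so the failure count is
    geometric with mean M - 1; the surviving string is uniform over the N/M
    memorable strings, i.e. exactly log2(M) bits are lost.
    """
    rng = random.Random(seed)
    failures = 0
    for _ in range(trials):
        while rng.random() >= 1.0 / big_m:
            failures += 1
    return failures / trials


if __name__ == "__main__":
    N = 100_000  # constructed: number of possible strings
    print(f"{'m':>3} {'exact loss':>11} {'approx loss':>12}")
    for m in (1, 2, 3, 5, 10, 20):
        print(f"{m:3d} {best_of_m_loss_exact(N, m):11.4f} {best_of_m_loss_approx(m):12.4f}")
    M = 8  # constructed: one string in 8 is memorable
    print(f"model B, M={M}: mean retries {simulate_retries(M, 20_000, seed=1):.2f}, "
          f"expected {M - 1}, bits lost {math.log2(M):.2f}")
```

Running the table shows the exact loss tracking log2(m) minus roughly 1.44 bits for large m, which is what the continuous approximation predicts once the sign of the correction term is kept; for m = 20 the generator still gives up only about 3 bits, consistent with the "doesn't sound too bad" conclusion above.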
These breaches will continue to happen, and happen...and happen until our limp-dick federal government gives a shit and starts to punish companies for their malicious malfeasance regarding IT security.
You can't punish lack of ability, just like you don't punish someone for scoring a B at school.
Everything happens after the fact, and no one knows what the next breach will be. And that will continue until your average Joe's system no longer has 100 vendors, each ordained by high management, that basically act as malware themselves.
Someone even started blaming the H1Bs, the mentality is amusing - fix nothing and find blame first and (often) blame it on the wrong thing - I'm glad I don't work for an organization that has the same mentality. Though I can certainly see many of the largest companies and a large percent of people have the exact MO. That also needs to change.
Hugo Chavez hacked our election from the grave. Oh and he also manufactured millions of paper ballots that match the electronic tabulation almost perfectly.
> It is not an ad hominem attack when accurately describing the well known attribute of the source.
That is literally what an ad hominem attack is. Attacking the source instead of the claim.
> The story also turned out to be not necessarily true, from another comment.
The other comment doesn't actually contradict the story, though it is pertinent information.
The story discusses the problems with Orion and points out that Dominion uses SolarWinds software, with a link to the page where they use SolarWinds Serv-U. That doesn't necessarily mean they also use Orion, but the article doesn't claim that.
Interestingly (?) they just changed the linked page in response to the story. It no longer contains the SolarWinds logo when it did earlier:
I don't understand why people think doing things like that helps them. Of all the election fraud claims, the Dominion Hugo Chavez bit is the furthest out in conspiracy theory land, and then they do things like that which are just going to end up on Glenn Beck's nightly rant.
So was the election hacked too? I'm a little confused how Biden can get 80 million votes, and almost no one watched his acceptance speech today. 40k views on youtube.
The 6k vote flipping in Michigan was claimed to be some sort of computer error. But why were the logs deleted? That seems like a hacker thing to do, deleting the logs. A judge just released the audit report.
This is what we're being told, among other things like Trump voters did not vote by mail, at sometimes like 9 to 1 ratio. But we are told to accept these things as True at face value.
Likewise, we are to Trust and accept the results on Dominion Machines. When the only audit that was permitted to be performed, uncovered a 68% error rate, and logs deleted.
Trust but verify. The verify part has not really been done. We are only told to Trust.
So basically, Russians had the highest level of access to every large company and most government agencies in the US? (Including defense, DOD, Pentagon)
If so, this is on scale with the OPM hack in 2015. This is huge.
Smart to use the election timing while authorities were focused elsewhere.
No, not at all. It's political theatre the media is playing. Russia has been the big bad wolf since 2016. It's far more likely China than Russia, although it could be a variety of different states/parties.
I still cannot help but laugh at the intentional ignorance by a lot of people in the US right now. They have for some reason (we all know why) gotten the notion that Russia is some kind of innocent nation that does nothing at all and that US is unreasonably antagonistic against Russia.
Russia is in NO uncertain terms a hostile and aggressive nation that we all need to be wary of.
This is content-free. It's the equivalent of replying to somebody who says "I don't think X committed this murder" with "So you think that X is a saint and can do no wrong?"
It's not fully confirmed yet, but it's probable it's the same 'Cozy Bear' Russian hacking group that hacked the State Department and White House email servers during the Obama administration.
Attribution is very difficult in this space. According to most articles I've read, senior officials believe it's Russia (and it makes sense given the scope/scale) but smoking guns are hard to find.
The Russia attribution track record is not very good. E.g. that Afghanistan bounty story appears doubtful and many of the earlier allegations of ties between the Trump administration and Russia were not substantiated.
Not that Russia is not a threat to the US, but there is a sizable part of the federal bureaucracy that wants to pin things on Russia for various reasons (it's not all anti-Trump either).
Edit: Downvoters, feel free to prove me wrong. Here's one source for my claims[0]
It seems pretty likely that SolarWinds' SAML authentication was bypassed or escalated by this issue with Go's encoding/xml, and then that was used to generate and distribute the trojaned SolarWinds updates.
When will people realize that slapping yet another startup's tech stack onto yours isn't going to magically fix anything and in fact just adds complexity and points of failure?
I've always done my best to err on the side of "let's try not to add yet another level of complexity" and this strategy has yet to fail me.
SolarWinds is a 21-year-old publicly-traded company.
They're not really "yet another startup".
I also don't think that the departments of the US Government are all going around all willy-nilly dropping tools from "yet another startup" into their core infrastructure.
While your overall point may be valid, it's tough to come to the conclusion that it is applicable here.
I believe that you have mis-read their comment - they aren't saying Solar Winds is "yet another startup", they're saying that SolarWinds is incorporating 3rd party technology (the so-called supply chain attack on their build) without vetting it.
And, if we're being honest, those technologies probably are based off startup tech; SolarWinds purchases and incorporates startup companies (such as Vivid Cortex recently).
That's very true. In my limited experience, they are tools sold to non-technical leadership that are either thrown to technical staff to deal with and implement or require letting yet another vendor have network access to manage. It adds up to a hot mess.
My favorite comment from a (authentication system) vendor, during a meeting where we were trying to figure out why users were having trouble logging into an internal app: "Do I have a charge code for this?"
I agree with the point, but that's not what happened here. SolarWinds Orion isn't some VC-backed panacea sold by SV hucksters to cure all your infrastructure's ills, it's a monitoring stack like Zenoss or Zabbix or (...) and is correctly marketed as such.
https://twitter.com/KyleHanslovan/status/1338360093767823362
Back in 2019, apparently their FTP server credentials were exposed on GitHub, allowing automated updates to be pushed
https://twitter.com/vinodsparrow/status/1338431183588188160/...
Edit: If updates failed due to signature not matching, SolarWinds recommended downloading the package and installing it manually, LOL
https://twitter.com/KyleHanslovan/status/1338419999665508354...