I'm not optimistic about the US Gov's ability to defend and maintain these networks. Yeah they have a lot of money to throw at the problem but eventually you have to put the best, most knowledgeable people in front of those computers and do work. They can't hire the best and brightest though, and are otherwise unwilling to make the policy changes necessary to be able to. When security professionals can make 2-3x in the private sector and smoke as much weed as they want (in this case the stereotype has some truth to it; a lot of devs/engineers use marijuana) what incentive is there to work for one of these alphabet-soup government agencies?
Even if the positions paid more and had more modern drug testing policies, I have never, NOT ONCE, met someone who works in software at a government agency or at a company doing government contract work who wasn't a massive fuddy-duddy-boomer.
These breaches will continue to happen until the Gov takes a more pragmatic approach to it's technology and brings it's culture more in line with the private sector.
I don't even think many devs are 'stoners' in the sense of using marijuana daily. I don't think you could code at a high level if you were actually smoking weed every day, but it just feels invasive for a job to tell me I can NEVER touch it and they will monitor me to check.
I am not a huge fan of alcohol, but if a job told me I could never drink again and they will test me to see if I have been drinking it would feel super invasive and be a huge turn off.
I think you'd be surprised. I smoke pretty much every day, at least. That said, only in the evening when I'm done work and I'm not exactly programming control systems for SpaceX or whatever.
> I don’t think you could code at a high level if you were actually smoking weed every day
Ah, but on the contrary, I can confirm, based on what I consider a “high level” of coding, that some people cannot code without smoking weed every day. I can also assure you that many, many devs are daily users, quality of code output not withstanding.
It probably affects everyone a little differently, I know if I start smoking every day my brain is noticeably slower. I can still get by but I cannot visualize and store as much code in my mind at one time.
Adversely tons of sleep, creatine and coffee seem to expand my context and I can hold a lot more simultaneously.
Life is also not about being the best programmer though, so I would definitely trade ability for comfort if weed was offering that.
There are a lot of things to do outdoors around Maryland: there are a lot really good MTB (or just hiking) places, like Rockburn and Patapsco State Park; beaches are within two hours away; ski / snowboarding places within two hours away; and then there's the Chesapeake Bay.
CSIA isn't part of NSA. It's part of Homeland Security.
That's probably worse for doing anything technical. NSA has a track record of solving hard problems. Homeland Security is a collection of police departments gathered together for political reasons.
Reminds me of an article that got posted here several months back about the UK government having issues hiring a high level IT worker (I think it was some sort of director). While everyone else was talking about pay, one user pointed out that in such a position they’d be effectively neutered by the bureaucracy and politicians (and others) chasing other interests that would effectively be against the positions missions.
There is lots of evidence that the "best and brightest" are also totally incapable of defending and maintaining networks against skilled individuals, let alone skilled organizations, let alone state actors. I can not think of a single commercial organization which would even dare to claim they could protect against state actors or even provide any legally binding, quantitative assessment of their security that should inspire any confidence in their ability to defend against a single competent individual. You can just look to Google Project Zero to see a continuous stream of evidence of singular skilled professionals breaching these systems within mere weeks to months. Hardly comparable to the resources of state actors who can deploy hundreds or thousands of skilled professionals for years. To go from being unable to defend against skilled individuals to being able to defend against state actors would require on the order of a 100,000% improvement in capability by the "best and brightest".
You're oversimplifying the issue to unnecessarily devalue the "best and brightest", whoever you appear to be referring to, and are giving too much credit to state actors.
When organizations rely on hundreds to thousands of platforms to operate, and those platforms are under the weight of hundreds and thousands of dependencies, it's not unlikely one could discover and quickly take advantage of randomly sprinkled secrets in some github repository. Humans, weak passwords, and improperly configured ACL are often the common denominator in the majority of recent breaches, not the systems themselves. People get lazy and start overlooking well established protocols that could have prevented these attacks. It's hard to do this right unless you hire red teams to perform monthly audits of every possible leakage or attack vector.
I do not see how that is disagreeing with my statement. If the security architecture of your IT system can be compromised by stupid mistakes in some selection of hundreds to thousands of dependencies and that selection was not audited then the security architecture can not protect from simple attacks which, almost definitionally, means the security process is largely useless as attackers do not care to attack only where the systems are strong. If auditing dependencies is viewed as "too hard" or "too expensive" I do not see how that has any bearing on the security of the system. It merely demonstrates that improving the security is not worth the cost tradeoff, it does not somehow magically improve the objective security of the system.
The objective evaluation of a comprehensive security architecture depends on its holistic effectiveness, not merely the effectiveness of the parts the designers thought about. By that metric, I am not aware of any commercial IT system that even meets the low bar of protecting against an attack with a mere $10M in funding, let alone the billions a state actor has access to. So, a question for you, are you aware of any commercial IT system in the entire world that you think would survive a $10M open bounty let alone $1B? If so, what objective, empirical evidence do you have to justify that claim? Hopefully one day I might get a convincing response to this question.
You are conflating the human failings to the failings of the security architecture. If you dropped the pair of keys to the world's most cryptographically secure bank vault, impossible to crack open with any other possible means, and the bad actor picked it up, credentially spoofed a valid identity, and used it to breach into hypothetical bank vault, then the processes emplaced were largely useless in the first place? That's completely out of the scope of reason.
Obviously if you magically had such a secure bank vault and the analysis is limited to only that singular aspect one could make an objective claim that it fulfills certain objective, quantitative requirements which could make it a useful component of an overall security architecture. However, in terms of the entire system, human failings are process/system failings. If there is a process which would routinely drop a pair of keys to the world's most cryptographically secure bank vault then the whole system is, in fact, still terrible despite some of the components being competently done. In fact, if this were to actually occur, I would say the process is beyond amateurish as it somehow created an insecure system out of such an amazing component.
Even if we restrict ourselves to only consider the magic bank vault, it is still unreasonable to completely ignore everything else. It is a common problem for systems to be so hard to use or configure that it is nearly impossible to effectively use them. It would be like the magic bank vault requiring you to leave the keys unprotected on the ground at which point it would be unreasonable to claim the magic bank vault is a secure component since it can only be effectively integrated in an insecure fashion. Any claim that it was, in fact, integrated securely would need to positively demonstrate this fact against the common expectation of insecure integration.
Frankly, this is also getting very unrealistic. If any company had a system with even 10x that number of critical, trivial flaws I would be amazed. From my experience there are hundreds to thousands of such flaws which run through components at every level of design. Any system with hundreds of stupid flaws across hundreds of different components each of which can cause critical compromise is so poorly designed as to be anti-redundant and also hopelessly insecure. It is not even worth it to quibble over factors of 10 as by my reckoning these systems must improve by a factor of 1,000 to pose any real obstacle to a dedicated state actor unless somebody can actually point to a system that can withstand a $10M open prize with meaningful verifiable evidence for that claim.
It seems that Russia's cyber prime directive is to ceaselessly attempt to penetrate USG contractor's systems, which, to a layperson seems like an obvious cybersecurity flaw.
How are these systems secured in other Western countries? How do France and the UK, for example, secure their critical infrastructure networks? The U.S. strategy of just contracting out all these essential service is revealing its pressure points. Seems that the USG insists on just cutting checks to these companies like SolarWinds, which are more interested in gaining clients, generating revenue, and marketing than effectively engineering durable solutions. Another factor is probably NIST's questionable practices about password hygiene (requiring them to be changed every 30-60 days).
Russia is getting one heck of bang for its buck. Its a declining regional power with a GDP the size of Texas [1,2] who our media blames all of our problems on. Imagine if a comparable adversary decided to mess with the United States.
Giving you the benefit of the doubt: you've conflated the Russian yearly budget with Maryland's GDP. Russian GDP of 2 Trillion would be the second in the US, between California and Texas
It's a declining global power, but a rising regional power. It's nowhere what it was in the soviet days, but it certainly has been growing since the post 90s collapse.
> with a GDP the size of Texas [1,2]
That's only on a nominal basis, but on a PPP basis, they are the 6th largest economy in the world.
Not public AFAIK. But multiple news agencies cite US officials who make the claim it was Cozy Bear / APT29 [1].
Microsoft claims [2], "We believe this is nation-state activity at significant scale ... Because of the sophistication of the techniques and operational security capabilities of the actor, we want to encourage greater scrutiny by the broader community..."
Reuters was the first to claim the attack was attributed to russia based on "3 sources close to the investigation" but presented no evidence.
The Washington Post claimed it was specifically APT29/CozyBear, also based on "3 anonymous sources familiar with the hack" with no supporting information.
Neither FireEye nor the US government have officially attributed the attack to any state actor, nonetheless russia, though it would be unusual to make an attribution this quickly anyways.
FireEye makes no note of any tools used in the hack that have been previously associated with either APT29 or Russia in general. Their countermeasures [0] seem to suggest all injected code was either in english or encrypted, but it would be pretty dumb to leave unencrypted russian (or any other language) text in your hack of a US program.
The security group Intel 471 apparently [1] found a russian-language actor trying to sell access to the solarwind network in April 2020, but it is unclear if they actually had that access, if that access was connected with this hack, or if this individual was anything more than a middleman. I just googled the name, and there is a facebook page for someone with no friends or activity who is signed up for a couple of ukrainian groups (a support group for the mayor of a town, a public transit department, etc) so the facebook page is clearly a bot but there may be no association.
That's the closest thing I could find to evidence.
Is anyone else expecting an eventual leak that one of the US cyber security agencies is behind this backdoor, never expecting someone else to abuse it? Too much of what the company has said in the past just echoes intel agencies opinions, and the response seems hyper focused on the "enemy" rather than those responsible for the breach. Their "solution" is just to turn off machines with SolarWinds, something they know will be a huge problem for anyone impacted.
I don't. It's sloppy work on solarwinds part. US agencies aren't know for using sloppy risks, they want clean, precise, and small footprint attack tools.
There's also the incident of the CIA using unencrypted communications that you could Google for leading to numerous agent deaths, so it's not like such things are too sloppy for US intelligence.
They talk about what a challenge it will be to remove the malware from the systems. In our municipal IT department, whenever we've had a major infection the users will just have to feel the pain for a day while we pull the systems for reimaging, which takes about an hour to do, with up to another hour to redeploy and install and configure software.
In some cases, we had systems standing by ready to swap out. Trying to find and remove the malware can be a needle in a haystack and next to impossible to find, and take longer that just swapping them.
In many cases, the D.o.D will just remove all tech in the stack and replace with new hardware. They simply can't trust it given the advanced persistence tools in use.
I imagine we're going to see a lot of equipment sold off next year to try and recoup after being decomissioned.
Will government still have the nerve to propose backdoor encryption after this? I mean, of course they will but will it still have the same effect over regulators?
We need to go back to paper, typewriters, and pneumatic tube systems. Or at least not rely on private, profit-seeking companies to protect our most critical infrastructure. How are they protecting critical infra in the U.K., France, and Germany? I would imagine that those governments use more centralized systems and are less reliant on private contractors.
44 comments
[ 4.5 ms ] story [ 107 ms ] threadhttps://www.cisa.gov/news/2020/12/16/joint-statement-federal...
Even if the positions paid more and had more modern drug testing policies, I have never, NOT ONCE, met someone who works in software at a government agency or at a company doing government contract work who wasn't a massive fuddy-duddy-boomer.
These breaches will continue to happen until the Gov takes a more pragmatic approach to it's technology and brings it's culture more in line with the private sector.
I am not a huge fan of alcohol, but if a job told me I could never drink again and they will test me to see if I have been drinking it would feel super invasive and be a huge turn off.
Ah, but on the contrary, I can confirm, based on what I consider a “high level” of coding, that some people cannot code without smoking weed every day. I can also assure you that many, many devs are daily users, quality of code output not withstanding.
Adversely tons of sleep, creatine and coffee seem to expand my context and I can hold a lot more simultaneously.
Life is also not about being the best programmer though, so I would definitely trade ability for comfort if weed was offering that.
It's not California, but it's nothing either.
That's probably worse for doing anything technical. NSA has a track record of solving hard problems. Homeland Security is a collection of police departments gathered together for political reasons.
When organizations rely on hundreds to thousands of platforms to operate, and those platforms are under the weight of hundreds and thousands of dependencies, it's not unlikely one could discover and quickly take advantage of randomly sprinkled secrets in some github repository. Humans, weak passwords, and improperly configured ACL are often the common denominator in the majority of recent breaches, not the systems themselves. People get lazy and start overlooking well established protocols that could have prevented these attacks. It's hard to do this right unless you hire red teams to perform monthly audits of every possible leakage or attack vector.
The objective evaluation of a comprehensive security architecture depends on its holistic effectiveness, not merely the effectiveness of the parts the designers thought about. By that metric, I am not aware of any commercial IT system that even meets the low bar of protecting against an attack with a mere $10M in funding, let alone the billions a state actor has access to. So, a question for you, are you aware of any commercial IT system in the entire world that you think would survive a $10M open bounty let alone $1B? If so, what objective, empirical evidence do you have to justify that claim? Hopefully one day I might get a convincing response to this question.
Even if we restrict ourselves to only consider the magic bank vault, it is still unreasonable to completely ignore everything else. It is a common problem for systems to be so hard to use or configure that it is nearly impossible to effectively use them. It would be like the magic bank vault requiring you to leave the keys unprotected on the ground at which point it would be unreasonable to claim the magic bank vault is a secure component since it can only be effectively integrated in an insecure fashion. Any claim that it was, in fact, integrated securely would need to positively demonstrate this fact against the common expectation of insecure integration.
Frankly, this is also getting very unrealistic. If any company had a system with even 10x that number of critical, trivial flaws I would be amazed. From my experience there are hundreds to thousands of such flaws which run through components at every level of design. Any system with hundreds of stupid flaws across hundreds of different components each of which can cause critical compromise is so poorly designed as to be anti-redundant and also hopelessly insecure. It is not even worth it to quibble over factors of 10 as by my reckoning these systems must improve by a factor of 1,000 to pose any real obstacle to a dedicated state actor unless somebody can actually point to a system that can withstand a $10M open prize with meaningful verifiable evidence for that claim.
Uh oh.
[1] https://www.nationmaster.com/country-info/compare/Russia/Uni...
[2] https://en.wikipedia.org/wiki/List_of_states_and_territories...
It's a declining global power, but a rising regional power. It's nowhere what it was in the soviet days, but it certainly has been growing since the post 90s collapse.
> with a GDP the size of Texas [1,2]
That's only on a nominal basis, but on a PPP basis, they are the 6th largest economy in the world.
https://en.wikipedia.org/wiki/List_of_countries_by_GDP_(PPP)
It's not rising in any sense.
Microsoft claims [2], "We believe this is nation-state activity at significant scale ... Because of the sophistication of the techniques and operational security capabilities of the actor, we want to encourage greater scrutiny by the broader community..."
[1] https://en.wikipedia.org/wiki/Cozy_Bear
[2] https://blogs.microsoft.com/on-the-issues/2020/12/13/custome...
The Washington Post claimed it was specifically APT29/CozyBear, also based on "3 anonymous sources familiar with the hack" with no supporting information.
Neither FireEye nor the US government have officially attributed the attack to any state actor, nonetheless russia, though it would be unusual to make an attribution this quickly anyways.
FireEye makes no note of any tools used in the hack that have been previously associated with either APT29 or Russia in general. Their countermeasures [0] seem to suggest all injected code was either in english or encrypted, but it would be pretty dumb to leave unencrypted russian (or any other language) text in your hack of a US program.
The security group Intel 471 apparently [1] found a russian-language actor trying to sell access to the solarwind network in April 2020, but it is unclear if they actually had that access, if that access was connected with this hack, or if this individual was anything more than a middleman. I just googled the name, and there is a facebook page for someone with no friends or activity who is signed up for a couple of ukrainian groups (a support group for the mayor of a town, a public transit department, etc) so the facebook page is clearly a bot but there may be no association.
That's the closest thing I could find to evidence.
[0] https://github.com/fireeye/sunburst_countermeasures [1] https://twitter.com/Intel471Inc/status/1339233255741120513
https://www.techdirt.com/articles/20201215/13203045893/secur...
In some cases, we had systems standing by ready to swap out. Trying to find and remove the malware can be a needle in a haystack and next to impossible to find, and take longer that just swapping them.
I imagine we're going to see a lot of equipment sold off next year to try and recoup after being decomissioned.