114 comments

[ 3.3 ms ] story [ 175 ms ] thread
> It's nice that Microsoft is admitting that the open-source approach is the right one for security -- something I and other open-source advocates have been saying for decades. But, inner source isn't the same thing as open source.

I thought this was common knowledge, but in a previous related thread my comment saying the same was downvoted with some replies about how MS engineers are security gods or some such. Interesting to contrast mainstream tech coverage with HN's RSU echo chamber.

I did notice that the initial coverage of the hack blamed open source tools ( which was interesting in itself ). I am not sure if I can ascribe it to malice though.
I was under the impression the argument against OSS from MS was not due to software security, but due to protecting IP.
https://en.wikipedia.org/wiki/Solar_Winds the correct definition of solar winds
It's also the name of a company. https://www.solarwinds.com/
Kinda apt to name it after a phenomenon that causes communications outages
Yes, like people using Icarus as a company/product name in the aerospace sector.
Or the Trojan condom
Maybe Solarwinds is just another Crypto AG? The name a bad joke, who knows ;->
Yes I didn't miss that crucial part of the title...

I just wanted to throw back to a childhood game :)

Most every .gov workshop is a windows shop, and will mandate windows software, been here many times. Solarwinds is a good microsoft slave, and not horrible for network management software, but not so much up on security as selling software. I know several Solarwinds shops including 2 current customers struggling with whether to crap can it, or rebuild and move forward until the next atrocity. Dealing with Solarwinds for some 15 years, it's typical Windows software - not so much security, but sell more of all our things, get paid.
It's worth to note that from the perspective of the involved companies all this incident was much ado about nothing and no incentive to change anything.

Sure, some of their customers or customers' customers got exposed to attackers, and some government secrets may have been lost, and some of their tech employees had to do a bit of overtime and "reputation was harmed", but so what, why should they care? Is there any material impact on the company finances? Currently it does not seem that it's going to destroy their future sales and ongoing licencing revenue, and it does not seem that they are going to have any huge liabilities for negligence.

If anything, the consequences (or lack of them) to SolarWind and other historical breaches are a good illustration that in the current business environment intentionally cutting corners on security is a smart move as it saves you money but if you get used to harm many others then you just shrug, do some apologetic PR and move on, and the impact of reputation damage is small and fleeting.

I've started realizing this since the Exquifax breach. There is no point for companies to take security seriously because what the flip does it matter for them? They'll bohoo about how bad it was, fire their security people bring in new ones and nothing will change.

In short if you are in the security field at this point you aren't being brought in to secure or stop anything you're there for upper management to point the blame at when the attack does occur. Because spending money on security cuts into revenue and profits and unlike not investing in paying off technical debt this has no material consequences.

Security deficiencies are technical debt
They are technical debt with no monetary impact however. If my servers crash and I have downtime because customers can't use my website or product that's a problem. If I suffer a massive security breach and loose all of my customers personal information, I am not going to face any consequences.
Except for customers that drop you, eg, Target.
That's the whole point - if we look at the consequences of historical major breaches, they generally don't result in large number of customers actually leaving the company.

And on some level that's even appropriate as generally the whole industry is vulnerable, it's reasonable to expect that the competitors have just as bad security as the breached company, they just didn't get breached because they weren't targeted by this particular attacker or because their breaches aren't (yet) detected or because they managed to hide and not publicize that breach.

The 2013 data breach at Target is a good example of the worst case scenario because it was the first major widely publicised case, all the newer ones had far less effect because people start to understand that the breached company is not unique (like they thought in 2013 about Target) and even then they lost just ~2.5% of customers, and regained the customer confidence after 2-3 quarters. So even in the worst case scenario, 97.5% customers won't drop you, and any effect is short term, as the Target case demonstrates.

Also, with tech companies... growth is such a huge part of valuation and business plan that they will focus on acquiring new customers rather than retaining existing ones. If you are growing 5-10% quarter over quarter, loosing the 2.5% isn't really going to hurt that bad. It also is easy to explain churn if you have a breach, the board will go "oh, that makes sense" and move on.
Have you heard of ransomware? Expired certificates? DDoS?
That's why I bought EFX stock on the dip after the hack, I knew there would be no consequence to their business. I've made 60% off of that bet, beating the S&P 500 over the same time frame.
This comment is a fantastic window into just how distorted the world has become.

(No shade being thrown; good on you for recognizing the opportunity and acting on it)

Tangent: I've noticed very few people are able to separate personal positions from personal insights. Refreshing to see your insight and "no shade" acknowledgement here.
And today $SWI is still just barely under their IPO price, and not even at an all-time low.
This is part of why I love working in the Bitcoin industry. Security there actually matters in a tangible way. Slipping on security can result in irreversible monetary theft of epic proportions. Potentially losing other peoples’ money is much higher stakes than losing their magic social security number.
This is the IT world's version of too big to fail. If it happened to our smallcap company I'm almost certain we'd lose all our government contracts overnight.
The article makes many jumps and some false claims.

Example: "Russia, we now know, used SolarWinds' hacked program to infiltrate at least 18,000 government and private networks. The data within these networks, user IDs, passwords, financial records, source code, you name it, can be presumed now to be in the hands of Russian intelligence agents."

Reality from the linked source: "The breach is far broader than first believed. Initial estimates were that Russia sent its probes only into a few dozen of the 18,000 government and private networks they gained access to when they inserted code into network management software made by a Texas company named SolarWinds. But as businesses like Amazon and Microsoft that provide cloud services dig deeper for evidence, it now appears Russia exploited multiple layers of the supply chain to gain access to as many as 250 networks."

There's a big difference between 250 and 18000.

Further it claims that the source code access is significant. As noted in this thread: https://news.ycombinator.com/item?id=25599210 all major Governments have had read access to the source code for Microsoft products for years.

The hack is extremely serious and for that reason it merits accurate claims, response, and technical actions. Fearmongering like this article does to push an opinion piece is not it.

18000 customers downloaded the backdoored version so the attackers got access and could have gone into any and all of these networks. As far as we know, they did move forward in 250 or so and did not proceeed with the others (presumably because of resource constraints) - but still all those 18000 networks were infiltrated by the malware, and if I was one of these 18000 companies then I would not just assume that we got skipped - so at the very least that should result in 18000 careful audits to verify if the potential intrusion happened.
There was a 10~14 day time delay before it connected to its CNC. It minimized network traffic and was probably only activated for targets deemed worthy. People with a weapon like that don't want to be detected unless there is a viable target.
The malicious version had items in place that would cause it to not activate if certain anti-malware software is present or other environmental conditions were not met (like not joined to an active directory). This reduces the number from 18k to something less (still probably huge) but 18k is the max if perfect conditions are present.

As for why the attackers did not proceed, resourcing probably had nothing to do with it and more along the lines of many of those customers were not interesting. Proceeding to load further malware stages in those uninteresting customers increases the chance of getting detected and given that the attacker was targeting long term persistent access to highly valuable targets, the attacker by design more likely simply left targets without valuable information alone.

It's probably both. Additional exploitation of targets was typically required to reach data of interest, and at a certain point you do get resource constrained having to deal with a high number of targets. It takes time to exploit them, it takes time to ingest and parse the discovered data, and even basic things like managing all the resulting shells takes time.

Based on this, as you say there were likely a high number of targets who probably were not worth the time to exploit, especially when every exploitation action increases the risk of detection and cessation of the op.

>There's a big difference between 250 and 18000.

18,000 networks were backdoored, but the Russians only chose to actively attack ~250 of the most "interesting" targets. Avoiding detection for as long as possible was deemed more important than e.g. exfiltrating data from cancer clinics in Indiana.

the old rule in espianoge is that some times the source is more important than the information, where using the information from the source reveals the source which means the source is no longer useful. whether that's a spy that gets jailed/killed or a patch applied to a vuln.
If you do not claim a state actor as the culprit you would be considered negligent, doing so removes any whiff of guilt since who could compete against a state? Claiming 'Russia hacked me' is the new dog ate my homework. Reality is that it COULD be a state actor, but there is no proof ever presented in these attacks.
It's cost prohibitive for a small group to pull this off unless they are financed by a large criminal org. You're talking about a small company's worth of people to design the software, QA it, stand up and monitor the infrastructure, perform the follow on exploitation, manage the shells, parse discovered data from hundreds of targets, etc. That's probably millions of dollars in salary alone.

The attack pattern also makes no sense for a criminal organization with this level of access. Why wouldn't you go after resources you could trivially monetize or data you would want to know about like customer data, IP, financial resources, law enforcement, etc? Reading government emails seems like a waste of time unless you are trying to resell the intelligence to interested parties. Going after FireEye red team tools seems like a very high risk waste of time.

Lastly, you're taking on American intelligence with above the wire capabilities. You're telling me a group of this size has the opsec capabilities to evade the NSA? No one made a mistake?

For the sake of discussion, let's say this must be a state actor of some kind. Has there been any evidence provided that this must be Russia?
The methods utilized in this compromise are consistent with methods utilized in other attributed breaches not disclosed.
>> Has there been any evidence provided that this must be Russia?

> The methods utilized in this compromise are consistent with methods utilized in other attributed breaches not disclosed.

I am unable to understand what meaning I should extract from your comment.

My expectation is that an answer to my question must be one of: Yes, No, or Unknown (and possibly accompanied by additional commentary).

Would a proper interpretation of your answer be either of these?:

- "No, there has not been any evidence provided that establishes that this must be Russia."

- "There has not been any evidence provided that establishes that this must be Russia, therefore it is UNKNOWN whether this is Russia."

No, and they're not going to release that data while the investigation is ongoing.
Does it seem odd at all that everyone is not just willing but eager to accept repeated claims of Russian responsibility for this or that, despite significant evidence for the repeated claims rarely being released? Even asking a question is essentially guaranteed to be met with at least downvotes, if not a stern lecture, despite there being no evidence.
> Does it seem odd at all that everyone is not just willing but eager to accept repeated claims of Russian responsibility for this or that, despite significant evidence for the repeated claims rarely being released?

Not particularly. It is no secret that Americans really don't like the Russian government, and there is precedence for APT groups associated with the Russian government attacking the US. I agree though that there is no publicly available data to support the assertion that Russia is responsible for this at this time. My earlier post was simply pointing out the low likelihood of an individual or independent group performing this attack. The high level of sophistication combined with their risky target selection suggests it is a nation state.

It does indeed suggest that it is a nation state - my problem is with the repeated (evidence-free) assertions that the nation state is(!) Russia - and also that hardly anyone seems to care about what is Actually True, on matters this dangerous.
(comment deleted)
The original reports from the us government stated that only 40 organizations got a secondary payload .. now they've upped it to 250.

That's a 5x increase, and is pretty substantial, especially because each of these organizations are generally large, important, and were likely specially targeted for a reason.

It's also important to get this message out because so many people are out there thinking that since they weren't on the initial list, that they are safe.

That is not the case. The attack was much wider than reported, and this is a huge deal because it means there are likely still breaches that have not been found yet.

> only 40 organizations got a secondary payload .. now they've upped it to 250

Yeah, the more I know about USG cyber, the more I'm convinced the delta is simply those who have gotten around to a) finding the payload, and b) actually annotated it in their reporting system.

The title claims it’s worse as we learn more. I personally didn’t learn anything from that article which wasn’t announced when the breach was initially discovered. The public still knows very little. It could certainly be bad, but no one is telling us how bad.
The largest leap is claiming Russia in particular.
I mean it's 50/50 between them and China.
You also have regional powers putting resources into these things; Iran, Turkey, Israel, even North Korea and so-forth. All a nation needs is a few hundred smart, well organized people in a building with fast Internet and a lot of machines. Any hacking tool or approach can be stolen or emulated. If you are well organized, you leave the "finger prints" of other groups as well as their tools.
This is the m.o for a lot of these blog content mills. Link to well sourced and thorough original reporting (in this case[0]) and attach some unfounded and outdated greybeard stroking opinion around it and then file your piece for that day.

This article is _terrible_ - from the "security through obscurity" sections through to Microsoft not taking security seriously (ask anybody who was around in the late 90s when they had issues - they essentially pivoted the entire company around securing their products) and complete ignorance to "dumping" Orion

[0] https://www.nytimes.com/2021/01/02/us/politics/russian-hacki...

> Russia, we now know, used SolarWinds' hacked program to infiltrate at least 18,000 government and private networks.

The question of whether it was Russia is not that interesting.

This thing of countries blaming other countries for attacks is getting boring. In cyber, there are no borders. If something is vulnerable, it's vulnerable. You don't need the prerequisite of APTs or 'sophisticated nation state cyber threat actors' or whatever. Attribution is boring these days and so much emphasis on Russia as if we don't know already they have their fingers in so many American pies.

Sure it might be boring to find out any specific hack is China or Russia, etc... but where that becomes important is the fact that whatever secrets that get stolen, the country does in fact matter. Think of it this way - if the government of the country you live in places a bounty of say ($2000 USD or that country's equivalent) for each top secret document - it both places a high value target on us, as well as revealing the things that they DONT know. I mean, specifically do you know of the latest in Fort Knox's security protocols? Do you know the latest in high powered microwave weapons that we're developing (and how to make them)?

These are things we really don't want additional countries knowing how to make.

The real threat is the IP obtained about leaders in key positions that will be used to blackmail the same. While that’s more of a Chinese tactic, Russia and others dabble here as well. One could say they simply instituted Assange doctrine for institutional purposes.
> This thing of countries blaming other countries for attacks is getting boring. In cyber, there are no borders.

Technically correct, and very wrong in all other ways.

Who performs the attack is a very real concern, because unlike some of us, the attackers likely have lofty goals in the real world which are aided greatly by their successes in "cyber."

(I maintain that anyone who uses the word "cyber" seriously today doesn't understand what they're talking about, in virtually all cases. It's fine to not understand stuff, by the way. Just be open to learning more.)

If Russia is able to find holes in Windows, the OS used by nearly every business on the planet, they will use those vulnerabilities to their advantage in whatever ways they require. They will obtain personal information about people, blackmail them, maybe. Who knows. Russia and others WANT to take down those who disapprove of them quite strongly. They potentially want to bring low anyone who has spoken bad about them publicly (if so, I'm screwed) or anyone who could have helped them in some way and chose not to. North Korea, Iran, Saudi Arabia, Russia (perhaps to a lesser extent) have real beefs with the US.

Information gained via incredibly catastrophic breaches like this one give real countries with real weapons real leverage against others, potentially. Especially if the vulnerability opens more doorways that would otherwise not have been accessible.

I've been divorced twice. DO NOT UNDERESTIMATE the lengths that people will go for revenge for even the smallest slights. Some people get absolutely drunk on the slightest bit of power they have over others, and they know that, so they accumulate leverage against their enemies, real or imagined, continually in anticipation of a time when it will be useful.

In short: this is a big deal. It matters who is behind it.

You are absolutely correct. However, as a US citizen, I am much more concerned with harm caused by domestic intelligence services than by foreign actors. Unscrupulous people are everywhere, not just in the “axis of evil” Russia/Iran/NK etc.

Furthermore, I am ashamed of some of the things my government has done with my tax dollars and in my name around the world, and I won’t be duped into defending my abuser in some state-level blackmail game.

I see your point.

I'm not afraid of the CIA or NSA or any other three letter agency in the US. They are doing what Congress has allowed them to do (mostly.)

What scares me is people like Mitch Mcconnell who somehow continue to get elected when polls show nearly the entire state of Kentucky wants him out. That is keep-me-awake-at-night level of scary.

Source? I could only find one 2020 poll on FiveThirtyEight that didn't have McConnell in the lead. In that one, his opponent only had a 1% lead, and in most of the other ones McConnell led by 5+ points. That's a far cry from "nearly the entire state of Kentucky" wanting him out.

EDIT: Source: https://projects.fivethirtyeight.com/polls/kentucky/

Do we even really know it was Russia? Everything I've seen so far seems to assume that rather than have a confirmed link.

edit: source seems to be Washington Post article "according to people familiar with the matter, who requested anonymity"

https://web.archive.org/web/20201213220635if_/https://www.wa...

Not that I've been able to discern. But why live in a world of ambiguity when you can blame everything you don't like on a central antagonist'
I treat anonymously sourced news articles as a coin toss nowadays—assume a 50% chance that the claims in the article are unqualified truth.
Wow, I guess CIA only needs pay for two pieces to convince you of the Truth™.
If you believe that's how coin tosses work, you could believe almost anything.
That's not how probabilities work
Not a good read - more like a rant, light on substance, and stretches some things.
This is a terrible article. It is just a rehash of information that was public 2 weeks ago with a couple of scare quotes. I should have known better than to expect news from zdnet though.
> Russia, we now know, used SolarWinds' hacked program to infiltrate at least 18,000 government and private networks. The data within these networks, user IDs, passwords, financial records, source code, you name it, can be presumed now to be in the hands of Russian intelligence agents.

Yep. I'm SURE it was just Russia. It's not like our government is perfectly happy squirreling away CVEs so our own intelligence agencies can exploit them themselves.

I'm glad there are others who are challenging the Russian narrative in here. I'm sure many of us watched the original SANS broadcast (which wasn't for public release; youtube-dl is a great tool. I download everything before I start watching it now before it disappears).

In the SANS report a research tries to discredit people who claim this is CIA or a US state sponsored operation, yet also claim there is clear evidence of a "signature" from "Cozy Bear" ... what is this signature? Shell code? A known compiler flag? FireEye and SANS have released zero information on this or anything that connects things to Cozy Bear.

Also from that report, there were excluded IP ranges that were all Microsoft IPs (not all of the Microsoft IPs, but all the ranges belonged to Microsoft).

Vault 7 shows the NSA and CIA are involved in domestic operations (and if you go back far enough Church Committee) and there is a chance this was a US based State Actor. Let's not forget about STUX.

The level of this attack was incredibly sophisticated. It had built-in delays for several days to avoid network sandboxing tests in the CI/CD pipeline. It was signed and released from Solarwinds CI/CD pipleine as well.

Let's not dismiss Snowden so easily and not realize this could have been an American state actor as well (or even the UK, the EU or any other "allay" or enemy).

So your theory is, because they didn't release the Cozy Bear signatures, that it must be CIA/NSA? That's a huge stretch to the opposite side of the conspiracy. How do you explain the hacking of the Treasury and other government agencies in your scenario?
I'm just wondering what the hell a "signature" is in this context? You think Cozy Bear is leaving their name in the binary? It's just a lot of security-by-obscurity hand waving. It's FireEye spewing out stuff as "facts" with very little evidence.
A signature in this context nearly always means an IoC: https://en.wikipedia.org/wiki/Indicator_of_compromise

Which in weak cases can be an artifact observed throughout the attacks though not necessary for the behaviour to occur (e.g. compiler timestamp), and in strong cases the artifact is tied directly to the malicious behaviour (e.g. explicit registry key or anti-infection marker)

Or obfuscating your C&C communications in mundane hash functions that appear to be routine periodic checks of file integrity. Exfiltrating your data the same way. They lived off the land and modified code. Pure genius, yet they poked a beehive. Wait for the full disclosure on this one. Impacted agencies and businesses are still assessing the scope of compromise. If you look around and see government businesses that were down over the holidays “upgrading their environment”, that would be a clue. What is frustrating is the number of agencies fully compromised in every respect yet they’ve not disclosed anything. Congress is gonna mindblow in about 6 months. And quite a few state legislative bodies as well. All those orgs hiding what we already know.
You can’t seriously expect intelligence gatherers to disclose something like that to the general public. It would become worthless. They’d never be able to use it again.
Oh "they" can and will dream up stuff like this and then hash it over and over again, even though there was a post about this just yesterday how rehashing things over and over is pretty pointless.

Even if US intellegence is pinning it on Russia or it was someone else, there's no way we're going to know about it right now.

This event will be a central security topic in academic studies for years to come. It is a literally fascinating design.
The cloud is seriously the most irrational thing we've done to ourselves and the investors merrily agreed to it's fascinating design and threw money at it makin the problem worse, maybe.
At the moment, this is an active incident with response still going on. The attackers likely have persistence in multiple places in target networks.

Releasing attribution evidence right now will not happen as that would intrude on the response. Instead you will get signatures for specific pieces of malware or generalized yara rules to look for indicators of compromise. The specific indicator that allowed for attribution may never be released as then this particular adversary could work around it.

FireEye is a reputable security organization that is publicly traded. If they were lying and it was discovered as a company their business would go away rapidly and some of their executives might even go to prison. If you have legitimate evidence that casts doubt on their statements please share it. Finding something that significant would shake up the industry.

Attribution is most likely a combination of evidence and forensic data collected both from the initial breach (SolarWinds) and other breached entities. Things like how data was exfiltrated and to where to who purchased and setup the domain names, any other malware that was loaded (was it signed, compiled, contain a certificate, etc).

While Snowden did reveal interesting things, there is zero basis to support anything other than a Russian state actor at this time.

>FireEye is a reputable security organization that is publicly traded. If they were lying and it was discovered as a company their business would go away rapidly and some of their executives might even go to prison.

I think a more likely outcome would be their stock price would drop for a few weeks, maybe executives would resign, and then it would be forgotten.

> FireEye is a reputable security organization that is publicly traded

So was RSA when they accepted $10 million from NSA to backdoor their crypto library. As long as FireEye keeps the customers who pay the bills happy they'll be fine, just like RSA was.

It's hilarious to say that RSA were ever reputable - they were the butt of every insider infosec joke for decades.

We _knew_ at the time that Dual EC_DRBG was bad - there is an entire openssl mailing list archive from the moment it was announced/proposed talking about it being bad

FireEye / Mandiant are _the_ team within infosec who are experts in the field of attributing state threat actors - you won't find many experts who openly disagree with them

It could be that no one disagrees with them because they're always right. Another possibility is that there's only so much "attribution" business to go around, and the customer is always right. The very idea of worrying more about who walked in the open door than about closing the door is a sure sign that "politics" has taken over completely.
Given the fact their CEO is former USAF OIS and has handled this event magnificently using ethics and morals as a guide I seriously doubt they’re hiding anything. They discovered the biggest cyber espionage campaign in the 21st century. And took a few punches to the gut in the process. They are setting a model disclosure example. Unlike the other compromised organizations that won’t admit a damn thing until they’re seated in front a legislative board of inquiry or grand jury.
Weird that you're on this thread saying it's not the SVR, and you're on the vaccine thread saying that's a bunch of nonsense. I'm sure that's just random though.

SANS isn't some secret government group - I have a colleague who is an instructor there. Those recordings aren't some top secret briefings. I and a lot of other industry professionals attended them

> " It's FireEye spewing out stuff as "facts" with very little evidence."

An APT has certain TTPs that allow you to start to figure out who is behind attacks. FireEye has tracked the attacker as UNC2452, which means it is "uncategorized" in their view. Others have come forward pointing fingers at the SVR.

Finally, just a tip: if you want to sound like you know what you're talking about, it's not a "CNC" it's a "C2".

I'd appreciate it if you kept arguments to the topic on this thread. Looking up other topics and condemning people for their opinions is not cool. It's becoming a large problem in a lot of online forums. All of us have a lot of different opinions and they vary. This isn't Reddit.

> SANS isn't some secret government group

I understand that, but the video/livestream they released at the time was Unlisted on YouTube and had a watermark saying it wasn't for general release. I realize they didn't intend to have it up permanently and am familiar with the roles SANS has in the security industry. I was just commenting on the video and things I think they got wrong.

> Finally, just a tip: if you want to sound like you know what you're talking about

No need to be insulting. I've heard them called Command and Control servers before. I don't currently work in security; haven't in years. I'm just speaking as as developer/sysadmin.

(comment deleted)
> I'm just wondering what the hell a "signature" is in this context?

If you genuinely don't know how companies like FireEye do attribution then one has doubt the level of insights you have.

Notably in this case FireEye said they COULD NOT attribute the attack to any group initially:

"FireEye wouldn't confirm the APT29 attribution and gave the group a neutral codename of UNC2452, although several sources in the cyber-security community told ZDNet the APT29 attribution, done by the US government, is most likely correct, based on current evidence"

https://www.zdnet.com/article/microsoft-fireeye-confirm-sola...

and there's serious planning right now on appropriations to fix this... e.g. buying a huge amount of new computers and hardware + staff time

seems very very far fetched. i guess if i got caught breaking a ton of laws against my own government I might want to misdirect too

this seems like the same trolling type comment farm crap we see anytime these countries come up

Do you think that if FireEye shared with the public how they attributed it to Russia, Russia would make the same attributable mistakes again?
(comment deleted)
Attribution is to UNC2452 and not Cozy Bear, although there are certain shared characteristics making the source region clear.
Does it strike anyone as odd that SolarWinds has a Vice President of security? Note that this company develops network and infrastructure management software and their updates are automatically pulled and installed by their customers. Every VP at such a company needs to be a VP of security, and every engineer needs to be a security engineer. Not understanding that is problem #1. Having a Vice President of Security at a company like this is a bit like having a "Vice President of Profit". Just as profit is everyone's job, so should security, at a company like this. If Target or Costco has a VP of Security that's understandable because security is not integral to their products, but for SolarWinds it should have been.
It's probably a matrixed organization. There is just a VP with this focus because it is "very important".
This article seems to be poorly written. For example, I have no idea what the author wanted to say here:

For decades, one of proprietary software's stupid assumptions is that "security by obscurity" works. While it can help -- no, really it can if used intelligently -- that's not the case with proprietary code.

Level of reporting in this article seem to target unicellular protists. Congratulations ZDNet, real journalists of the past must be turning in their graves.
This appears to be fake news or clickbait. So many false info.

This event appears not related to any country. Someone interested on sell private data would do something like this.

This is what happens when you put all your eggs in one basket. Centralization and emphasis on scale comes with risk; especially when technology and security are involved.

It was only a matter of time.

Has there been any evidence released to the public that shows how and why the Russians are being attributed to the SolarWinds hack?

I’ve looked at the source code that Microsoft and others have realeased of the initial backdoor but I don’t see anything in those few lines that can positively attribute to anyone.

In fact, the only thing that looked familiar was the crypto that was used to create the sub domains on the fly that hid the victims Fingerprints looked similar to what has been used in mobile malware created by China but that is still too flimsy to attribute anyone to as well.

Methods utilized in this compromise are consistent with known attributed methods used in breaches not disclosed.
The Dominion company (behind the voting machine software in the US) used Solarwinds. It was plastered on many of their websites.

It was removed the day this hack went public.

I don't believe in coincidences.

What exactly are you implying?
You can put the pieces together. Why aren't we hearing about this on the news?
(comment deleted)
Stop vagueposting. If you've got a point, state it. Don't make us guess.
Since you can't actually figure out the most obvious point ever made in a comment. The Dominion company used Solarwinds, which could have directly affected our elections after multiple companies were breached from the hack.

In Georgia, a security professional proved that machines were not only attached to the Internet, but were getting updates from servers outside the country and had the ability to be updated in real-time.

This was never investigated.

Thank you. I could figure out most of that, but I resent the "I ask questions and expect you to figure it out" format, no matter who does it and what point they're pushing. And in fact you supplied some details that I did not know and would not have guessed.
Those claims were dropped because they were wishful thinking and didn’t stand up to even the slightest scrutiny. The non-expert who made those claims caused the author of the tool he misinterpreted to write an entire blog post about it:

https://medium.com/@micallst/misusing-osint-to-claim-electio...

The other key thing to understand is that Georgia had a full hand recount of the paper ballots which those machines tabulated. Even if they were completely hacked, they couldn’t rewrite the paper records and there’s no credible evidence of even a single ballot being changed much less the many thousands of them which would have been needed to make the electronic and hand counts match.

A random person on a blog is not an investigation. We needed a full audit after 100s of people came out with allegations. This would have put it to rest.

There were other allegations that Dominion machines were attached to local networks for updates during election night. Were they? I have no idea. There as no investigation. Only denial.

I personally have used dead people's names (with DoB and city) in a few of the battleground states and I could see they not only received a ballot on election night, but sent it back. How could this possibly happen?

This was passed off as 'fake news'.

I'm not going to repeat all of the other claims, but we had a bigger investigation on Trumps Russian collusion, which had a fraction of the evidence.

If I could put in a handful of names into a government site and see this, I can't imagine the amount actually in these databases.

The sickest part is that people just aren't curious. They hate Trump so much, they want to win at all costs.

After so much time has passed and state leaders have rejected any and all calls for investigation (and big tech sites have censored anyone that questioned it), even if there was evidence at one point in time, it would be long gone by now. These investigations should have been immediate.

The Democrats are now going to usher in some of the worst laws imaginable for free speech. It has already started with the de-platforming of Parler.

At some point talking time will indeed be over, and it will be a time for action.

> I personally have used dead people's names (with DoB and city) in a few of the battleground states and I could see they not only received a ballot on election night, but sent it back. How could this possibly happen?

Who gave you the list of dead people? How did you verify its accuracy and rule out things like that case with an older woman voting as “Mrs. [dead man]”? What did reporters say when you contacted them?

> I'm not going to repeat all of the other claims, but we had a bigger investigation on Trumps Russian collusion, which had a fraction of the evidence.

That’s just silly: we have a mountain of evidence from multiple governments’ investigations into Russia’s activities and it’s had extensive hostile cross-examination. In contrast, we have a pile of unsupported allegations rife with errors and bad faith claims which the president’s own lawyers kept dropping because they knew that they didn’t have a case. That’s why Trump had to pressure people to manufacture fake votes because the real ones didn’t give the answer he wanted.

Interesting that the US would outsource tasks critical in terms of national security to an external private company even though the American Department of Defense is the largest employer in the world, public or private. Don’t they have enough people in the payroll to write their own remote management software?
Not that we have public evidence to prove whether it was a nation-state or not, but in my experience as a vulnerability researcher, finding high-impact flaws in popular tools (closed + open source) and government services is much more easier than people realize.

Take a look at the number of vulnerabilities reported to US Department of Defense via Hackerone: https://hackerone.com/deptofdefense/hacktivity?filter=type%3... (and these are just the ones publicly disclosed, a lot of them remain undisclosed, you can change the filter to see how many are reported in last few days/hours)

And taking this single report as example: https://hackerone.com/reports/761790

Reported at: December 19, 2019 4:19pm +0000 Resolved: 1 Month ago

And this is when there is no bounty attached to these, just some Hackerone points which help you gain higher reputation and possibly win some private program invitations. Imagine how many reports a monetary reward would bring in. I would really be surprised to know that adversaries are not already hoarding the flaws, especially when this is their daily business.