Oh those Russians!
...or Chinese, or North Koreans, or Iranians, or Israelis, or GCHQ...
Why does the western media always accept the default of Russia bad, America good and always blame them accordingly?
Rhetorical. I know why they do it. Sigh.
Microsoft president Brad Smith said the software giant's analysis of the SolarWinds hack suggests the code behind the crack was the work of a thousand or more developers. Speaking on US news magazine program 60 Minutes, Smith labelled the attack "the largest and most sophisticated attack the world has ever seen." "When we …
Really, wake up. MSFT of 2020 is not MSFT of 1995. There's a huge amount of support for Open Source in Azure, and throughout MSFT in general. The MSFT IT department even supports MacBooks (I'm typing this on my MSFT provided MacBook, and no, it isn't running Windows) and iPhones.
Disclaimer -- I've worked there since 2018.
Exactly. They don't now because it suits them. But this might change in a day.
I haven't forgiven IE6, or the nasty no-linux "discounts" for PC manufacturers, or the ISO bribery to get their close document format called open, or the many competitors they maneuvered to kill in a dodgy manner, or the W10 spying, or the PCs bricked after forced W10 updates, and so much more.
Heck I haven't forgiven them for pissing all over their customers by ramming the ribbon and then the metro interfaces down their throats.
Such disdain for your customers is deeply ingrained.
I am old enough to remember MSFT's shitty days, and the kein mitleid fur microsoft website, and linux = cancer, and all that. And you know what? The extent of the purge under Satya to get rid of all that crap was breathtaking. Ballmer, gone. Elop, gone. Sinofsky, gone. The infamous political infighting between divisions, gone. One Microsoft is the mantra.
Now, you may still dislike MSFT's products, but the truth is, Linux *won*, MSFT knows it, and it's all cool. Time to look forward.
Free stuff won.
Not anything to do with Linux or Windows, giving it away is what made LInux the "winner".
Where "winner" means "platform exploited by Google, Amazon and many others to make themselves richer than small countries while giving nothing back."
Well done.
No really, well done.
Why look abroad at all?
Isn't the hack DIRECTLY attributable to poor development processes in the organisation which was attacked?
Exactly how easy is it to insert an extra 4000+ lines of code into a process where multiple teams are delivering "new code" with every two week "sprint"? Maybe too easy!!!
>But that doesn't diminish the interest in knowing who it was that took advantage of it.
Absolutely, and this should be investigated and the results duly presented to the public. But this interest does not give anyone rights to defame, libel or put unfounded blame on others. If Russia were an evil country, Microsoft president accusing it of criminal conduct would find himself and the company under criminal investigation and sure, Microsoft has a lot to lose in Russia.
The funny aspect is that Russia does not mind punches from other countries and does not really respond to them, in other words, has a horrible PR department. Unlike China, where the official WHO delegation investigating coronavirus origins were denied access to the first 174 coronavirus patients and their medical history, had to accept China's assurances that no traces of _this_ coronavirus were found inside Wuhan Institute of Virology (which afaik has the world's largest collection of live coronaviruses and was in the past singled out for poor safety practices) and had to agree to stopping investigation into whether the virus could leak from the Institute's lab. That's what strongmen do.
Anyway, as long as accusations of Russia do not result in bombing it as other countries were bombed following accusations before and Russia not retaliating with nuclear bombs, we all should be safe.
"Isn't the hack DIRECTLY attributable to poor development processes in the organisation which was attacked?"
From various forums, it appears that the build system was remotely accessible, either directly or via VPN with no 2FA or strong password requirements. The reason it appears to be the build server is that public statements indicate the source code and other systems were not compromised. BUT that only allowed access AND should have been discovered at some point in the ~7 months the malicious code was present. Where were the checks to make sure the build system was producing the code that was expected? That isn't an agile issue - thats a "we throw it at the build system and fix any errors, otherwise its good to ship" problem.
And then there is the question of how 18,000 organisations (based on Solarwinds published details), many of whom had the resouces and security infrastructure in-place to detect this, managed to download the compromised code and use it and it only gets discovered by accident when a second phone number is added to a Microsoft account of a FireEye employee and a vigilant Microsoft security person questioned it.
How did everyone miss this for so long?
>How did everyone miss this for so long?
The average time to detect an implant/breach/intrusion is between 3-6 months; depending on when the attack started FireEye seem to catch it well within industry norms. Solarwinds is a different matter, apparently very bad at security.
"Why does the western media always accept the default of Russia bad, America good and always blame them accordingly?"
You're reading those words wrong. For 'good' read 'us*', and for 'bad' read 'them'. It's not 'good versus bad', it's 'us versus them'. The good/bad wording is just marketing spin by governments. If you were born on the other side of the planet, the marketing is flipped.
(* for 'us' read: countries in the orbit of Uncle Sam, not Uncle Boris**?)
(** no, not our Boris, their 'Boris').
#onemansterrorist...
There's a little bit of us vs them when it's government vs government exfiltrating secrets, but more often, there are moral judgements involved.
Not much outcry from the West when Russians were breaking into and disrupting ISIS computer system.
Ther would be plenty of outcry from all corners if the US Gov got caught breaking into a private company to steal trade secrets (which is China's current modus operandi).
There have been outspoken concerns about this possibility from allies: https://en.wikipedia.org/wiki/ECHELON#Concerns
>Because one is an open democracy, with the oversight of a free press and independent judiciary
I'd recommend a short course in government, say by watching a few episodes of "Yes, Minister", to get a perspective about how the UK actually works. It likes to compare itself to the US but its nothing like it because the basis of freedom in the US is decentralization -- its not that our institutions work any differently but there's a lot more of them and they get in eech others' way.
>he other is Putin's little puppet show.
Russia is also de-centralized. I daresay its instituions are as hidebound and conseravtive as ours.
>Because one is an open democracy, with the oversight of a free press and independent judiciary, and the other is Putin's little puppet show.
Do I understand correctly that crimes committed under the flag of democracy somehow justify themselves and the same crimes under the flag of authoritarianism cannot be forgiven?
P.S. Could you finally close Guantanamo please, people are being illegally incarcerated there without trial for almost 20 years?
A marvel of software engineering. Able to get 1000 developers all working as a team, producing a bug-free product to a half-decent schedule and none of the developers jump ship to a conpeting outfit (taking bits of code with them).
Maybe these Russians would like to develop a few other bits of softwre -- a 'track and trace' system, perhaps?
Who says it is bug free? It just has to work well enough to reach its goal but doing so doesn't mean there aren't bugs that make it work less well than it could have, or able to be discovered and/or have its origin discovered more easily than a completely bug free bit of software would have been.
Probably everyone reading this owns a smartphone that undoubtedly has hundreds or perhaps even thousands of undiscovered / unfixed bugs in its code. But they make calls, browse the web, send text messages, take photos, run apps and so on more than well enough for us to use them despite those bugs.
"Maybe these Russians would like to develop a few other bits of softwre -- a 'track and trace' system, perhaps?"
Reports would suggest the issue with track and trace isn't the software - the meat layer has memory capacity issues and there appears to be a significant trust issue with government staff. While health workers are significantly more trusted, demand outstrips supply and dressing people up as nurses doesn't seem to fool anybody.
I could buy perhaps the Chinese as a potential source, but NORK? Really? One of the serious problems that country has is that it discourages talent and merit. The Iranians might be a source, and they have the motives to be. But, on the balance, when you see the similarities to the Ukraine episode, the Russians are easily the best, immediate choice. They are also seriously handicapped by external sanctions that limit their ability to trade. Their agriculture has taken repeated serious hits several years in a row, and last, as a kleptocracy, their PTB are quite unhappy that their money launderer was turfed out of office before he could complete his work. China is in agricultural difficulties too (so's the US as far as that goes), but China is tremendously better off than Russia and has a vast array of legitimate overseas investments that can cover a lot of their short fall. So Russia is number one on the short list.
I never trust these kinds of guesses, how many times have they claimed something uncrackable only for it to be cracked that same day? *cough* Fairlight *cough*
Mind sure they would of been using code from all over the place, pointless redesigning the wheel unless it needs todo something new.
Yeah, must be those pesky furry Russians:
"The attack used a backdoor in a SolarWinds library; when an update to SolarWinds occurred, the malicious attack would go unnoticed due to the trusted certificate. In November 2019, a security researcher notified SolarWinds that their FTP server had a weak password of "solarwinds123", warning that "any hacker could upload malicious [files]" that would then be distributed to SolarWinds customers."
" SolarWinds did not employ a chief information security officer and employee passwords had been posted on GitHub in 2019".
"Insiders at the company had sold approximately $280 million in stock shortly before this became publicly known, which was months after the attack had started. A spokesperson said that those who sold the stock had not been aware of the breach at the time".
Seriously, half the stock market, many teenage boys and any UK/Iran/Mossad/Russia/Chinese hackers would want stock market intelligence like this.
It's the kind of password I would use to secure my public library book account with (hell I have probably done worse).
But for a password dedicated to FTP distribution of sensitive files, controlling network software for major corporations.....? I'm trying to decide if that is a fireable offence.
Between 1000 Mshaft engineers causing havoc and the perpetrators of the solar winds attack, is that the Havoc1000 approach is chaos based, whereas the solarwinds attack was highly defined,seemingly well executed and didn't appear to rely on frequent patching.
So, maybe a hundred devs.....
4.5K lines of core code and 1000 different developers identified. So supposedly a handful of lines of code is enough of a 'DNA sample' to distinguish one developer from another. How does that work? (None of them ever linted of course.) Perhaps they put their names in the in-line comments? // And a big shout-out to Vladimir Ruskyname for his trapdoor.
Biting the hand that feeds IT © 1998–2021