Microsoft says it found 1,000-plus developers' fingerprints on the SolarWinds attack

Re: Oh those Russians!

Really, wake up. MSFT of 2020 is not MSFT of 1995. There's a huge amount of support for Open Source in Azure, and throughout MSFT in general. The MSFT IT department even supports MacBooks (I'm typing this on my MSFT provided MacBook, and no, it isn't running Windows) and iPhones.

Disclaimer -- I've worked there since 2018.

Re: Oh those Russians!

The poor processes that created the opportunity have been widely recognised. But that doesn't diminish the interest in knowing who it was that took advantage of it.

"Oh look, I left the door open. No point in looking for the thief, then" - said no one, ever.

Re: Oh those Russians!

"Isn't the hack DIRECTLY attributable to poor development processes in the organisation which was attacked?"

From various forums, it appears that the build system was remotely accessible, either directly or via VPN with no 2FA or strong password requirements. The reason it appears to be the build server is that public statements indicate the source code and other systems were not compromised. BUT that only allowed access AND should have been discovered at some point in the ~7 months the malicious code was present. Where were the checks to make sure the build system was producing the code that was expected? That isn't an agile issue - thats a "we throw it at the build system and fix any errors, otherwise its good to ship" problem.

And then there is the question of how 18,000 organisations (based on Solarwinds published details), many of whom had the resouces and security infrastructure in-place to detect this, managed to download the compromised code and use it and it only gets discovered by accident when a second phone number is added to a Microsoft account of a FireEye employee and a vigilant Microsoft security person questioned it.

How did everyone miss this for so long?

Re: I know why they do it.

West of Lothian Free Separatists

Splitters!

Re: I know why they do it.

"the West of Lothian Free Separatists?"

I question that.

Re: I know why they do it.

the West of Lothian Free Separatists?

The Cornish National Liberation Army?

Re: Oh those Russians!

There's a little bit of us vs them when it's government vs government exfiltrating secrets, but more often, there are moral judgements involved.

Not much outcry from the West when Russians were breaking into and disrupting ISIS computer system.

Ther would be plenty of outcry from all corners if the US Gov got caught breaking into a private company to steal trade secrets (which is China's current modus operandi).

There have been outspoken concerns about this possibility from allies: https://en.wikipedia.org/wiki/ECHELON#Concerns

Re: Oh those Russians!

Why Russia. I'd love to tell you, but I signed an NDA.

Re: Oh those Russians!

"I'm finished. I trust no one, not even myself."

-- Joseph Stalin

Re: Oh those Russians!

>Because one is an open democracy, with the oversight of a free press and independent judiciary

I'd recommend a short course in government, say by watching a few episodes of "Yes, Minister", to get a perspective about how the UK actually works. It likes to compare itself to the US but its nothing like it because the basis of freedom in the US is decentralization -- its not that our institutions work any differently but there's a lot more of them and they get in eech others' way.

>he other is Putin's little puppet show.

Russia is also de-centralized. I daresay its instituions are as hidebound and conseravtive as ours.

Re: Oh those Russians!

Which one is which?

Re: Oh those Russians!

I see what you did there

Re: Oh those Russians!

>Because one is an open democracy, with the oversight of a free press and independent judiciary, and the other is Putin's little puppet show.

Do I understand correctly that crimes committed under the flag of democracy somehow justify themselves and the same crimes under the flag of authoritarianism cannot be forgiven?

P.S. Could you finally close Guantanamo please, people are being illegally incarcerated there without trial for almost 20 years?

Re: Oh those Russians!

When one has nothing to say, he types "Putin", because the name is so telling...

Re: Oh those Russians!

Who says it is bug free? It just has to work well enough to reach its goal but doing so doesn't mean there aren't bugs that make it work less well than it could have, or able to be discovered and/or have its origin discovered more easily than a completely bug free bit of software would have been.

Probably everyone reading this owns a smartphone that undoubtedly has hundreds or perhaps even thousands of undiscovered / unfixed bugs in its code. But they make calls, browse the web, send text messages, take photos, run apps and so on more than well enough for us to use them despite those bugs.

Re: Oh those Russians!

"Maybe these Russians would like to develop a few other bits of softwre -- a 'track and trace' system, perhaps?"

Reports would suggest the issue with track and trace isn't the software - the meat layer has memory capacity issues and there appears to be a significant trust issue with government staff. While health workers are significantly more trusted, demand outstrips supply and dressing people up as nurses doesn't seem to fool anybody.

Re: How many of those fingerprints

Microsoft probably needs 100+ people to produce Hello world.

Re: "SolarWinds did not employ a chief information security officer"

It's the kind of password I would use to secure my public library book account with (hell I have probably done worse).

But for a password dedicated to FTP distribution of sensitive files, controlling network software for major corporations.....? I'm trying to decide if that is a fireable offence.