Microsoft says it found 1,000-plus developers' fingerprints on the SolarWinds attack

Microsoft president Brad Smith said the software giant's analysis of the SolarWinds hack suggests the code behind the crack was the work of a thousand or more developers. Speaking on US news magazine program 60 Minutes, Smith labelled the attack "the largest and most sophisticated attack the world has ever seen." "When we …

  1. Ryba Zfrytkami

    Oh those Russians!

    ...or Chinese, or North Koreans, or Iranians, or Israelis, or GCHQ...

    Why does the western media always accept the default of Russia bad, America good and always blame them accordingly?

    Rhetorical. I know why they do it. Sigh.

    1. Anonymous Coward

      Re: Oh those Russians!

      But doesn't M$ view Open Source and its Contributors as a bigger threat than Communism?

      1. PghMike

        Re: Oh those Russians!

        Really, wake up. MSFT of 2020 is not MSFT of 1995. There's a huge amount of support for Open Source in Azure, and throughout MSFT in general. The MSFT IT department even supports MacBooks (I'm typing this on my MSFT provided MacBook, and no, it isn't running Windows) and iPhones.

        Disclaimer -- I've worked there since 2018.

        1. Anonymous Coward

          Re: Oh those Russians!

          Leopards, spots and corporate culture. There'll be an attempt at embrace and extend at some point. All you can say is your employer might be a bit rusty when it happens.

          1. Anonymous Coward

            Re: Oh those Russians!

            Exactly. They don't now because it suits them. But this might change in a day.

            I haven't forgiven IE6, or the nasty no-Linux "discounts" for PC manufacturers, or the ISO bribery to get their closed document format called open, or the many competitors they maneuvered to kill in a dodgy manner, or the W10 spying, or the PCs bricked after forced W10 updates, and so much more.

            Heck I haven't forgiven them for pissing all over their customers by ramming the ribbon and then the metro interfaces down their throats.

            Such disdain for your customers is deeply ingrained.

            1. Rol Silver badge

              Re: Oh those Russians!

              And don't forget the 500,000 8 yard skips filled to overflowing with A4 flatbed scanners, and every other peripheral that relied on twain.

            2. Anonymous Coward

              Re: Oh those Russians!

              I am old enough to remember MSFT's shitty days, and the kein mitleid fur microsoft website, and linux = cancer, and all that. And you know what? The extent of the purge under Satya to get rid of all that crap was breathtaking. Ballmer, gone. Elop, gone. Sinofsky, gone. The infamous political infighting between divisions, gone. One Microsoft is the mantra.

              Now, you may still dislike MSFT's products, but the truth is, Linux *won*, MSFT knows it, and it's all cool. Time to look forward.

              1. Anonymous Coward

                Re: Linux *won*

                Free stuff won.

                Not anything to do with Linux or Windows, giving it away is what made Linux the "winner".

                Where "winner" means "platform exploited by Google, Amazon and many others to make themselves richer than small countries while giving nothing back."

                Well done.

                No really, well done.

                1. zuckzuckgo Bronze badge

                  Re: Linux *won*

                  I would say that complex licencing practices and booby traps pushed many organizations away from proprietary solutions.

    2. Anonymous Coward

      Re: Oh those Russians!

      Why look abroad at all?

      Isn't the hack DIRECTLY attributable to poor development processes in the organisation which was attacked?

      Exactly how easy is it to insert an extra 4000+ lines of code into a process where multiple teams are delivering "new code" with every two week "sprint"? Maybe too easy!!!

      1. veti Silver badge

        Re: Oh those Russians!

        The poor processes that created the opportunity have been widely recognised. But that doesn't diminish the interest in knowing who it was that took advantage of it.

        "Oh look, I left the door open. No point in looking for the thief, then" - said no one, ever.

        1. Muppet Boss
          Mushroom

          Re: Oh those Russians!

          >But that doesn't diminish the interest in knowing who it was that took advantage of it.

          Absolutely, and this should be investigated and the results duly presented to the public. But this interest does not give anyone the right to defame, libel or put unfounded blame on others. If Russia were an evil country, Microsoft's president accusing it of criminal conduct would find himself and the company under criminal investigation and sure, Microsoft has a lot to lose in Russia.

          The funny aspect is that Russia does not mind punches from other countries and does not really respond to them, in other words, has a horrible PR department. Unlike China, where the official WHO delegation investigating coronavirus origins was denied access to the first 174 coronavirus patients and their medical history, had to accept China's assurances that no traces of _this_ coronavirus were found inside Wuhan Institute of Virology (which afaik has the world's largest collection of live coronaviruses and was in the past singled out for poor safety practices) and had to agree to stopping the investigation into whether the virus could have leaked from the Institute's lab. That's what strongmen do.

          Anyway, as long as accusations of Russia do not result in bombing it as other countries were bombed following accusations before and Russia not retaliating with nuclear bombs, we all should be safe.

      2. Anonymous Coward

        Re: Oh those Russians!

        "Isn't the hack DIRECTLY attributable to poor development processes in the organisation which was attacked?"

        From various forums, it appears that the build system was remotely accessible, either directly or via VPN with no 2FA or strong password requirements. The reason it appears to be the build server is that public statements indicate the source code and other systems were not compromised. BUT that only allowed access AND should have been discovered at some point in the ~7 months the malicious code was present. Where were the checks to make sure the build system was producing the code that was expected? That isn't an agile issue - that's a "we throw it at the build system and fix any errors, otherwise it's good to ship" problem.

        And then there is the question of how 18,000 organisations (based on Solarwinds published details), many of whom had the resources and security infrastructure in place to detect this, managed to download the compromised code and use it and it only gets discovered by accident when a second phone number is added to a Microsoft account of a FireEye employee and a vigilant Microsoft security person questioned it.

        How did everyone miss this for so long?
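The check the comment above asks for ("was the build system producing the code that was expected?") is, in practice, an independent rebuild of the same tagged source compared byte for byte against what the release build server produced and signed. The script below is an added illustration written for this page, not SolarWinds' or Microsoft's code; the artifact names, the two build trees and the tampered DLL are constructed sample data, and the point it makes is that a valid code-signing certificate says nothing about this comparison: a compromised build host signs whatever it emits, so only a second builder that the attacker does not control can reveal the divergence.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_builds(official, rebuild):
    """Compare two {path: sha256} maps built from the same source revision.

    official: what the release build server produced (the tree that gets signed and shipped)
    rebuild:  what an independent builder produced from the same tag
    Returns a findings dict; all lists empty means the two builds agree byte for byte.
    """
    findings = {"mismatched": [], "only_official": [], "only_rebuild": []}
    for rel, digest in official.items():
        if rel not in rebuild:
            findings["only_official"].append(rel)
        elif rebuild[rel] != digest:
            findings["mismatched"].append(rel)
    findings["only_rebuild"] = [rel for rel in rebuild if rel not in official]
    return findings


def builds_agree(findings):
    """True only when no artifact differs or is missing on either side."""
    return not any(findings.values())


def demo():
    """Constructed scenario (sample data, not real artifacts): the build server's
    output has one tampered DLL while the checked-out source is identical on both hosts.
    Returns (findings, agree)."""
    source_outputs = {
        "bin/MonitoringAgent.dll": b"compiled from tag v1.0 (sample bytes)",
        "bin/WebConsole.dll": b"compiled from tag v1.0 (sample bytes)",
        "README.txt": b"release notes (sample)",
    }
    with tempfile.TemporaryDirectory() as official_dir, tempfile.TemporaryDirectory() as rebuild_dir:
        for rel, data in source_outputs.items():
            for base in (official_dir, rebuild_dir):
                target = Path(base) / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        # The tampering happens on the build host after checkout, so the source
        # repository still looks clean: only the produced binary diverges.
        tampered = Path(official_dir) / "bin/MonitoringAgent.dll"
        tampered.write_bytes(source_outputs["bin/MonitoringAgent.dll"] + b"\n<injected stub, sample>")
        findings = compare_builds(hash_tree(official_dir), hash_tree(rebuild_dir))
    return findings, builds_agree(findings)


if __name__ == "__main__":
    result, ok = demo()
    print("builds agree:", ok)
    for kind, paths in result.items():
        if paths:
            print(f"{kind}: {', '.join(paths)}")
```

The caveat a practitioner will hit immediately is that most toolchains do not produce byte-identical output by default (embedded timestamps, absolute paths, non-deterministic link order), so the comparison only works once the build is made reproducible; until then the honest version of this check is to diff the disassembly or the set of exported symbols rather than raw hashes. Either way the comparison has to run on a host the release pipeline cannot write to, or it inherits the same compromise it is meant to catch.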

        1. Muppet Boss

          Re: Oh those Russians!

          >How did everyone miss this for so long?

          The average time to detect an implant/breach/intrusion is between 3-6 months; depending on when the attack started FireEye seem to catch it well within industry norms. Solarwinds is a different matter, apparently very bad at security.

    3. Anonymous Coward

      Re: I know why they do it.

      Are they covering up for the fiendish machinations of that usually little known independence group, the West of Lothian Free Separatists?

      1. Anonymous Coward

        Re: I know why they do it.

        West of Lothian Free Separatists

        Splitters!

      2. Doctor Syntax Silver badge

        Re: I know why they do it.

        "the West of Lothian Free Separatists?"

        I question that.

        1. Anonymous Coward

          I question that.

          Hmm. A false-flag operation by the Lothian East Organized Peoples Alliance of Republican Democrats, then?

      3. JimboSmith Silver badge

        Re: I know why they do it.

        the West of Lothian Free Separatists?

        The Cornish National Liberation Army?

    4. Anonymous Coward

      Re: Oh those Russians!

      "Why does the western media always accept the default of Russia bad, America good and always blame them accordingly?"

      You're reading those words wrong. For 'good' read 'us*', and for 'bad' read 'them'. It's not 'good versus bad', it's 'us versus them'. The good/bad wording is just marketing spin by governments. If you were born on the other side of the planet, the marketing is flipped.

      (* for 'us' read: countries in the orbit of Uncle Sam, not Uncle Boris**?)

      (** no, not our Boris, their 'Boris').

      #onemansterrorist...

      1. rcxb Silver badge

        Re: Oh those Russians!

        There's a little bit of us vs them when it's government vs government exfiltrating secrets, but more often, there are moral judgements involved.

        Not much outcry from the West when Russians were breaking into and disrupting ISIS computer system.

        There would be plenty of outcry from all corners if the US Gov got caught breaking into a private company to steal trade secrets (which is China's current modus operandi).

        There have been outspoken concerns about this possibility from allies: https://en.wikipedia.org/wiki/ECHELON#Concerns

      2. Anonymous Coward

        Re: Oh those Russians!

        Why Russia. I'd love to tell you, but I signed an NDA.

    5. The Man Who Fell To Earth Silver badge
      FAIL

      Re: Oh those Russians!

      There's a reason even the Russians historically suspect their fellow Russians first.

      1. Lunatic Moonshiner

        Re: Oh those Russians!

        "I'm finished. I trust no one, not even myself."

        -- Joseph Stalin

    6. ZanzibarRastapopulous

      Re: Oh those Russians!

      > Why does the western media always accept the default of Russia bad, America good and always blame them accordingly?

      Because one is an open democracy, with the oversight of a free press and independent judiciary, and the other is Putin's little puppet show.

      1. martinusher Silver badge

        Re: Oh those Russians!

        >Because one is an open democracy, with the oversight of a free press and independent judiciary

        I'd recommend a short course in government, say by watching a few episodes of "Yes, Minister", to get a perspective about how the UK actually works. It likes to compare itself to the US but it's nothing like it because the basis of freedom in the US is decentralization -- it's not that our institutions work any differently but there's a lot more of them and they get in each other's way.

        >the other is Putin's little puppet show.

        Russia is also de-centralized. I daresay its institutions are as hidebound and conservative as ours.

      2. Anonymous Coward

        Re: Oh those Russians!

        Which one is which?

      3. teknopaul Silver badge

        Re: Oh those Russians!

        I see what you did there

      4. Muppet Boss

        Re: Oh those Russians!

        >Because one is an open democracy, with the oversight of a free press and independent judiciary, and the other is Putin's little puppet show.

        Do I understand correctly that crimes committed under the flag of democracy somehow justify themselves and the same crimes under the flag of authoritarianism cannot be forgiven?

        P.S. Could you finally close Guantanamo please, people are being illegally incarcerated there without trial for almost 20 years?

      5. Anonymous Coward

        Re: Oh those Russians!

        When one has nothing to say, he types "Putin", because the name is so telling...

    7. martinusher Silver badge

      Re: Oh those Russians!

      A marvel of software engineering. Able to get 1000 developers all working as a team, producing a bug-free product to a half-decent schedule and none of the developers jump ship to a competing outfit (taking bits of code with them).

      Maybe these Russians would like to develop a few other bits of software -- a 'track and trace' system, perhaps?

      1. DS999

        Re: Oh those Russians!

        Who says it is bug free? It just has to work well enough to reach its goal but doing so doesn't mean there aren't bugs that make it work less well than it could have, or able to be discovered and/or have its origin discovered more easily than a completely bug free bit of software would have been.

        Probably everyone reading this owns a smartphone that undoubtedly has hundreds or perhaps even thousands of undiscovered / unfixed bugs in its code. But they make calls, browse the web, send text messages, take photos, run apps and so on more than well enough for us to use them despite those bugs.

        1. very angry man

          Re: Oh those Russians!

          Come on, a bug-free piece of software would have stood out like a dog's whatsits.

      2. Anonymous Coward

        Re: Oh those Russians!

        "Maybe these Russians would like to develop a few other bits of software -- a 'track and trace' system, perhaps?"

        Reports would suggest the issue with track and trace isn't the software - the meat layer has memory capacity issues and there appears to be a significant trust issue with government staff. While health workers are significantly more trusted, demand outstrips supply and dressing people up as nurses doesn't seem to fool anybody.

    8. Marshalltown

      Re: Oh those Russians!

      I could buy perhaps the Chinese as a potential source, but NORK? Really? One of the serious problems that country has is that it discourages talent and merit. The Iranians might be a source, and they have the motives to be. But, on the balance, when you see the similarities to the Ukraine episode, the Russians are easily the best, immediate choice. They are also seriously handicapped by external sanctions that limit their ability to trade. Their agriculture has taken repeated serious hits several years in a row, and last, as a kleptocracy, their PTB are quite unhappy that their money launderer was turfed out of office before he could complete his work. China is in agricultural difficulties too (so's the US as far as that goes), but China is tremendously better off than Russia and has a vast array of legitimate overseas investments that can cover a lot of their short fall. So Russia is number one on the short list.

  2. Steve Davies 3 Silver badge

    How many of those fingerprints

    are there because of the fashion for 'cut/paste' from sites like stackoverflow.com?

    Thinking of it another way...

    How else would MS be able to fingerprint so many if it wasn't for repositories like stackoverflow?

    1. stiine Silver badge
      Facepalm

      Re: How many of those fingerprints

      Seems to me that Microsoft is one of the companies with over a 1000 developers.

      1. find users who cut cat tail

        Re: How many of those fingerprints

        Microsoft probably needs 100+ people to produce Hello world.

        1. Blazde Bronze badge

          Re: How many of those fingerprints

          One code monkey to write the Hello World program and 99 to issue a steady stream of Hello World updates over several years to fix most of the critical bugs and introduce some new ones, amirite?

          1. teknopaul Silver badge

            Re: How many of those fingerprints

            "4,032 lines of code were at the core of the crack."

            So Microsoft presume that over 1000 developers were involved. I can only presume that is a fair metric inside Microsoft, I knocked out 4000 lines last week myself.

    2. Anonymous Coward

      Re: How many of those fingerprints

      There was a reason for buying GitHub: fingerprint the world's code!

      1. sreynolds
        WTF?

        Re: How many of those fingerprints

        M$ is full of shit.

    3. Anonymous Coward

      Re: How many of those fingerprints

      "First learn computer science and all the theory. Next develop a programming style. Then forget all that and just hack." - George Carrette

  3. TheSkunkyMonk

    Figures

    I never trust these kinds of guesses, how many times have they claimed something uncrackable only for it to be cracked that same day? *cough* Fairlight *cough*

    Mind, sure they would have been using code from all over the place, pointless redesigning the wheel unless it needs to do something new.

  4. low_resolution_foxxes Bronze badge

    Yeah, must be those pesky furry Russians:

    "The attack used a backdoor in a SolarWinds library; when an update to SolarWinds occurred, the malicious attack would go unnoticed due to the trusted certificate. In November 2019, a security researcher notified SolarWinds that their FTP server had a weak password of "solarwinds123", warning that "any hacker could upload malicious [files]" that would then be distributed to SolarWinds customers."

    " SolarWinds did not employ a chief information security officer and employee passwords had been posted on GitHub in 2019".

    "Insiders at the company had sold approximately $280 million in stock shortly before this became publicly known, which was months after the attack had started. A spokesperson said that those who sold the stock had not been aware of the breach at the time".

    Seriously, half the stock market, many teenage boys and any UK/Iran/Mossad/Russia/Chinese hackers would want stock market intelligence like this.

    1. Pascal Monett Silver badge

      "SolarWinds did not employ a chief information security officer"

      You don't need a 'chief information security officer'.

      You do need an admin that's doing his job properly.

      Solarwinds123 didn't even have that.

      1. low_resolution_foxxes Bronze badge

        Re: "SolarWinds did not employ a chief information security officer"

        It's the kind of password I would use to secure my public library book account with (hell I have probably done worse).

        But for a password dedicated to FTP distribution of sensitive files, controlling network software for major corporations.....? I'm trying to decide if that is a fireable offence.

        1. very angry man

          Re: "SolarWinds did not employ a chief information security officer"

          YES!

  5. Chris G Silver badge
    Trollface

    The difference

    Between 1000 Mshaft engineers causing havoc and the perpetrators of the SolarWinds attack, is that the Havoc1000 approach is chaos based, whereas the SolarWinds attack was highly defined, seemingly well executed and didn't appear to rely on frequent patching.

    So, maybe a hundred devs.....

  6. Peter Prof Fox
    WTF?

    ...And your lucky colour is puce.

    4.5K lines of core code and 1000 different developers identified. So supposedly a handful of lines of code is enough of a 'DNA sample' to distinguish one developer from another. How does that work? (None of them ever linted of course.) Perhaps they put their names in the in-line comments? // And a big shout-out to Vladimir Ruskyname for his trapdoor.


Biting the hand that feeds IT © 1998–2021