I assume Fred Voccola is aware of the history of the three envelopes, and has already progressed to retrieving envelope three from the Company safe.
Beleaguered IT management software vendor Kaseya has delayed the restoration of its SaaS services until Sunday, July 11. An update to the company’s incident guidance report includes a video message from CEO Fred Voccola, who took personal responsibility for the delay. “It is my decision to do this to pull the release from …
Friday 9th July 2021 09:36 GMT Pascal Monett
“This was the hardest decision of my career,”
I'm pretty sure that there will be harder ones in the future.
That said, I have come to believe that Kaseya should have the benefit of the doubt. White hats have pointed out that Kaseya reacted swiftly and properly to vulnerability alerts, and did everything it could to plug the holes as swiftly as possible.
Unfortunately, the criminals got in first. You cannot guard against bad luck.
I'm now convinced Kaseya is doing what it can to pick up the pieces and put everything back together again. All the noises being made point to a team that is working its ass off and trying its best to recover from the situation.
I no longer think that Kaseya was asleep at the wheel. I feel sorry for everyone involved, and I really wish someone could stop those despicable criminals.
Good luck, Voccola.
Sunday 11th July 2021 18:35 GMT Anonymous Coward
Re: “This was the hardest decision of my career,”
"You cannot guard against bad luck."
Yes and no. You cannot prevent criminals exploiting aspects of your product where they don't comprise part of the threat model, and you cannot entirely prevent bugs exploited by the people who find them. However, you can move more quickly than taking 3 months to fix a bug someone told you about, especially one that has obvious customer security implications. Move faster. It's worth taking some risk when stuff like this happens: you should have a good regression test suite already, and if the fix passes, you probably want to publish the patch, not after the 90 days the reporter gave you but NOW! Always assume that criminals and states (same thing really) are actively exploiting the bug. Quick quick quick! If you aren't sure the fix is right, tell your customers anyway and give them some other mitigation. The bad guys are always way ahead of you; don't convince yourself otherwise.
It's not just bad luck; it's hopeful assumptions. If you are a vendor and someone reports a security-relevant bug, you must assume that someone somewhere is already exploiting it against *YOUR CUSTOMERS*. If you love your customers, if you respect and care for them, you must move as fast as humanly possible or faster. 3 months is a crime. They could have done better, and should have. Assuming that the reporter was the first or only discoverer, or that the knowledge won't leak, is just naive optimism. MOVE FASTER.
Friday 9th July 2021 11:20 GMT sitta_europea
When this company approached my company about providing a service, I said "Over my dead body."
I will continue to say that to all these "me too" outsourcing suppliers as long as this body has life left in it.
We don't let engineers audit the accounts, and with good reason.
For the life of me I cannot understand why we let accountants make engineering decisions.
It's fucking crazy.
Friday 9th July 2021 11:21 GMT Doctor Syntax
Friday 9th July 2021 20:09 GMT HildyJ
Sunday 11th July 2021 16:50 GMT Anonymous Coward
Re: Exponentially - explanation
Not true. Zero raised to the zeroth power is usually held to be 1, though admittedly in some branches of mathematics it's considered to be undefined. It's almost certainly not 0. The unreliable source's article on it is moderately informative. Also, zero to any negative power would be infinite (of whatever cardinality any other division by zero is).
Going from level 0 security to 1 would be a very significant improvement!