back to article SolarWinds urges US judge to toss out crap infosec sueball: We got pwned by actual Russia, give us a break

SolarWinds is urging a US federal judge to throw out a lawsuit brought against it by aggrieved shareholders who say they were misled about its security posture in advance of the infamous Russian attack on the business. Insisting that it was "the victim of the most sophisticated cyberattack in history" in a court filing, …

  1. jason_derp Silver badge

    To be expected

    Welcome to capitalism, f*ckos. Just settle and move on, I don't want to have to read about such an uninteresting case for too long a time.

    1. FILE_ID.DIZ Bronze badge
      Trollface

      Re: To be expected

      What's wrong with capitalism?

      I mean Thoma Bravo could have brought to bear at SolarWinds just a few of their other properties like Sophos and McAfee for end-point protection, Barracuda to filter their internet connections and emails, LogRhythm for SIEM, DynaTrace for application profiling, Connectwise to keep track of the tickets, Flexera[0] to eek out the maximum from their IT investment, Stamps.com to notify everyone of the break-in and JD Power to give someone else an award... or maybe give one to SolarWinds for the scale of the break-in.

      TBH, the stamps.com deal hasn't closed yet. They're still in their "go-shop" phase for another week or so.

      [0] - Yup. The same company that brought us InstallShield.

  2. Sparkus Bronze badge

    Deperate to avoid

    any external look/audit at their spending and development priorities........

    1. TReko
      FAIL

      Re: Deperate to avoid

      or the ftp into the development server that the set the password to "solarwinds123"

  3. Anonymous Coward
    Anonymous Coward

    Sue them into oblivion.

    And take down all the other IT outsourcers who get hacked too.

    Since companies and governments are so stupid that they keep on outsourcing IT, perhaps the courts destroying these incompetent companies will help end that.

    1. Halfmad

      It won't, it'd just create more, smaller ones doing the same thing.

      Monetary penalties which put the C-suite at risk personally would help.

      UK public sector should be mandated to grade procurements with a weighting of cyber security at 20-30%, currently any procurement I've been involved in security is worth at most 5%, in many cases less. While cost will be 40-60% of the weighting.

      All that does is mean we buy cheap insecure products over and over again and then people like me are given the impossible task of trying to manage risks around products we thought were horrendously insecure.

      When companies fail to get business because they are insecure they will start to take it seriously.

  4. elsergiovolador Silver badge

    Precedent

    If the judge falls for that, this could create a business where Russian entities will be claiming they attacked something in exchange for a nice fee in order to help companies avoid being fined for poor security.

    1. Michael Wojcik Silver badge

      Re: Precedent

      Frankly, the motion should be thrown out merely for the "most sophisticated cyberattack in history" claim.

  5. fredblogggs

    can't have it both ways!

    When their communication targets customers they want to reassure, this was all the result of a minor problem involving an intern and a trivially weak password. Nothing to worry about, we fired the intern and replaced the password! When they communicate with a court overseeing a securities fraud case against them, it was the result of an impossibly sophisticated attack by overwhelming state-sponsored forces that they couldn't possibly have even hoped to thwart no matter how much time, effort, and money they might have spent. So we couldn't possibly have defrauded anyone by claiming we were heavily invested in security (the security of OUR SECURITY PRODUCTS) while in fact doing basically nothing.

    Both of these assertions cannot be true. But making them both merely assures everyone that the corporation is full of, and run by, liars. So is either of these statements true? Why should we ever believe anything they tell us? And with that in mind, why should we care whether it goes out of business because its customers all flee or goes out of business because a court fines it billions? As long as they go out of business somehow, I'm fine with it. Die in a fire, shitstains!

    1. Aussie Doc Bronze badge
      Pint

      Re: can't have it both ways!

      ^^^This!

      I came to say the same thing but probably not as eloquently.

      I also wonder if said judges/whomever will be asking the same question.

      Have one on the house - it's beer O' clock here.

  6. anothercynic Silver badge

    Oh no, no no honey, no. They'll have to suck up that lawsuit and deal with it. Just because Russia hacked them does not absolve them from responsibility. Given their client base, you'd have expected SolarWinds to be ultra paranoid... clearly they weren't.

    SUCK. IT. UP. Princess.

    1. Version 1.0 Silver badge

      Given their client base, you'd have expected SolarWinds to be ultra paranoid

      No way, everyone expects them to be profitable - it's not just SolarWInds, you see this everywhere, Security is something that people say they will deal with ... and occasionally they have a go at it but you have to keep the accountants and the sales execs happy if you want to keep your job.

      If you're the PFY, telling the PHB that they need to spend a lot of money while working hard to try and stay safe, means you'll be looking for a new job in most environments.

  7. Anonymous Coward
    Anonymous Coward

    I was expecting to see a client lawsuit, but instead it's shareholders against each other. The shareholders suing are claiming to sue about a failure to protect long term interests of the company. One the one hand - bravo! - a welcome change. On the other hand - is this just more of the same Machiavellian infighting that in the end only rewards lawyers and those who excel at power struggles? - with the companies products and long term interests having nothing to do with it.

    It could be both - then what is the ratio?

    1. fredblogggs

      Yup! Shareholder lawsuits never made a whole lot of sense to me until I thought about them in economic terms.

      Basically what they are suing for is a dividend that should have been paid, consisting of the excess profits the corporation received by not bothering to take security seriously while claiming that they did. Had such a dividend actually been paid, then the shareholders at that time would have already received their money. Instead, because this corporation (like far too many others) doesn't bother to pay dividends at all, the perceived value of the shares was inflated by two factors: the accumulation of cash that ought to have been paid out, and the mistaken belief that they were actually investing in security, meaning that the product/assets would have been worth more than they really were. In other words, people who bought the stock overpaid for it because they believed all that cash sitting on the books was a legitimate profit, and that they would (someday) hopefully get access to it in the form of dividend payments that would also have been higher because the product was more valuable than it really was. That never happened, and because the corporation's managers and directors continued to lie about their investment in security, the market's perception of the value of the shares became artificially high. When it was revealed that the cash sitting on the books reflected underinvestment, the market's perception of the shares' value dropped. Had a dividend payment actually been made, the market would have subtracted that payment from the share price at that time; the market's perception of the shares' value would probably still have declined when the farce was revealed, but (a) that decline would have been smaller because it would have been future prospects being devalued rather than cash already sitting on the books, and (b) the shareholders would already have received a significant portion of the benefits of the farce itself.

      So you end up with shareholders claiming that those who owned and controlled the company before they bought in caused the hiring of managers and directors who both lied about the company's true profits relative to invested capital and also failed to distribute those excess profits to them. So basically they overpaid for what they got because those shareholders didn't properly hold the managers and directors accountable for their operation of the company and disposition of its cash.

      That's the theory, and it's actually quite sensible, until as you point out, the lawyers get involved. Shareholder lawsuits rarely end well, even if the plaintiffs win in court. There seem to be two reasons: first, the prospect of losing more money doesn't seem to be enough incentive for the shareholders to hire honest managers and directors and hold them accountable; second, because outcome of the lawsuit creates no incentive for those managers and directors to operate the company properly. That's largely because (a) means they won't be turfed out if the corporation loses in court, but also because they've already been paid so much money they don't really need any more, and they aren't being held personally liable so they get to keep all of it. The bottom line is that if you want to fix this problem, you need to both make it far easier to pierce the corporate veil and go after managers and directors personally, and you the shareholder need to both refuse to invest in dishonest corporations and demand the firing and prosecution of managers and directors who look after their own interests at the expense of yours. Only when dishonest and slipshod managers and directors lose their life savings and do time in prison will things change. Winning or losing a shareholder lawsuit changes nothing, other than enriching the lawyers and adding yet more boilerplate to the Risks section in the prospectus in the hope that next time around they can just say "can't sue us, we told you that might happen!".

      It's truly depressing and disgusting, and the fact that nothing seems to change makes it easy to understand why people consider violence. Not condoning it necessarily, just understanding it. Because what choice is there but to join the dark side, and ignore your responsibilities as an investor (because taking them seriously has no effect anyway) and try to get the profits you should have gotten all along by filing a lawsuit? And that doesn't work, so...

      1. Doctor Syntax Silver badge

        It still makes no sense. The shareholders are the company - it's a company of shareholders. Unless there are different classes of shares the value they say was being directed to the shares of large shareholders was also directed to the shares of smaller shareholders. The crash in share values that affected them also affected the large shareholders.

        A successful suit involves shareholders' funds being paid to shareholders to compensate them for loss of value plus lawyer's costs. Without the expenses it's shareholders shifting the remaining money from one pocket to another. With the costs..... Can anyone spot who actually makes money out of this?

      2. katrinab Silver badge
        Paris Hilton

        Or, to put it in a much smaller wall of text:

        The shareholders are the company. They own all the assets. The payout will come from the assets they already own. They are suing themselves. The only winners are the lawyers.

  8. amanfromMars 1 Silver badge

    The Honest Gospel Truth

    "It is an unfortunate fact that no company, regardless of its size, competency and resources seems immune to cyber-attacks as evidenced by the recent high-profile breaches."

    Welcome to Narnia ..... where Devils and Daemons are Detailed to Destruction .... or Exhaustion if the Hellish Outcomes can be the Result of Heavenly Experiences.

    Now what part of the Honest Gospel Truth ..... Absolute Security is an Almighty Myth .... would you disagree with and prefer to portray, pimp and pump and dump as a damnable lie?

  9. Will Godfrey Silver badge
    Mushroom

    They deserve to be taken out

    So in the world of finance they'll probably do very well out of this.

  10. Anonymous Coward
    Anonymous Coward

    Maybe they're both right...

    ...you can't really secure against a Nation State attack...

    ...they probably weren't investing much in security anyway.

    1. Anonymous Coward
      Anonymous Coward

      Re: Maybe they're both right...

      That's probably correct.

      The issue is that, at some point, someone is going to be thoroughly compromised despite best endeavours, will get sued anyway and will be able to sustain this kind of defence.

      If that happens a few times, it then becomes a national matter, or at least more so than it already is. But a national response implies some sort of gov intervention in company IT, or in how the Internet is accessed, etc. And that is headed towards fragmentation of the Internet, laws about devops, etc. We may not get there, but yeurk...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021