Who knew Uncle Sam had strike teams for SolarWinds, Exchange flaws? Well, anyway, they are disbanded The US government's response groups for dealing with recent SolarWinds and Microsoft Exchange vulnerabilities have reached the end of the road. In a statement on Monday, US Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger said the two Unified Coordination Groups (UCGs) formed in January and …
Citation please ? Where are the numbers that support this conclusion ?
It's not because you finally patched two Department Of Defense servers that were waiting for that since 1995 that all of a sudden the numbers of victims have vastly decreased. And it's not because Microsoft and other vendors are publishing patches regularly that anything changes.
SolarWinds123 was not a patching problem, it was a bloody fucking stupid security problem that never should have happened in the first place.
They've eliminated a government program to protect computer systems, probably at the behest of NSA who runs government programs to undermine computer security. Why pay for both?
Also, why do you feel a citation is needed in a government press release. The reasons given are almost certainly not the real ones.
You are reading that wrong, or wilfully misunderstanding what you read.
Admins have patched SolarWinds installs to remove the malware code, reducing the number of active victims.
Nothing to do with DoD, MS, vendor patch publishing practices, 5G, Covid or Billy Gates.
They did not claim that the SolarWinds hack was caused by a lack of patches but to remove the malware you need to install a patch, duh. (or competely remove SolarWinds but I doubt many organisations who rely on it can do that quickly)
This is not a declaration of surrender, nor is it an indication of cuts in staff or budget.
The two task groups were focused on two specific hacks for which patches have been published along with procedures, detection software, and some removal software. Beyond the FBI's warrant to remove certain instances (which has been discussed elsewhere in these forums). Under current laws and regulations they have nothing else that they can do.
The staff and budget are going back to to their CISA work.
Will there be zero day attacks in the future? Yes.
Does the NSA know about many of them already? Yes.
Will the NSA tell anybody? No.
Can developers be punished by the Feds for bad code? No.
Can companies be punished by the Fed for not patching code? No.
The problem will be with us always.
Ed Skoudis spoke thusly: "It’s a really hard problem to solve given the complexity of modern software development environments..."
*
Maybe Ed should do a bit of historical research. One 1984 item (yup....1984) which he could read and ponder on is here:
Link: https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf
I'm sure that the people responsible for the SolarWinds debacle have been through Ken THompson's essay a few times!!!
Maybe Ed should have left the word "modern" out of his statement?
.... and the blessings in the course of the curse
At the same, Skoudis remains concerned that improved response capabilities won't help detect or prevent attacks of this sort."It’s a really hard problem to solve given the complexity of modern software development environments and the subtlety of very advanced nation-state attackers," he said.
Now that is certainly a clear prime jackpot prize winner for any understatement of the week/month/year prize.
And regarding the inherent dangers and difficulties in complex subtleties, whenever some great defenders are also to be routinely suspected and treated as possible stealthy renegade rogue agents and feared as almighty attackers, what lessons do you imagine are not learned, and what irreparable damage to vulnerable vital security apparatus results should fabulous creative intentions be maliciously imagined and subsequently construed and acted upon, either wantonly or accidentally and unintentionally, as being of malignant contention ....... with the always abiding danger and difficulty being in such scenarios, that they can be so, just as easily as not be so.
For example, and this is a heads up on a current investigation into such virtual matters as may definitely definitively practically matter, what would you reasonably think of the following missive and quoted text from/for a space/place elsewhere here, ..... Seizure of Satellites Presented as Option to Defend U.S. Spacecraft .... which at the time of this posting, is yet to appear for public peer review there .....
Please be made very aware that is far too much like a "I'm sorry, Dave. I'm afraid I can't do that" situation, to not be one, which would then result in a manic series of totally unforeseen and non-contributable reactions .......... which some would be realising was a Simply Enriching NEUKlearer HyperRadioProACTive IT just doing its AI Thing ...... fortuitously advising there be no prisoners allowed for the taking, so 'tis best to immediately bin that errant notion proposing engaging disabling motions.
Does it advise and encourage and seek to creatively engage on constructive defence parameters or forewarn of incoming hostile systems attacks only to be held in abeyance on the generous grateful payment of danegeld ransoms akin to royal fortunes ...... which appears to the traditional conventional human default way of dealing with all of those strange types of events/incidents/opportunities
However, quite whether such would solve such a really hard problem or merely ensure it remains practically non problematical until such times as places and spaces in the future can better resolve and render the enigma benign and non-catastrophically destructive, is surely all that one can immediately achieve and enjoy and employ and entertain and regard as an outstandingly pragmatic success.
> solve such a really hard problem or merely ensure it remains practically non problematical until such times as places and spaces in the future can better resolve and render the enigma benign and non-catastrophically destructive
Oh, hello GPT-3...
"It’s a really hard problem to solve given the complexity of modern software development environments and the subtlety of very advanced nation-state attackers," he said."
Well, that settles it then. As a mere citizen and daily computer and internet user, I can only conclude that we're all well and truly plucked.
Back to sleep, then. Nothing's changed.
Lessons learned and mission accomplished, apparently ...... Thomas Claburn in San Francisco
Rather than crazy fun and cracker games and the strangest of almighty shenanigans only just getting started, Thomas? Don't be putting any money you can't afford to lose betting on that not being the true and honest novel nature of the future in humanised virtualised realities at the human animal/virtual machine interface.
Quote: "The paranoid is a person who knows a little about what is going on." William Burroughs
*
New perspective:
1. Review SolarWinds hack
2. Review the Ken Thomson paper (1984) : https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf
So..................... Rewrite the William Burroughs quote thusly:
- "The paranoid is a person who knows that the usual paranoia is simply not enough paranoia about what is going on."
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
