SolarWinds urges US judge to toss out crap infosec sueball: We got pwned by actual Russia, give us a break SolarWinds is urging a US federal judge to throw out a lawsuit brought against it by aggrieved shareholders who say they were misled about its security posture in advance of the infamous Russian attack on the business. Insisting that it was "the victim of the most sophisticated cyberattack in history" in a court filing, …
What's wrong with capitalism?
I mean Thoma Bravo could have brought to bear at SolarWinds just a few of their other properties like Sophos and McAfee for end-point protection, Barracuda to filter their internet connections and emails, LogRhythm for SIEM, DynaTrace for application profiling, Connectwise to keep track of the tickets, Flexera[0] to eek out the maximum from their IT investment, Stamps.com to notify everyone of the break-in and JD Power to give someone else an award... or maybe give one to SolarWinds for the scale of the break-in.
TBH, the stamps.com deal hasn't closed yet. They're still in their "go-shop" phase for another week or so.
[0] - Yup. The same company that brought us InstallShield.
It won't, it'd just create more, smaller ones doing the same thing.
Monetary penalties which put the C-suite at risk personally would help.
UK public sector should be mandated to grade procurements with a weighting of cyber security at 20-30%, currently any procurement I've been involved in security is worth at most 5%, in many cases less. While cost will be 40-60% of the weighting.
All that does is mean we buy cheap insecure products over and over again and then people like me are given the impossible task of trying to manage risks around products we thought were horrendously insecure.
When companies fail to get business because they are insecure they will start to take it seriously.
When their communication targets customers they want to reassure, this was all the result of a minor problem involving an intern and a trivially weak password. Nothing to worry about, we fired the intern and replaced the password! When they communicate with a court overseeing a securities fraud case against them, it was the result of an impossibly sophisticated attack by overwhelming state-sponsored forces that they couldn't possibly have even hoped to thwart no matter how much time, effort, and money they might have spent. So we couldn't possibly have defrauded anyone by claiming we were heavily invested in security (the security of OUR SECURITY PRODUCTS) while in fact doing basically nothing.
Both of these assertions cannot be true. But making them both merely assures everyone that the corporation is full of, and run by, liars. So is either of these statements true? Why should we ever believe anything they tell us? And with that in mind, why should we care whether it goes out of business because its customers all flee or goes out of business because a court fines it billions? As long as they go out of business somehow, I'm fine with it. Die in a fire, shitstains!
Given their client base, you'd have expected SolarWinds to be ultra paranoid
No way, everyone expects them to be profitable - it's not just SolarWInds, you see this everywhere, Security is something that people say they will deal with ... and occasionally they have a go at it but you have to keep the accountants and the sales execs happy if you want to keep your job.
If you're the PFY, telling the PHB that they need to spend a lot of money while working hard to try and stay safe, means you'll be looking for a new job in most environments.
I was expecting to see a client lawsuit, but instead it's shareholders against each other. The shareholders suing are claiming to sue about a failure to protect long term interests of the company. One the one hand - bravo! - a welcome change. On the other hand - is this just more of the same Machiavellian infighting that in the end only rewards lawyers and those who excel at power struggles? - with the companies products and long term interests having nothing to do with it.
It could be both - then what is the ratio?
Yup! Shareholder lawsuits never made a whole lot of sense to me until I thought about them in economic terms.
Basically what they are suing for is a dividend that should have been paid, consisting of the excess profits the corporation received by not bothering to take security seriously while claiming that they did. Had such a dividend actually been paid, then the shareholders at that time would have already received their money. Instead, because this corporation (like far too many others) doesn't bother to pay dividends at all, the perceived value of the shares was inflated by two factors: the accumulation of cash that ought to have been paid out, and the mistaken belief that they were actually investing in security, meaning that the product/assets would have been worth more than they really were. In other words, people who bought the stock overpaid for it because they believed all that cash sitting on the books was a legitimate profit, and that they would (someday) hopefully get access to it in the form of dividend payments that would also have been higher because the product was more valuable than it really was. That never happened, and because the corporation's managers and directors continued to lie about their investment in security, the market's perception of the value of the shares became artificially high. When it was revealed that the cash sitting on the books reflected underinvestment, the market's perception of the shares' value dropped. Had a dividend payment actually been made, the market would have subtracted that payment from the share price at that time; the market's perception of the shares' value would probably still have declined when the farce was revealed, but (a) that decline would have been smaller because it would have been future prospects being devalued rather than cash already sitting on the books, and (b) the shareholders would already have received a significant portion of the benefits of the farce itself.
So you end up with shareholders claiming that those who owned and controlled the company before they bought in caused the hiring of managers and directors who both lied about the company's true profits relative to invested capital and also failed to distribute those excess profits to them. So basically they overpaid for what they got because those shareholders didn't properly hold the managers and directors accountable for their operation of the company and disposition of its cash.
That's the theory, and it's actually quite sensible, until as you point out, the lawyers get involved. Shareholder lawsuits rarely end well, even if the plaintiffs win in court. There seem to be two reasons: first, the prospect of losing more money doesn't seem to be enough incentive for the shareholders to hire honest managers and directors and hold them accountable; second, because outcome of the lawsuit creates no incentive for those managers and directors to operate the company properly. That's largely because (a) means they won't be turfed out if the corporation loses in court, but also because they've already been paid so much money they don't really need any more, and they aren't being held personally liable so they get to keep all of it. The bottom line is that if you want to fix this problem, you need to both make it far easier to pierce the corporate veil and go after managers and directors personally, and you the shareholder need to both refuse to invest in dishonest corporations and demand the firing and prosecution of managers and directors who look after their own interests at the expense of yours. Only when dishonest and slipshod managers and directors lose their life savings and do time in prison will things change. Winning or losing a shareholder lawsuit changes nothing, other than enriching the lawyers and adding yet more boilerplate to the Risks section in the prospectus in the hope that next time around they can just say "can't sue us, we told you that might happen!".
It's truly depressing and disgusting, and the fact that nothing seems to change makes it easy to understand why people consider violence. Not condoning it necessarily, just understanding it. Because what choice is there but to join the dark side, and ignore your responsibilities as an investor (because taking them seriously has no effect anyway) and try to get the profits you should have gotten all along by filing a lawsuit? And that doesn't work, so...
It still makes no sense. The shareholders are the company - it's a company of shareholders. Unless there are different classes of shares the value they say was being directed to the shares of large shareholders was also directed to the shares of smaller shareholders. The crash in share values that affected them also affected the large shareholders.
A successful suit involves shareholders' funds being paid to shareholders to compensate them for loss of value plus lawyer's costs. Without the expenses it's shareholders shifting the remaining money from one pocket to another. With the costs..... Can anyone spot who actually makes money out of this?
"It is an unfortunate fact that no company, regardless of its size, competency and resources seems immune to cyber-attacks as evidenced by the recent high-profile breaches."
Welcome to Narnia ..... where Devils and Daemons are Detailed to Destruction .... or Exhaustion if the Hellish Outcomes can be the Result of Heavenly Experiences.
Now what part of the Honest Gospel Truth ..... Absolute Security is an Almighty Myth .... would you disagree with and prefer to portray, pimp and pump and dump as a damnable lie?
That's probably correct.
The issue is that, at some point, someone is going to be thoroughly compromised despite best endeavours, will get sued anyway and will be able to sustain this kind of defence.
If that happens a few times, it then becomes a national matter, or at least more so than it already is. But a national response implies some sort of gov intervention in company IT, or in how the Internet is accessed, etc. And that is headed towards fragmentation of the Internet, laws about devops, etc. We may not get there, but yeurk...
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
