Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Microsoft Security IT

Microsoft President Calls SolarWinds Hack an 'Act of Recklessness' 87

An anonymous reader shares a report: Of the 18,000 organizations that downloaded a backdoored version of software from SolarWinds, the tiniest of slivers -- possibly as small as 0.2 percent -- received a follow-on hack that used the backdoor to install a second-stage payload. The largest populations receiving stage two were, in order, tech companies, government agencies, and think tanks/NGOs. The vast majority -- 80 percent -- of these 40 chosen ones were located in the US. These figures were provided in an update from Microsoft President Brad Smith. Smith also shared some insightful and sobering commentary on the significance of this almost unprecedented attack. His numbers are incomplete, since Microsoft sees only what its Windows Defender app detects. Still, Microsoft sees a lot, so any difference with actual numbers is likely a rounding error. Smith said: It's critical that we step back and assess the significance of these attacks in their full context. This is not "espionage as usual," even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world. In effect, this is not just an attack on specific targets, but on the trust and reliability of the world's critical infrastructure in order to advance one nation's intelligence agency. While the most recent attack appears to reflect a particular focus on the United States and many other democracies, it also provides a powerful reminder that people in virtually every country are at risk and need protection irrespective of the governments they live under.
This discussion has been archived. No new comments can be posted.

Microsoft President Calls SolarWinds Hack an 'Act of Recklessness'

Comments Filter:
  • by lkcl ( 517947 )

    it also provides a powerful reminder that people in virtually every country are at risk and need protection irrespective of the governments they live under.

    only if they use solarwinds orion software.

    • In this case yes.

      But this is hardly the first hack to ever happen, thus the general point still stands.

      Though it is not so much protection but we would definitely need less bugs in major software systems. Though on protection, secondary systems to detect such intrusions would definitely be a good thing.

    • Re:caveat (Score:5, Interesting)

      by AleRunner ( 4556245 ) on Friday December 18, 2020 @10:33AM (#60844902)

      it also provides a powerful reminder that people in virtually every country are at risk and need protection irrespective of the governments they live under.

      only if they use solarwinds orion software.

      Or they use any software, including SaaS solutions, or administration services which was (in some part) delivered from any company which used solarwinds orion software. Not to mention, since the NSA has potential access to more or less anyone's computers (see Snowen paper titled something like "I hack admins" written up on the Intercept [theintercept.com]) and they hacked the NSA, in principle you should probably basically assume that they had access to everything. Having hacked Microsoft is also pretty much "game over - you win" for the hackers. Imagine if they have something injected into a developer's laptop which is being distributed by auto-updates at this moment. If it was done as a one line obfuscated change to some developer's commit, how would you ever tell?

      • I guess Microsoft needs to review all recent check-ins to their source code repositories that go anywhere near security critical code. Since the time the hackers first got access to Solarwinds Orion. Depending on how long ago that was, it could be a lot of work.

    • Re:caveat (Score:4, Informative)

      by smooth wombat ( 796938 ) on Friday December 18, 2020 @12:24PM (#60845254) Journal
      only if they use solarwinds orion software.

      Not necessarily. The cyber arm of the Department of Homeland Security is now saying some people were compromised without using SolarWinds [cnn.com].

      The agency also acknowledged Thursday that the hackers used "tactics, techniques and procedures that have not yet been discovered," adding that it is continuing to investigate whether, and how, other intrusion methods may have been used since the campaign began months ago.

      Not only isn't SolarWinds required for this incident, the Russians have been accessing thousands of compromised systems for months. And no one knew.

      Why does that sound so familiar [imdb.com]?

      • by Zxern ( 766543 )

        "Tactics, techniques and procedures that have not yet been discovered"

        Like having an inside man, or maybe family with a lot of debt and legal troubles ahead of them, who've been very friendly with Russia....

    • emptor.

  • Perhaps if the people of said countries held their elected officials to higher standards ( or indeed, any standards ), things like this would happen.

    This was indeed an "Act of recklessness", on the part of the admins and other officials who created an environment which allowed such vulnerabilities to propagate. Having worked government, I can already guess that it was a combination of admins who are minimally capable and managers getting their backs scratched. Will anyone be fired for this? Will anyone b

    • by hey! ( 33014 )

      This isn't just affecting governments.

      Government is different only in a matter of degree to private sector. Nobody wants to pay what it would take to attract or train then retain competent IT people -- there just aren't enough to go around.

    • by Nidi62 ( 1525137 )

      Perhaps if the people of said countries held their elected officials to higher standards ( or indeed, any standards ), things like this would happen.

      On that note, we got a statement from the president of Microsoft. What about one from our actual president? Nope? SAD!.

      At least our incoming president made a statement.

      • Re: (Score:2, Interesting)

        by Plugh ( 27537 )
        Yeah Biden talking about stepping up offensive hacking makes me feel much safer that the next administration won't start an actual hot war with Russia.... NOT
        • LOL

          Is that what they're reporting over there, Ivan?

          What he actually said was,

          "I want to be clear: My administration will make cybersecurity a top priority at every level of government -- and we will make dealing with this breach a top priority from the moment we take office," Biden said, pledging to impose "substantial costs on those responsible for such malicious attacks."

          He said you'll face consequences, Ivan. Costs. He didn't tell you what the consequences will be. What the cost will be. You'll have to wait and see.

          That you think the consequences will involve computer networks is "cute," but not meaningful.

          • by Plugh ( 27537 )
            Quoth Biden: [necn.com]

            We need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place

            • You're kidding, right? The full quote from the article that you linked is:

              “We need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place,” he said. “We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners.”

              And if you don't actually think that "disrupting and deterring adversaries from undertaking significant cyberattacks" is a worthwhile endeavor, then how the hell do you justify your position? Are you just an anarchist? The US, among other nations, should just ignore cyberattacks - like the tides, they just happen? That should not be a position worth considering for any nation, Russia (and China) included.

              • by Plugh ( 27537 )
                Defense != offense
              • by DarkOx ( 621550 )

                A Biden administration *might* improve the security posture of federal systems, as right up until it runs of a foul of interfacing with minority owned business or some similar bullshit.

                John Kerry will deliver a nice speech about international cooperation, and setup yet another body of some kind to hand a lot tax dollars to be spent on fine dining and fancy drinks for a staff of his buddies. They will do nothing useful. Some token sanctions agreement that does not bother Putin (if it was actually even Russi

    • Having worked government

      In Soviet Putinstan, Government works YOU!

    • by ceoyoyo ( 59147 )

      Agreed. Remember that time when someone hacked those Iranian centrifuges and ended up spreading a worm through everyone's SCADA systems? We really need to start taking the people of these countries to task for not reigning in their governments.

    • by Anonymous Coward
      This is a bad take. Buying the most popular closed source network monitoring system, used by thousands of organizations, is not something even remotely approaching "recklessness." That's an absurd suggestion.

      Anytime you think "government is the solution", you've misunderstood the nature of the problem...and possibly of governments.

      And anyone who applies these platitudes broadly is an idiot. Because government isn't always the answer doesn't mean it's never the answer.

      • This is a bad take. Buying the most popular closed source network monitoring system, used by thousands of organizations, is not something even remotely approaching "recklessness." That's an absurd suggestion.

        Closed source...used by thousands of high profile organizations....choosing that demonstrates a shocking lack of understanding of IT security. So if it wasn't grossly negligent/reckless, it was pure ignorance.

        Anytime you think "government is the solution", you've misunderstood the nature of the problem...and possibly of governments.

        And anyone who applies these platitudes broadly is an idiot. Because government isn't always the answer doesn't mean it's never the answer.

        At best, government is the best of bad options. At best.

    • by mccrew ( 62494 )

      This was indeed an "Act of recklessness", on the part of the admins and other officials who created an environment which allowed such vulnerabilities to propagate. Having worked government, I can already guess that it was a combination of admins who are minimally capable and managers getting their backs scratched.

      Welcome to Slashdot's longest running game show Blame The Victim! It's the zany show where technology experts try to explain why their products are too difficult to understand and use by regular people, and how it's all the users' fault. I'm your host Mr. McCrew.

      • by Zxern ( 766543 )

        Eh...if you want something secure, you probably don't want to use commercial used by thousands of companies. That allows for thousands of practice runs.

        As much as people like to bash the saying "Security through Obscurity" obscurity does have it's benefits it just shouldn't be the only feature.

  • by geekmux ( 1040042 ) on Friday December 18, 2020 @09:43AM (#60844750)

    Microsoft? Preaching about acts of recklessness? That's fucking cute. We've built entire industries around protecting business from the risks of running Windows.

    It's unfortunate that the Hammer of Hypocrisy is even beyond Thor's ability. Otherwise, it would be wielded with great justification to crush the stupidity of Microsoft Ignorance.

    • by Plugh ( 27537 ) on Friday December 18, 2020 @10:27AM (#60844878) Homepage
      I read your post in Samel Jackson's Pulp Fiction voice and it was mighty
      • I read your post in Samel Jackson's Pulp Fiction voice and it was mighty

        Please. Please. I see him standing over a room of CIOs: "Say 'no budget' again".

      • I read your post in Samel Jackson's Pulp Fiction voice and it was mighty

        I feel honored. My response is hardly worthy.

        Rumor has it he once signed up Lord Vader for a Capital Rebellion limited edition Skywalker credit card. At 12% above galactic prime rate. With 10% of the profits going to the Free Solo project.

        A motherfucking Jedi of an actor indeed.

    • Microsoft? Preaching about acts of recklessness? That's fucking cute. We've built entire industries around protecting business from the risks of running Windows.

      So what you're saying is they are absolute experts as they have the most experience?

      I mean that must be your point, because Slashdot keep hammering home that experience is worth everything.

      • Microsoft? Preaching about acts of recklessness? That's fucking cute. We've built entire industries around protecting business from the risks of running Windows.

        So what you're saying is they are absolute experts as they have the most experience?

        I was more pointing out the painful hypocrisy of Microsoft doing any additional chastising towards a company who discovered a rather serious vulnerability within one of their products that happened to likely impact quite a large and important audience.

        Not unlike what the literal world of business has been painfully enduring for decades now. Virus after vulnerability, bug after worm, crack after hack, trojan after malware...a lot have been primarily built to target Microsoft products, and there are reckless

    • I would have changed the last word to Arrogance, but you win the internet today, well said. Their not really that stupid they just don't give a shit about anyone else.
  • by Anonymous Coward

    The best part is the heat maps published showing the locations of the hacks, basically show *none* for Russia.

    Fucking obvious, much?

  • by Mr. Dollar Ton ( 5495648 ) on Friday December 18, 2020 @09:57AM (#60844786)

    with a bunch of backdoors, but it is "reckless" to use them?

    Fuck off.

    "Security" will not improve unless software companies are liable for their own defects the way every other maker is.

    • by thegarbz ( 1787294 ) on Friday December 18, 2020 @11:27AM (#60845044)

      with a bunch of backdoors, but it is "reckless" to use them?

      Fuck off.

      "Security" will not improve unless software companies are liable for their own defects the way every other maker is.

      It's quite clear now that you don't know at all what happened or what was going on. Hint: No software company released a PoS with a bunch of backdoors. The backdoor was distributed through compromising the software company and pushing it out as an update, and was then subsequently used.

      More reading less angry frothing from the mouth.

      • No software company released a PoS with a bunch of backdoors.

        The backdoor was distributed [to customers by the said software company] pushing it out as an update

        These are exactly equivalent. The fact that somehow the company's own security was shitty enough to be compromised is irrelevant. If your company cannot provide secure updates, it has no business in the security and monitoring business.

        Thanks to apologists like yourself, unprofessional peddlers of bullshit will continue to dominate the software industry and produce and distribute malware-infested crap. Congrats, you're a significant part of the problem.

        • This sort of thing is what happens when management is more concerned with checking boxes than actually securing their data and networks.

          Infosec probably got a policy approved which forced DevOps to install an agent on all of their servers. The agent needs Internet access to send data to the vendor and can also be configured to auto-update itself to save staff time. No one cares about the new attack vector because they got to check a box and passed their security audit.

          I have seen this happen firsthand i

        • These are exactly equivalent.

          Thanks for telling the world that you have no idea about security or risk management. We almost made the mistake of taking what you said seriously.

          • LOL, didn't realize I was talking to the world itself on the very day it was off its meds.

            • The only thing off its meds is your idea of risk management and mitigation. Please let security experts do their job and stop talking shit on the internet.

    • by geekmux ( 1040042 ) on Friday December 18, 2020 @11:31AM (#60845068)

      "Security" will not improve unless software companies are liable for their own defects the way every other maker is.

      While I tend to agree with you, have you considered the actual effects of your demands? This would likely boost an industry alright. The insurance industry.

      Consider how effective your liability battles will be against Google, Oracle, Facebook, Amazon, or any of the other mega-corps left standing after you've decimated an entire "middle class" industry that can no longer afford the liability of being in the software industry. Even if you win, fines and punishments against mega-corps would make our attempts to control the corrupt banking industry look like even more of a joke. Tends to happen when you're a ever-growing portion of the Donor Class.

      Also, think smaller. Would you write software facing the threat of liability? That cool next-gen secure text messaging app caused someone to leak underage photos? Oh boy. The 19-year old coding whiz-kid creator of [insanely popular viral game] serving 10-15 years on mass addiction charges coming from multiple countries? Ouch. Makes the Bali Nine look tame by comparison. And let's not assume our legal industry isn't that stupid. It most certainly is.

      • Yes, I would write software facing the threat of liability. If someone would not because they can't manage, then maybe they have no business writing software today.

        • Yes, I would write software facing the threat of liability. If someone would not because they can't manage, then maybe they have no business writing software today.

          I admire your bravery, but hindsight continues to sustain 20/20 vision. In all honestly, would likely financially "manage" a significant legal threat about as well as the other 99.999% of the population, resulting in the irony of you no longer being in the business of writing software.

          On a related note, the ever-growing insurance mafia might be able to offer you some protecti, er I mean assistance...

          • It is cute that you judge everyone by your stellar standards and competence and find them lacking, but there is this one stubborn fact: all industries that are subject to PL regulations somehow managed to not only survive and thrive, but also churn out safer products, and all that without deficit of distracting noise from people with 20/20 vision, immense predictive powers and enormous abilities, who basically repeated your bullshit when PL laws were being introduced.

            Sorry, but reality appears to disagree w

            • It is cute that you judge everyone by your stellar standards and competence and find them lacking, but there is this one stubborn fact: all industries that are subject to PL regulations somehow managed to not only survive and thrive, but also churn out safer products, and all that without deficit of distracting noise from people with 20/20 vision, immense predictive powers and enormous abilities, who basically repeated your bullshit when PL laws were being introduced.

              Sorry, but reality appears to disagree with y'all.

              Reality, circa 2020: When lawsuits are brought against "regulated" organizations, the end result is often an agreement that includes admitting no fault along with a check for 74 cents to each victim as compensation. IF the fine was large enough (seemingly never is these days), they might consider actually improving on the product. Barely. Most of the time though, defects driven or created by Greed, are and will be financially seen to be worth the risk every time.

              Tobacco. Banking. Automotive. Food.

        • by Zxern ( 766543 )

          No software is ever going to be totally secure. Given enough time there is always a way to break it.

          • What does that have to do with the topic I'm discussing, which is reasonable liability for avoidable defects in software, which are now rampant due to complete lack of responsibility by the so-called "software industry"?

      • This would likely boost an industry alright. The insurance industry.

        Not if insurance wasn't an option. It is if penalties are merely monetary, and targeted at the company's money. The moment they turned criminal, with jail time involved, you'd see very few CEO wanting to risk personally going serving so many years in prison and forfeiture of all their personal property (including any received or to be received insurance) in exchange for no matter how many millions of insurance dollars that'll benefit the company alone.

        In fact, I've defended for years that the whole notion o

  • you have now permission to bomb their building.

    if you can find it.

    /sarcasm
  • The "infrastructure" clearly didn't deserve any trust with or without the hack. You're just mad the reckless endangerment by the people who ran it that way was exposed.
  • Created eh? (Score:5, Insightful)

    by DarkOx ( 621550 ) on Friday December 18, 2020 @10:18AM (#60844842) Journal

    This is not "espionage as usual," even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world.

    It did not create a serious technological vulnerability. The people who built the infrastructure did that! These systems were ALWAYS vulnerable to a supply chain attack like this. I would not go as far as to say they were as vulnerable as the weakest link (solar winds) because many of them did have detective and ex-filtration controls that likely limited what the attackers were able to do and finally resulted in discovery but none the less.

    They did not create any vulnerability. Weakness in the procurement (verifying vendors implement and reliable follow security standards, continued verification), weakness in the audit and validation of delivered components, and weakness in the management installing big binary blob updates rather than tiny audit-able patches that be verified to make exactly the changes stated and only those changes.

    Not saying doing any of these things better/right would be easy or cheap, but suggesting the hackers created the vulnerability is just stupid. If you break into my house because the lock was easily it picked, yes you are the bad actor, I am still the victim, but it does not mean the lock wasnt hot garbage.

  • by Anonymous Coward

    "this is not just an attack on specific targets, but on the trust and reliability of the world's critical infrastructure in order to advance one nation's intelligence agency. "

    Unlike the NSAs prism project.

    fuck off America, someone else is playing your game now, and you're on the receiving end of it.

  • by DeplorableCodeMonkey ( 4828467 ) on Friday December 18, 2020 @10:29AM (#60844890)

    This is not "espionage as usual," even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world.

    And men like this are the sort who point to laws and say "that's why this can't happen." He undoubtedly expects that a piece of paper that Russia signed a long time ago will prevent them from targeting hospitals, power plants, sewage systems, etc. It won't. It also won't stop the Chinese. They literally wrote a manual, called Unrestricted Warfare, that discusses how to destroy whole countries like the US through non-military means like destroying out financial system, utilities, etc.

    Men like this are worse than the generals and admirals that didn't trust radars before Pearl Harbor. That was an unproved technology. These people lack the conceptual model to realize that Russia and China are, in fact, engaged in a literal war with the US but through means that conventional law isn't prepared to handle. They allow hackers to conduct ransomware attacks on hospitals and then reward them with good jobs if they don't get caught. That's not skeezy, that's recruiting men who not only committed a serious moral and legal crime, but saying "we want men who are willing to target civilians."

    • by weeboo0104 ( 644849 ) on Friday December 18, 2020 @10:58AM (#60844970) Journal

      We need to start considering these attacks for what they are, threats to national security.

      Every year, hundreds of millions of dollars are taken from victims from Indian call centers pretending to be the IRS/Microsoft/Social Security/etc. and it has never been taken seriously.

      Vast farms of bots continually attack mobile banking apps and the web to regularly exfiltrate millions of dollars out of accounts.

      SpearPhishing campaigns target users of various online services and even though we know the countries these attacks originate from, nothing is done.

      Even domestically in the US, this hits close to home in my family. My wife and I recently sold our house and about 2 weeks after the house was listed on the market, we started getting State Unemployment debit cards for names of people that never lived at our address. I reported the incidents to the unemployment agency, but their only concern was we not use the cards. The only reason we caught this was because we had put a vacation hold on our mail to make sure the increased traffic to our home didn't result in our own sensitive information being lifted by showing visitors.

      Even then, my wife and I just got notifications this month from the State Unemployment agency (from that same state we don't even live in anymore), that unemployment claims had be entered on our behalf. I reported it immediately and it took 2 WEEKS for someone to reach back out to me to officially "close" the filing. I know my online unemployment ID was compromised because when I reported the fraud, I tried to log into the account I last used over 5 years ago and someone has changed the secret questions used to reset the account password. The unemployment agency rep said their is nothing they could do to close the account and I had to call a separate number that I have yet to successfully connect to a live person.

      Our government needs to wake the hell up and start responding to these types of attacks in kind. Sanctions, Asset Seizures, Account Freezing, or just using good old fashioned intelligence to track the group kingpins and take direct action.

      • Even then, my wife and I just got notifications this month from the State Unemployment agency (from that same state we don't even live in anymore), that unemployment claims had be entered on our behalf. I reported it immediately and it took 2 WEEKS for someone to reach back out to me to officially "close" the filing. I know my online unemployment ID was compromised because when I reported the fraud, I tried to log into the account I last used over 5 years ago and someone has changed the secret questions used to reset the account password. The unemployment agency rep said their is nothing they could do to close the account and I had to call a separate number that I have yet to successfully connect to a live person.

        Sounds like wire fraud to me, which is already a criminal offense. If the agency rep said they cannot do something, maybe the responsible DA is overworked. But in a strictly legal sense, it should be possible to find and prosecute the people who filed the false claim. They may even be some small time US criminals with no connection to foreign actors.

      • Our government needs to wake the hell up and start responding to these types of attacks in kind.

        But that would be big government, something half of the electorate fight against tooth and nail.

  • BIg picture trends (Score:4, Interesting)

    by scamper_22 ( 1073470 ) on Friday December 18, 2020 @12:00PM (#60845172)

    The solar winds hack alerts us to a variety of large trends in the industry. It's just interesting to see how this hack played out.

    1. Auto-update/frequent updates
    Updates are a great way to ensure application are up to date, ironically often for 'security'. Yet the downside is that it gives attackers a way to attack. The latest example I can think is Ubuntu SNAP. I'm just using SNAP as an example here... let's not turn it into a SNAP thread. SNAPs auto-update without a real way to stop that. SNAP developers make a valid claim that they want to make sure devices in the wild are updated with the latest security so they're not vulnerable. Yet, imagine the counter example, some SNAP project is compromised and a build is released containing a hack and it's automatically pushed to users. This is especially concerning as the SNAP store is largely open.

    2. Trust/loyalty
    I don't quite know how the Russian hackers managed to hack the build, but my bet would be an insider. Especially in this global and connected world, one has to ponder loyalty. Who do you hire? Can they be trusted? Can contractors be trusted? How many countries/companies really have full control of their process? Do you have some remote office in a distant land? Maybe through an acquisition. I just did a quick Google of Solar WInds career page and they have offices in the Czech republic, Minsc, Phillipines... That's a large attack surface. Would be pretty easy for a a malicious state actor to find some person in say Minsc to be an inside threat. Or in the case of a global workforce, maybe even someone in the US. We're supposed to believe we're all global citizens with everyone just operating on some basis of a free market and democracy. But that's not the case. I wouldn't expect Iran to trust an American employee. Historically loyalty was so important, it was often met with death if you deviated. Be disloyal to the religious order... death. Disloyal to the king... death. Today, we frown on such loyalty tests. Heck, it's considered immoral to question someone's loyalty.

    • Auto-update/frequent update is an awful trend for so many reasons.

      One of biggest ones is that it reduces the QA burden for developers because they can always just shit out another update to fix what the last one broke, a never ending cycle.

      Then there's the relentless changes initiated for change's sake.

    • by DarkOx ( 621550 )

      Who do you hire? Can they be trusted? Can contractors be trusted? How many countries/companies really have full control of their process? Do you have some remote office in a distant land? Maybe through an acquisition. I just did a quick Google of Solar WInds career page and they have offices in the Czech republic, Minsc, Phillipines... That's a large attack surface.

      Be really really honest about what you just said there!
      Diversity isnt a really a strength, but it often can be a weakness.

  • by Rick Zeman ( 15628 ) on Friday December 18, 2020 @12:29PM (#60845266)

    What did the US president have to say about this hackapalooza?

    Yeah, the above.

  • by whitroth ( 9367 )

    So, how serious a hack has the CIA and/or the NSA executed against Russia in the last couple years?

  • The US has about 3.7 million burglaries per year. Yet houses have back doors, and many are made of glass or other fragile materials. Many people leave them unlocked during the day. Should we talk about how reckless people are to have doors made of glass, with all the burglaries going on? No, of course not!

    Yes, Solar Winds and others should take security seriously. But when security is breached, let's not go after the good guys, let's go after the criminals!

    • by DarkOx ( 621550 )

      I am with you where the commercial space is concerned. It is the governments job after all to 'provide for the common defense' that means it has a legitimate role in finding and stopping these actors when it comes to them preying upon the citizens (and their corporations).

      However when it comes to the government itself well they have the job of being the defenders. You and have can see well "I had locks and I used them" the fact that someone forced them now is matter for law enforcement and the insurance co

      • You are right on all accounts. However, this article isn't discussing hacks against the government, but against a commercial entity (Solar Winds).

        Solar Winds will pay a price in lost trust, for sure. This is similar to how a bank would lose trust if you put your valuables in a safe deposit box, and the bank failed to keep it safe. But we should not penalize Solar Winds because a crime was committed against them, and indirectly, against its customers.

  • ...but on the trust and reliability of the world's Microsoft infrastructure.

    Once again.

  • Recklessness is selling an OS that can be hacked.
  • While I am not aware of details of the hack at this time, this clearly was the result of recklessness and incompetence on the side of those that got hacked and had their software back-doored, i.e. SolarWinds. This business deserves to fail.

    A sound security mind-set never blames the attackers. Of course they are ultimately responsible, but they will always exist and that is outside of your control. Hence you make damned sure your supply-chain is secure. But no, everything has to be cheap these days, no matte

  • by t4eXanadu ( 143668 ) on Friday December 18, 2020 @06:20PM (#60846580)

    Where is the statement from the government condemning the attack? POTUS should absolutely be making statements about this (or Senate and House leaders, for that matter). Maybe they did, but it hasn't been headline news (or I missed it).

    I see Microsoft's point, but they did hack pretty key federal infrastructure. If Capital Hill had been bombed, there would definitely be more statements about it from the leaders of all the branches of the government (assuming they survived).

    And, of course, why the hell are those agencies at the federal government relying on SolarWinds. Cost, I guess. You'd think they would have their own monitoring software that the contractors use.

    I'd say let this be a lesson, but it probably won't be.

Perfection is acheived only on the point of collapse. - C. N. Parkinson

Working...