Microsoft Says SolarWinds Hackers Viewed Source Code (cnet.com) 47
The hackers who carried out a sophisticated cyberattack on government agencies in the US and private companies were able to access Microsoft's source code, the company said Thursday. From a report: A Microsoft investigation turned up "unusual activity with a small number of internal accounts" and that "one account had been used to view source code in a number of source code repositories," the company said in a blog post. Microsoft said the account didn't have the ability to modify code and that no company services or customer data was put at risk. "The investigation, which is ongoing, has also found no indications that our systems were used to attack others," the company said.
Microsoft also announced (Score:4, Funny)
Psychiatric Treatments would be available for free, for non-Microsoft employees who may have seen their code.
Re:Microsoft also announced (Score:4, Funny)
This probably ended the hacking spree, since they would've gone insane and then set out on a killing/enmaddening spree, Bird Box-style.
"LOOK AT IT! IT'S BEAUTIFUL! CAN'T YOU SEE!?!?"
Re: (Score:2)
"LOOK AT IT! IT'S BEAUTIFUL! CAN'T YOU SEE!?!?"
The Nezperdian hive-mind of chaos. Zalgo. He Who Waits Behind the Wall. He is an eyeless abomination with seven mouths. His right hand holds a dead star and his left hand holds the Candle Whose Light is Shadow and is stained with the blood of Steve Jobs. Six of his mouths speak in different tongues, Windows NT, Windows 2000, Windows XP, Windows Vista, Windows 8, Windows 10. When the time is right, and Windows 11 is released, the seventh shall sing the song that ends the Earth.
Re:Microsoft also announced (Score:5, Funny)
Re: (Score:2)
Which might be delivered more like Microsoft Psychiatric Treatments 359.
Yeah, right. (Score:2)
Right, totally. Because this whole shitty scenario had nothing to do with your software or systems. I totally and completely believe the above statements. 100%.
Re:Yeah, right. (Score:4, Informative)
But they are correct. It's just that CozyBear found a better place to inject their malware. At SolarWinds. At this point, Microsoft (and its value added resellers, developers, customers, etc.) need to assume that their source code is 'out there' already. And every downstream process needs to be secured from modification as well. Or it's game over.
Re: (Score:2, Insightful)
OR the M$ paid for PR=B$, lobbyist, corporate main stream media blitz and a whole swag of corrupt politicians to blame everything on Russia, Russia, Russia. To avoid the well deserved financial hit for their incompetent security. What do governments and corporations pay M$ for when it comes to security, why nothing more than marketing and bullshit, highly profitable marketing and bullshit, but zero security.
Re: (Score:1)
Right, totally. Because this whole shitty scenario had nothing to do with your software or systems. I totally and completely believe the above statements. 100%.
I mean you can be sarcastic all you want, but that just shows your ignorance. In fact MS and its "software or systems" was designed intentionally with the ability to limit any attack surface from 3rd party management tools like Solarwinds. The problem here stems from Solarwinds being setup in ways that gave it administrator access to machines including DCs either through administrator stupidity or though Solarwinds' own scope growth and instructions to run it with admin privileges.
What next, you run Solarwi
Re: (Score:2)
I don't know if you have ever had experience trying to harden a Windows environment, but the last time I tried, it was hard. The last time I did it was with Windows NT 4.0. Windows NT 4.0 was meant to be hardened, unlike some of the newer versions of Windows. The fundamental problem with the security model was that the CPU would execute anything that got to it, and this hasn't been fixed. The result was that you needed to restrict every executable & DLL on the *NETWORK*. There was also a service wh
Microsoft having a taste of their own medicine (Score:5, Funny)
Microsoft fully embracing open source (Score:5, Funny)
Re:Microsoft fully embracing open source (Score:4)
> Albeit in a non-conventional manner.
And showing why "secret-source security products" is oxymoronic.
Re: (Score:3)
Yeah - only the "bad guys" get to see it, so when are they (intentionally ambiguous) going to put it online?
Re: Microsoft fully embracing open source (Score:4, Funny)
SolarWinds: We found nothing of value in there. Mostly code copied from IBM OS/2, BSD, etc.
And they used what they learned... (Score:4, Funny)
...to create a devastating, and widely-distributed piece of spyware they're calling: "Windows 10".
And they threw up instantly (Score:3)
Oh noes! (Score:2)
Signed,
Linux
P.S.: Maybe they fixed a bug (Like Corona, err, Cortana). Or improved the user experience (Buttons becoming recognizable as such)!
Obfuscation ... (Score:2)
Re: (Score:2)
It is a widely used one though.
aand.. (Score:1, Redundant)
Could not modify code... (Score:4, Insightful)
However, a large volume of patches containing fixes were submitted separately via email, shortly after the breach.
Re: (Score:3)
"Microsoft said the account didn't have the ability to modify code... " However, a large volume of patches containing fixes were submitted separately via email, shortly after the breach.
Hopefully the hackers fixed a few things ...:-)
Absense of Evidence is not Evidence of Absense... (Score:2)
when common sense dictates something is a likely outcome.
"The investigation, which is ongoing, has also found no indications that our systems were used to attack others,"
And the attackers like it that way.
What is the problem ? (Score:2)
The source (every line) of every program on my Linux boxes is available ... but in spite of this they have not been cracked. So does Microsoft rely on security by obscurity [wikipedia.org] ? Maybe these are related to the people who think that you can have encryption back doors that can only be used by friendly governments. [Pick your definition of 'friendly']
Re: (Score:2)
Which would be an entirely different issue to "someone was able to view the source code".
The fact is with linux and other open source code, everyone has equal access to see the code. With closed source software the bad guys have usually obtained access via nefarious means while the good guys cannot view the source due to legal issues. This gives the bad guys an advantage.
Re: (Score:2)
Wish I had mod points.
I'm confused (Score:5, Insightful)
Are we meant to feel sorry for Microsoft, or for the hacker?
Re:I'm confused (Score:5, Funny)
Re: (Score:2)
Premature (Score:4, Insightful)
"The investigation, which is ongoing, has also found no indications that our systems were used to attack others,"
That's somewhat misleading. More accurately it should state that as of time, we've not seen use of the information we didn't properly secure to facilitate creation of exploits of the multiple existing attack vectors on the OS our customers bought to secure their data. As soon as we are aware of any such exploit we will push a security update and prey it doesn't kill too many users computers.
Fuck you don't need an hourglass when every other day you push an update providing even more ''features'' modifying your customers computers.
So, how crappy is that code? (Score:2)
Because that is the real question now. If it is pretty crappy, finding vulnerabilities may be easy. Given what "professional" software engineering these days often looks like, I am not hopeful.
Dozens of vulnerabilities per month (Score:5, Insightful)
Without seeing the source code, every month dozens of vulnerabilities are found in Windows and other Microsoft software. Dozens each and every month. So, it's pretty crappy.
It's about 100 times easier to see the flaws when you can look at the source code, so this should be fun.
Re: (Score:2)
Without seeing the source code, every month dozens of vulnerabilities are found in Windows and other Microsoft software. Dozens each and every month. So, it's pretty crappy.
Yeah except the same can be said for GNU/Linux. If you want to actually look at CVEs you'll see quite quickly that complex systems have bugs. Windows being a kernel, userland libraries and APIs, a GUI, and a web browser you'll find an incredible number of none Microsoft bugs if you limit your search to the Linux Kernel + all the libraries in a Linux OS + X / Wayland + Gnome + Firefox or whatever your browser of choice is.
So really I guess software itself is pretty crappy.
Woodpecker ruin it all (Score:3)
> If builders built houses the way programmers built programs, the first woodpecker to come along would destroy civilization.
Gerald Weinberg wrote "If builders built houses the way programmers built programs, the first woodpecker to come along would destroy civilization".
My life's work is change that. There is absolutely no reason it must be so - we as a species know how to do engineering. We just haven't been applying that knowledge to software in the last 30 years or so. We've taught coding an compute
Ms Source already in the wild (Score:2)
some mounth ag, we got a post here about all the MS source code windows to Office available on the DW. Is it related ?
View? (Score:2)
'View' means copied, you don't need an eidetic memory for that.
I hope they didn't see... (Score:1)
more than one statement at one time.
https://youtu.be/FBWr1KtnRcI?t... [youtu.be]
My God! Itâ(TM)s full of stars! (Score:3)
Hoist by their own petard (Score:2)
It means: body parts were sent flying everywhere when, instead of doing what it was supposed to do, their shitty old cannon blew up in their faces. Capsule summary of the Windows experience.
So ... alll versions of Windows (Score:2)
Which will change anything - how?