Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Microsoft Security IT

Microsoft Says SolarWinds Hackers Viewed Source Code (cnet.com) 47

The hackers who carried out a sophisticated cyberattack on government agencies in the US and private companies were able to access Microsoft's source code, the company said Thursday. From a report: A Microsoft investigation turned up "unusual activity with a small number of internal accounts" and that "one account had been used to view source code in a number of source code repositories," the company said in a blog post. Microsoft said the account didn't have the ability to modify code and that no company services or customer data was put at risk. "The investigation, which is ongoing, has also found no indications that our systems were used to attack others," the company said.
This discussion has been archived. No new comments can be posted.

Microsoft Says SolarWinds Hackers Viewed Source Code

Comments Filter:
  • by bobstreo ( 1320787 ) on Thursday December 31, 2020 @03:09PM (#60883070)

    Psychiatric Treatments would be available for free, for non-Microsoft employees who may have seen their code.

  • Microsoft said the account didn't have the ability to modify code and that no company services or customer data was put at risk. "The investigation, which is ongoing, has also found no indications that our systems were used to attack others," the company said.

    Right, totally. Because this whole shitty scenario had nothing to do with your software or systems. I totally and completely believe the above statements. 100%.

    • Re:Yeah, right. (Score:4, Informative)

      by PPH ( 736903 ) on Thursday December 31, 2020 @03:52PM (#60883204)

      But they are correct. It's just that CozyBear found a better place to inject their malware. At SolarWinds. At this point, Microsoft (and its value added resellers, developers, customers, etc.) need to assume that their source code is 'out there' already. And every downstream process needs to be secured from modification as well. Or it's game over.

    • Re: (Score:2, Insightful)

      by rtb61 ( 674572 )

      OR the M$ paid for PR=B$, lobbyist, corporate main stream media blitz and a whole swag of corrupt politicians to blame everything on Russia, Russia, Russia. To avoid the well deserved financial hit for their incompetent security. What do governments and corporations pay M$ for when it comes to security, why nothing more than marketing and bullshit, highly profitable marketing and bullshit, but zero security.

    • Right, totally. Because this whole shitty scenario had nothing to do with your software or systems. I totally and completely believe the above statements. 100%.

      I mean you can be sarcastic all you want, but that just shows your ignorance. In fact MS and its "software or systems" was designed intentionally with the ability to limit any attack surface from 3rd party management tools like Solarwinds. The problem here stems from Solarwinds being setup in ways that gave it administrator access to machines including DCs either through administrator stupidity or though Solarwinds' own scope growth and instructions to run it with admin privileges.

      What next, you run Solarwi

      • I don't know if you have ever had experience trying to harden a Windows environment, but the last time I tried, it was hard. The last time I did it was with Windows NT 4.0. Windows NT 4.0 was meant to be hardened, unlike some of the newer versions of Windows. The fundamental problem with the security model was that the CPU would execute anything that got to it, and this hasn't been fixed. The result was that you needed to restrict every executable & DLL on the *NETWORK*. There was also a service wh

  • by xack ( 5304745 ) on Thursday December 31, 2020 @03:17PM (#60883104)
    It's not hacking, it is reverse telemetry.
  • by JoeyRox ( 2711699 ) on Thursday December 31, 2020 @03:17PM (#60883106)
    Albeit in a non-conventional manner.
  • by jddj ( 1085169 ) on Thursday December 31, 2020 @03:21PM (#60883124) Journal

    ...to create a devastating, and widely-distributed piece of spyware they're calling: "Windows 10".

  • by OneHundredAndTen ( 1523865 ) on Thursday December 31, 2020 @03:23PM (#60883140)
    Wouldn't they?
  • Signed,

    Linux

    P.S.: Maybe they fixed a bug (Like Corona, err, Cortana). Or improved the user experience (Buttons becoming recognizable as such)!

  • ... is not a legitimate method for security.

  • aand.. (Score:1, Redundant)

    by codevark ( 1070362 )
    ..immediately vomited themselves to death. srsly, what did you expect?
  • by ItsJustAPseudonym ( 1259172 ) on Thursday December 31, 2020 @03:58PM (#60883224)
    "Microsoft said the account didn't have the ability to modify code..."

    However, a large volume of patches containing fixes were submitted separately via email, shortly after the breach.
    • "Microsoft said the account didn't have the ability to modify code... " However, a large volume of patches containing fixes were submitted separately via email, shortly after the breach.

      Hopefully the hackers fixed a few things ...:-)

  • when common sense dictates something is a likely outcome.
    "The investigation, which is ongoing, has also found no indications that our systems were used to attack others,"
    And the attackers like it that way.

  • The source (every line) of every program on my Linux boxes is available ... but in spite of this they have not been cracked. So does Microsoft rely on security by obscurity [wikipedia.org] ? Maybe these are related to the people who think that you can have encryption back doors that can only be used by friendly governments. [Pick your definition of 'friendly']

  • I'm confused (Score:5, Insightful)

    by Pimpy ( 143938 ) on Thursday December 31, 2020 @04:29PM (#60883328)

    Are we meant to feel sorry for Microsoft, or for the hacker?

  • Premature (Score:4, Insightful)

    by fred911 ( 83970 ) on Thursday December 31, 2020 @04:29PM (#60883330) Journal

    "The investigation, which is ongoing, has also found no indications that our systems were used to attack others,"

    That's somewhat misleading. More accurately it should state that as of time, we've not seen use of the information we didn't properly secure to facilitate creation of exploits of the multiple existing attack vectors on the OS our customers bought to secure their data. As soon as we are aware of any such exploit we will push a security update and prey it doesn't kill too many users computers.

    Fuck you don't need an hourglass when every other day you push an update providing even more ''features'' modifying your customers computers.

  • Because that is the real question now. If it is pretty crappy, finding vulnerabilities may be easy. Given what "professional" software engineering these days often looks like, I am not hopeful.

    • by raymorris ( 2726007 ) on Thursday December 31, 2020 @06:02PM (#60883580) Journal

      Without seeing the source code, every month dozens of vulnerabilities are found in Windows and other Microsoft software. Dozens each and every month. So, it's pretty crappy.

      It's about 100 times easier to see the flaws when you can look at the source code, so this should be fun.

      • Without seeing the source code, every month dozens of vulnerabilities are found in Windows and other Microsoft software. Dozens each and every month. So, it's pretty crappy.

        Yeah except the same can be said for GNU/Linux. If you want to actually look at CVEs you'll see quite quickly that complex systems have bugs. Windows being a kernel, userland libraries and APIs, a GUI, and a web browser you'll find an incredible number of none Microsoft bugs if you limit your search to the Linux Kernel + all the libraries in a Linux OS + X / Wayland + Gnome + Firefox or whatever your browser of choice is.

        So really I guess software itself is pretty crappy.

        • > If builders built houses the way programmers built programs, the first woodpecker to come along would destroy civilization.

          Gerald Weinberg wrote "If builders built houses the way programmers built programs, the first woodpecker to come along would destroy civilization".

          My life's work is change that. There is absolutely no reason it must be so - we as a species know how to do engineering. We just haven't been applying that knowledge to software in the last 30 years or so. We've taught coding an compute

  • some mounth ag, we got a post here about all the MS source code windows to Office available on the DW. Is it related ?

  • 'View' means copied, you don't need an eidetic memory for that.

  • more than one statement at one time.

    https://youtu.be/FBWr1KtnRcI?t... [youtu.be]

  • by VaccinesCauseAdults ( 7114361 ) on Friday January 01, 2021 @05:27AM (#60884340)
    Reference to the widespread use of raw C and ancient style C++ within Microsoft. (With a nod to 2001.)
  • It means: body parts were sent flying everywhere when, instead of doing what it was supposed to do, their shitty old cannon blew up in their faces. Capsule summary of the Windows experience.

  • ... and Office, and no doubt other stuff, can now be considered, in the words of Edsger Dijkstra, "harmful".

    Which will change anything - how?

Every program is a part of some other program, and rarely fits.

Working...