Re: Security breach at multiple Federal agencies via SolarWinds
- To: berkeleylug@googlegroups.com
- Subject: Re: Security breach at multiple Federal agencies via SolarWinds
- From: Rick Moen <rick@linuxmafia.com>
- Date: Thu, 17 Dec 2020 18:35:14 -0800
- In-reply-to: <CAF+xKT6KGEwHM9LXHosgjgybaX-ZPkxXajMzY=oDbwdkd0jx7Q@mail.gmail.com>
- List-archive: <https://groups.google.com/group/berkeleylu>
- List-help: <https://groups.google.com/support/>, <mailto:berkeleylug+help@googlegroups.com>
- List-id: <berkeleylug.googlegroups.com>
- List-post: <https://groups.google.com/group/berkeleylug/post>, <mailto:berkeleylug@googlegroups.com>
- List-subscribe: <https://groups.google.com/group/berkeleylug/subscribe>, <mailto:berkeleylug+subscribe@googlegroups.com>
- List-unsubscribe: <mailto:googlegroups-manage+61884646931+unsubscribe@googlegroups.com>, <https://groups.google.com/group/berkeleylug/subscribe>
- Mailing-list: list berkeleylug@googlegroups.com; contact berkeleylug+owners@googlegroups.com
- Organization: If you lived here, you'd be $HOME already.
- References: <d09145ca-6392-4db8-8e55-11f352d847c6n@googlegroups.com> <20201217191540.GI28791@linuxmafia.com> <CAF+xKT6KGEwHM9LXHosgjgybaX-ZPkxXajMzY=oDbwdkd0jx7Q@mail.gmail.com>
- Reply-to: berkeleylug@googlegroups.com
- Sender: berkeleylug@googlegroups.com
- User-agent: Mutt/1.5.20 (2009-06-14)
Quoting Alan Davis (alan3davis@gmail.com):
> My naive perspective runs something like this:
> the human brain evolved to
> solve problems, not so much for engineering air-tight systems, despite our
> self-portrayal as a species apart. Consequently, any system created by
> humans will suffer from our inability to perceive all possible aspects and
> vulnerabilities....
Yeah, that's really not what you generally find. You find people /
organisations who mess up very fundamental things, and then major
collapses follow logically, and then the people / organisations point
fingers energetically in every _other_ direction.
> With regard to cyber-security, vis-à-vis breaches such as this---beside
> issues about proprietary software being inherently untrustworthy because it
> cannot be brainstormed, but seeks profit and/or security through
> obfuscation
The proprietary software legal model doesn't necessitate obfuscation.
Although most proprietary software happens to be binary-only for various
business and practical reasons, it's perfectly feasible to sell licences
to proprietary software with full source code visibility and build
instructions/tools granted to customers, or even to everyone.
For example, quite a few proprietary implementations of crypto are
published with source code visibility, so outside experts can audit
them, making them more trustworthy to skeptical customers.
The central problem of proprietary code is actually _futureproofing_.
In a nutshell, it's about everyone, not just someone, having the right
to keep developing the code and using it for any purpose.
Let me give you an example: John Bradley's neat little tool 'xv' for
displaying and modifying graphics files on X11 Unixes was brilliant.
It probably still is. In early days of Linux (90s), there was nothing
better. It was small, fast, intuitive, robust, scripting-friendly (so
you could use it to, say, generate thumbnails from a directory of
thousands of files) -- and it came with full (small) C source code,
which anyone is permitted to distribute in unmodified form.
However: (1) John wants you to send him $35 if you use it and find it
useful, on the honour system. For personal use, this is merely
requested. For commercial/government/institutional use, it's required.
(2) Nobody else is granted the legal right to distribute modified
versions of xv.
John's most recent release was v. 3.10a, a quarter-century ago; it's
been abandonware since then. About two dozen people have sent John
fixes, which he's kind enough to make publicly available as source code
patches, but he isn't producing new versions. And, because he never
gave other people the legal right to distribute modified versions of xv,
nobody else can step in and release v. 3.11, no matter how many people
still love the program.
That's what I mean by no futureproofing. One guy had veto power over
whether the program ever got a new release, and all he had to do was
stop doing anything, and the program died. End of story.
> I am reminded of the advice that a computer system is only
> secure when it is locked with a meat-space lock and key.
This sounds plausible if you don't know much about computer/network
security, and it leads to low standards and tolerance for massive
screw-ups -- worse, to not even bothering to figure out the substance of
what happened in a security incident. I politely disagree.
> We should not be surprised when breaches occur.
OK, here's a thing: Do any of your doors have locks? Your bicycles?
Your other vehicles?
Would you be surprised if all of those locks suddenly ceased to work and
everything you own got stolen?
> Finger pointing is futile.
Suppose the above happened, except it was just your Kryptonite brand
locks that suddenly ceased to work, all your other locks worked just
fine, and your family's bicycles and motorcycles got stolen. Would you
think it 'futile' to learn from experience and be dubious of that
company's competence?
> This morning I stumbled upon a podcast on Weekday Radio about a serious
> nuclear accident at Humboldt power station. The HBO series _Chernobyl_: is
> it pertinent to the (in)actions of SolarWinds?
Does Betteridge's Law apply here? ;->
http://betteridgeslaw.com/
--
You received this message because you are subscribed to the Google Groups "BerkeleyLUG" group.
To unsubscribe from this group and stop receiving emails from it, send an email to berkeleylug+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/berkeleylug/20201218023514.GM28791%40linuxmafia.com.