K.S. Bhaskar via plug on 16 Dec 2020 08:37:39 -0800

Re: [PLUG] OT: SolarWinds


Spot on, Rich. Where we may disagree is that I don't think small companies should be cut any slack.

That said, it's usually the big companies that get cut slack: think of all the people that use Zoom despite the company's established track record of lax security. Or Microsoft… This is just an extension to IT of the decades-old saying, “If you owe the bank $1,000, the bank has you in its power, but if you owe the bank $1,000,000, you have the bank in your power.”

Regards
– Bhaskar

On Wed, Dec 16, 2020 at 6:36 AM Rich Kulawiec via plug <plug@lists.phillylinux.org> wrote:
On Tue, Dec 15, 2020 at 11:50:51AM -0500, Mike Leone via plug wrote:
> We got a SolarWinds notification last night, and this morning, one of my
> co-workers updated to the latest version. 2020-02.1 HF1

Given this:

        Security researcher Vinoth Kumar told Reuters that, last year,
        he alerted the company that anyone could access SolarWinds update
        server by using the password "solarwinds123".

and this:

        Others - including Kyle Hanslovan, the cofounder of Maryland-based
        cybersecurity company Huntress - noticed that, days after
        SolarWinds realized their software had been compromised, the
        malicious updates were still available for download.

both of which are quotes from this:

        Hackers used SolarWinds' dominance against it in sprawling spy campaign
        https://www.reuters.com/article/global-cyber-solarwinds/hackers-at-center-of-sprawling-spy-campaign-turned-solarwinds-dominance-against-it-idUSKBN28P2N8

my recommendation would not be that you update it.  My recommendation
would be that you deinstall it and wipe/reload/restore the system(s)
which were infected with it.

Why?  Three reasons.

First, because these are appalling mistakes.  If they were a tiny startup
or an underfunded nonprofit I could cut them some slack, but they're
a $6B company whose products are installed all over the place.  With great
power comes great responsibility.

Second, because the company that made these mistakes quite likely made
others, equally or more egregious, that we don't know about yet.  I say
that because I've seen this movie before, many times, and it always
ends the same way.

Third, because I wouldn't want to be the person that has to explain --
to management, to auditors, to regulatory agencies, to anybody --
why I kept running software from a company that has already stacked
quite a bit of proof on the table that it's not competent to secure
that software.  *Last* week, before we knew all this, there might
have been some valid excuses.  *This* week there are none.

---rsk
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug