Rich Freeman via plug on 31 Dec 2020 15:13:01 -0800
Re: [PLUG] OT: SolarWinds
On Thu, Dec 31, 2020 at 4:58 PM Rich Kulawiec via plug <plug@lists.phillylinux.org> wrote:
>
> On Thu, Dec 31, 2020 at 12:25:15PM -0500, Rich Freeman wrote:
> >
> > Are you sure you aren't conflating Office 365 with Azure or something
> > else?
>
> Yes, I'm quite certain.

So, the problem is that you claim you have all this evidence, but you haven't shared any of it.

Look, I'm willing to take your word that you didn't just doctor up your own logs. Just tell me that this IP was part of a brute force attack against you on roughly this date, and per this document that IP was clearly exclusively used by Office365 at that time. However, your description of your evidence is so vague that I can think of a bunch of reasons why it could be misleading. I don't think you're out to deceive the world, but I'm not going to just take your word for it that servers that should be under the exclusive control of the MS corp routinely do ssh brute-force attacks.

> But to paraphrase what I said: if you don't believe me, and it's become
> pretty clear that you won't no matter what I say or what I show you, then
> *do your own homework*. If you do, and if you're diligent and patient
> about it (I've been doing this work since July 2001), then you're eventually
> going to see things much more interesting and/or alarming than this.

Ok, there are two problems here.

First, lots of people make decisions about what products they want to use ALL THE TIME, and most of them come to fairly different conclusions than you. It probably isn't because they're all lazy or incompetent. Most likely they have different priorities.

Second, you mention 2001. That is an ETERNITY ago. Obviously learning from experience is good, but you have to be careful about WHAT you learn from experience. You can't base opinions of companies or their products on observations made decades ago, because these things change quickly. You can't use the Apple Newton as your basis for evaluating the iPad. :)

Companies don't have hearts, souls, or brains. They're just collections of people, and those people turn over all the time. Really what you care about is what a company is going to do in the NEXT few years. At best the past is a useful benchmark, but you can't base evaluations about MS today on what they did with Windows 98.

> I think it's eminently reasonable to suggest that an adversary
> well-resourced and capable enough to help itself to Microsoft's crown
> jewels would really not have much difficulty going anywhere else in their
> operation that they chose to: Office365, Azure, whatever.

So, that isn't necessarily true. If they just hacked into some random person's laptop to steal what that random person had on it, that probably doesn't get them much access beyond it. At work I've seen all sorts of people setting up servers under their desks, and while these sorts of things eventually get taken care of it is a bit of whack-a-mole. Not every host in a company has the same standards for security. I'm sure many sysadmins around here will appreciate that a lot of developers use hosts that are far less controlled than those that are in production. I'm just speaking generically - I don't know the details of this particular attack and it may or may not have provided access to large portions of the company's systems.

However, even if it was the case that MS was completely penetrated, this is basically true of almost every company on Earth at one time or another. If your standard is that you NEVER want to be hacked into, then you're probably going to have to spend 50x more on your infrastructure than you're probably willing to, and you're definitely going to be spending 50x more than your competitors will. You're probably also going to have to give up a lot of conveniences that would make your company (and your competitors) more productive. In the end you might never be hacked, but chances are you won't have anything worth hacking as you head towards bankruptcy.

Security always has to be right-sized, and if you're going to have a fixed budget for your infrastructure, you can often get a lot more security by outsourcing it than doing it all yourself. And really in the case of Office365 there aren't a lot of alternatives, and many of those are just as outsourced. The mail component is probably the one that is most easily done in-house, but companies have been reluctant to deploy FOSS-based email solutions for decades even when they were shouldering 100% of the costs of doing it with Microsoft-based solutions in-house.

I don't administer Office365 or one of its competitors professionally so I can't speak to the pros/cons that tend to sway companies one way vs. another. However, a LOT of large organizations seem to be moving in the MS direction, and there is probably a good reason for that.

--
Rich

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
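The kind of evidence the reply asks for (a source IP seen brute-forcing sshd, and a published range document showing that IP belonged to a given service on that date) can be checked mechanically. The following is an added example, not code from either poster: the sshd log lines and the range document are constructed, the addresses are RFC 5737 documentation addresses, and the service name is a placeholder, not a real Office365 range.

```python
import ipaddress
import re
from datetime import date

# Constructed sshd auth-log sample (not from the original post).
SAMPLE_AUTH_LOG = """\
Dec 28 03:14:07 mail sshd[2213]: Failed password for invalid user admin from 203.0.113.45 port 51822 ssh2
Dec 28 03:14:09 mail sshd[2213]: Failed password for invalid user admin from 203.0.113.45 port 51830 ssh2
Dec 28 03:20:41 mail sshd[2290]: Failed password for root from 198.51.100.7 port 40112 ssh2
"""

# Constructed stand-in for a vendor's published IP-range document. A real
# document would be the vendor's own; these CIDR, service and dates are placeholders.
PUBLISHED_RANGES = [
    {"cidr": "203.0.113.0/24", "service": "example-hosted-service",
     "valid_from": "2020-11-01", "valid_to": "2021-01-31"},
]

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def failed_logins(log_text):
    """Yield (user, source_ip) for every sshd 'Failed password' line."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group(1), ipaddress.ip_address(m.group(2))

def attribute(ip, seen_on, ranges=PUBLISHED_RANGES):
    """Name the service whose published range covered `ip` on `seen_on` (ISO date), else None.
    Both tests matter: a range not published for that date is not evidence for that date."""
    ip = ipaddress.ip_address(ip)
    day = date.fromisoformat(seen_on)
    for r in ranges:
        in_range = ip in ipaddress.ip_network(r["cidr"])
        in_window = date.fromisoformat(r["valid_from"]) <= day <= date.fromisoformat(r["valid_to"])
        if in_range and in_window:
            return r["service"]
    return None

def brute_force_report(log_text, seen_on, threshold=2):
    """Count failures per source IP; report sources at/above threshold with their attribution."""
    counts = {}
    for _user, ip in failed_logins(log_text):
        counts[ip] = counts.get(ip, 0) + 1
    return {str(ip): {"failures": n, "service": attribute(ip, seen_on)}
            for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for ip, info in brute_force_report(SAMPLE_AUTH_LOG, "2020-12-28").items():
        print(ip, info)
```

The report only attributes a source when the address falls inside a range whose publication window covers the observation date; the same address observed outside that window is reported with no attribution.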