[HN Gopher] An Update on SolarWinds
___________________________________________________________________
An Update on SolarWinds
Author : ingve
Score : 161 points
Date : 2021-01-08 15:56 UTC (7 hours ago)
(HTM) web link (blog.jetbrains.com)
(TXT) w3m dump (blog.jetbrains.com)
| caleb-allen wrote:
| Here is an update for January 8:
|
| https://blog.jetbrains.com/blog/2021/01/08/january-8th-updat...
| proales wrote:
| So whats the chance they got owned so hard that they dont even
| know they got owned?
| hikerclimber wrote:
| hopefully you got compromised.
| vorpalhex wrote:
| > Our IDEs are standalone tools and bear no relation to TeamCity,
| other than the fact that we use our own installation of TeamCity
| to build them.
|
| It sort of seems like a compromised CI pipeline would allow an
| attacker to do all kinds of interesting things to your
| distributed binaries...
| swsieber wrote:
| True, but it wasn't JetBrains's CI pipeline that was
| compromised.
| colonelpopcorn wrote:
| But if they have a vulnerability that SolarWinds has not yet
| disclosed, they could very well be distributing compromised
| software.
| foolmeonce wrote:
| Everything has a vulnerability that Solarwinds hasn't
| disclosed. What is the logic in focusing on this extremely
| unique choice? A plan by a government wants to spearfish
| developers at every enterprise software company to find 1+
| ways in to their clients and should have chosen something
| universal. Without any apparent data, it seems more likely
| the suspicion is just speculation because it is less common
| than email clients, legacy browsers, dev-servers, common
| libraries, etc.
|
| I.e. because no one else found this intruder the crap
| software that everyone uses must be safe?
| sudhirj wrote:
| Yes, but that's a big if. It's also simply possible that
| Solarwinds has their TeamCity admin account password set to
| 'password' and accessible on a public network.
| vorpalhex wrote:
| Right, and we don't know, which means we should audit
| aggressively and assume these things may still be open
| attack vectors. You don't hang out with the backdoor open
| waiting for your friend to let you know.
| marcosdumay wrote:
| I guess that's why they said that they are auditing
| aggressively their CI tool.
| zinekeller wrote:
| ... actually, SolarWinds used "solarwinds123" on their
| FTP site.
|
| Which is stored on a publicly-accessible GitHub
| repository.
|
| (Source: https://www.theregister.com/2020/12/16/solarwind
| s_github_pas...)
| bonfire wrote:
| Poor CEO, be dragged through this for nothing..
| CodeWriter23 wrote:
| These stories JetBrains is defending against are sadly what
| passes as "Jounalism" in our society.
| compil3 wrote:
| That's why the laws that protect them need to be either changed
| or revoked. JetBrains should have 100% legal ability to sue the
| New York Times for slander.
| protomyth wrote:
| _New York Times Co. v. Sullivan_ is the case that pretty much
| prevents that unless it is beyond blatant. A decision or law
| to tighten the scope that decision would probably improve the
| public discourse dramatically in an era where the correction
| never comes close to the distribution of the original lie.
| solidasparagus wrote:
| Not really, it would just put the onus of deciding the
| truth onto the court systems, which doesn't sound great.
| JetBrains can't prove they weren't the underlying
| vulnerability so I have a hard time seeing any world where
| they would be able to successfully sue The New York Times
| here.
| aNoob7000 wrote:
| The problem is newspapers and journalists would be killed
| with a change in the law, and let TV "news" commentators
| like Tucker Carlson and Rachel Maddow to continue saying
| whatever they want.
|
| The problem is that the line between news and commentary at
| this time is blurred. Hell; we can't even agree on what is
| true anymore just look no further than the election fraud
| claims made by the President of the United States.
| protomyth wrote:
| I would be more sympathetic to newspapers and journalists
| if they were neutral observers, but as you say, the line
| between news and commentary is blurred and it seems
| everyone in media has picked a side. I think forcing
| these papers to do some basic fact checking would slow
| down the "must report first and damn the facts"
| mentality. The thinning or elimination of the fact
| checking people was the canary in the coal mine.
| VHRanger wrote:
| If the NYT caused their valuation to crash then they have a
| case
| andrewem wrote:
| The UK had laws which were much more favorable to people who
| sue alleging slander or libel, and they caused significant
| problems which led to their being substantially changed.
|
| https://en.m.wikipedia.org/wiki/English_defamation_law
|
| Edit to note: the kinds of changes you're suggesting seem
| great when the plaintiff is a small company suing the New
| York Times, but what about when a very large company sues a
| small newspaper or blog?
| diebeforei485 wrote:
| From the January 8 posting:
|
| > we would like to inform you that we have proactively reached
| out and spoken to the US Department of Justice, and have offered
| them our full cooperation in this matter
|
| So what exactly did the NYT and WSJ get wrong here?
| jhawk28 wrote:
| They were implying that jetbrains was "in" on the hack.
| 2OEH8eoCRo0 wrote:
| Wrong. From NYT
|
| >Officials are investigating whether the company, founded by
| three Russian engineers in the Czech Republic with research
| labs in Russia, was breached and used as a pathway for
| hackers to insert back doors into the software of an untold
| number of technology companies
| hprotagonist wrote:
| translation: "hell no, you are not throwing US under the bus for
| your idiocy!"
___________________________________________________________________
(page generated 2021-01-08 23:01 UTC)