By John Gruber
Reuters, last week:
On Monday, SolarWinds confirmed that Orion - its flagship network management software - had served as the unwitting conduit for a sprawling international cyberespionage operation. The hackers inserted malicious code into Orion software updates pushed out to nearly 18,000 customers. And while the number of affected organizations is thought to be much more modest, the hackers have already parlayed their access into consequential breaches at the U.S. Treasury and Department of Commerce. […]
In one previously unreported issue, multiple criminals have offered to sell access to SolarWinds’ computers through underground forums, according to two researchers who separately had access to those forums. […] Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds’ update server by using the password “solarwinds123”.
“This could have been done by any attacker, easily,” Kumar said.
Mistakes happen. That simple axiom is sometimes at the heart of seemingly stupid security breaches. But setting an important password to “companyname123” isn’t a mistake, it’s just malpractice. Like a doctor deciding to perform surgery using kitchen shears. And being warned about it and ignoring it? It’s hard to comprehend. So one thing I’ve been thinking about this SolarWinds company is that maybe they’re no good at security at all. That what they’re good at is just selling themselves to big corporate and government clients as being good at security. There are a lot of successful consulting companies — security-related or otherwise — who are no good at all on the actual consulting part, but are very good at the selling their services part, to clients who don’t know the difference between bullshit and expertise.
Here’s a report today from Ryan Gallagher at Bloomberg*, suggesting exactly that:
Thornton-Trump, as well as a former SolarWinds software engineer who talked to Bloomberg News, said that given the cybersecurity risks at the company, they viewed a major breach as inevitable. Their concerns about SolarWinds are shared by several cybersecurity researchers, who discovered what they described as glaring security lapses at the company, whose software was used in a suspected Russian hacking campaign.
“My belief is that from a security perspective, SolarWinds was an incredibly easy target to hack,” said Thornton-Trump, now the chief information security officer at threat intelligence firm Cyjax Ltd.
I’m not suggesting that SolarWinds might be a fraud in the way that buying an expensive “super secure” smartphone and getting a box containing a heavy rock inside instead of a phone is a fraud. More like buying a purportedly “super secure” smartphone and getting a crappy phone with confusing “security” software installed on it that really doesn’t do anything useful and may in fact be less secure.
Stephen Nellis, Norihiko Shirouzu, and Paul Lienert, reporting for Reuters:
Apple Inc. is moving forward with self-driving car technology and is targeting 2024 to produce a passenger vehicle that could include its own breakthrough battery technology, people familiar with the matter told Reuters. […]
As for the car’s battery, Apple plans to use a unique “monocell” design that bulks up the individual cells in the battery and frees up space inside the battery pack by eliminating pouches and modules that hold battery materials, one of the people said.
Apple’s design means that more active material can be packed inside the battery, giving the car a potentially longer range. Apple is also examining a chemistry for the battery called LFP, or lithium iron phosphate, the person said, which is inherently less likely to overheat and is thus safer than other types of lithium-ion batteries.
“It’s next level,” the person said of Apple’s battery technology. “Like the first time you saw the iPhone.”
My favorite story about the Apple car project — from before the reset heralded by the return of Doug Field — is that they actually had a concept for an Apple-designed and branded car. And they added it all up and it turned out to be so embarrassingly expensive that they had to seriously hit the reset button. That’s the way it goes, no shame in that.
I’m quite certain that Apple has a very talented team, a division even, working their asses off on this, and might well come up with the iPhone of cars. But I’ll take all Project Titan related news with a grain of salt until we see something real.