[FRIAM] 5 agencies compromised
Marcus Daniels
marcus at snoutfarm.com
Wed Dec 16 11:07:21 EST 2020
Yes, it sounds like they were methodical and patient. Impressive work.
-----Original Message-----
From: Friam <friam-bounces at redfish.com> On Behalf Of u?l? ???
Sent: Wednesday, December 16, 2020 7:06 AM
To: FriAM <friam at redfish.com>
Subject: Re: [FRIAM] 5 agencies compromised
Well, it's one thing to simply screw up a dependency. Any programmer whose participated in a large project has done that at one point or another. But the interesting quote is this:
"Multiple trojanzied updates were digitally signed from March - May 2020 and posted to the SolarWinds updates website, ..."
They were digitally signed. Either they were legitimately signed and the vector is the typical one (humans [ptouie]) or the bad actor (not necessarily human) harvested a secret key and illegitimately signed them. And that's just the signing part. They also had to *post* them, which may well be the easier part. But it still had to be done.
How did they 1) sign the packages and 2) post the packages?
On 12/15/20 12:23 PM, Prof David West wrote:
> Web-based (most software) systems are a complicated Jenga tower of
> dependencies, each one of which provides an access point for
> introducing malware, trojans, viruses, etc. The story of Azer Koçulu
> and how his removal of eight lines of code (left-pad) brought down
> major Web actors and sites
>
>
> https://qz.com/646467/how-one-programmer-broke-the-internet-by-deletin
> g-a-tiny-piece-of-code/
--
↙↙↙ uǝlƃ
- .... . -..-. . -. -.. -..-. .. ... -..-. .... . .-. .
FRIAM Applied Complexity Group listserv
Zoom Fridays 9:30a-12p Mtn GMT-6 bit.ly/virtualfriam un/subscribe http://redfish.com/mailman/listinfo/friam_redfish.com
archives: http://friam.471366.n2.nabble.com/
FRIAM-COMIC http://friam-comic.blogspot.com/
More information about the Friam
mailing list