FireEye, a cybersecurity firm, revealed last week that unknown parties had penetrated its network and that its clients, including the US Government, were at risk. Bruce Schneier has technical details about the attack. Former Homeland Security Adviser Thomas Bossert lays out the scope of it:
The attackers gained access to SolarWinds software before updates of that software were made available to its customers. Unsuspecting customers then downloaded a corrupted version of the software, which included a hidden back door that gave hackers access to the victim’s network.
This is what is called a supply-chain attack, meaning the pathway into the target networks relies on access to a supplier. Supply-chain attacks require significant resources and sometimes years to execute. They are almost always the product of a nation-state. Evidence in the SolarWinds attack points to the Russian intelligence agency known as the S.V.R., whose tradecraft is among the most advanced in the world.
According to SolarWinds S.E.C. filings, the malware was on the software from March to June. The number of organizations that downloaded the corrupted update could be as many as 18,000, which includes most federal government unclassified networks and more than 425 Fortune 500 companies.
The magnitude of this ongoing attack is hard to overstate.
The Russians have had access to a considerable number of important and sensitive networks for six to nine months. The Russian S.V.R. will surely have used its access to further exploit and gain administrative control over the networks it considered priority targets. For those targets, the hackers will have long ago moved past their entry point, covered their tracks and gained what experts call “persistent access,” meaning the ability to infiltrate and control networks in a way that is hard to detect or remove.
The logical conclusion is that we must act as if the Russian government has control of all the networks it has penetrated.
Now, if only we had an administration that believed its experts and a majority party in the Senate that would pass a Defense Reauthorization Bill...
The Electoral College has voted, and with no surprises, as of 16:37 Chicago time Joe Biden has received the requisite 270 votes to be elected President of the United States. And yet, we had a few surprises today:
Finally, John le Carré died at 89 yesterday. Time to revisit Josephine Livingstone's review of "the glorious return of George Smiley," le Carré's 2017 novel A Legacy of Spies.
From Andrew Marantz at The New Yorker:
In retrospect, it seems that the company’s strategy has never been to manage the problem of dangerous content, but rather to manage the public’s perception of the problem. In [former UK Liberal Democratic Party leader Nick] Clegg’s recent blog post, he wrote that Facebook takes a “zero tolerance approach” to hate speech, but that, “with so much content posted every day, rooting out the hate is like looking for a needle in a haystack.” This metaphor casts Zuckerberg as a hapless victim of fate: day after day, through no fault of his own, his haystack ends up mysteriously full of needles. A more honest metaphor would posit a powerful set of magnets at the center of the haystack—Facebook’s algorithms, which attract and elevate whatever content is most highly charged. If there are needles anywhere nearby—and, on the Internet, there always are—the magnets will pull them in. Remove as many as you want today; more will reappear tomorrow. This is how the system is designed to work.
“It’s an open secret,” Sophie Zhang, a former data scientist for the company, recently wrote, “that Facebook’s short-term decisions are largely motivated by PR and the potential for negative attention.” Zhang left Facebook in September. Before she did, she posted a scathing memo on Workplace. In the memo, which was obtained by BuzzFeed News, she alleged that she had witnessed “multiple blatant attempts by foreign national governments to abuse our platform on vast scales”; in some cases, however, “we simply didn’t care enough to stop them.” She suggested that this was because the abuses were occurring in countries that American news outlets were unlikely to cover.
Nothing surprising in the article, but Marantz adds a lot more detail than most people have realized.
A cold front pushed its way through Chicago this afternoon, making it feel much more like autumn than we've experienced so far. And it got pretty chilly in Washington, where Senate Republicans began the first day of hearings into the nomination of Amy Coney Barrett for the Supreme Court:
And much farther from home, Mars will be in opposition tomorrow night, coincidentally during the new moon, meaning we'll get a really good look at it.
While I'm waiting for Vice President Mike Pence and Senator Kamala Harris to face off at 8pm Central, I have other things to occupy my thoughts:
Also, it's sunny and 20°C this morning, going up to 23°C this afternoon, so I'm taking half a day off work. We have perhaps 3 more days of nice weather this year, and it's the first day of a sprint (so no deadlines quite yet).
Starting in March, this year has seemed like a weird anthology TV show, with each month written and directed by a different team. We haven't had Aaron Sorkin and Thomas Schlamme yet; I'm hoping that'll be the season finale in February. This month we seem to have Armando Iannucci running the show, as the President's antics over the weekend suggest.
So here's how I'm spending lunch:
Tomorrow night will be the vice-presidential debate, which I will again live-blog. I can't wait.
The cartoonist and author behind Hyperbole and a Half has returned with a new book, which I should receive tomorrow. This news offsets pretty much all the other news from today:
I'm sure there's more, but I'm done for the day.
With 58 days until the election, the noise keeps increasing. Here's some of it:
Finally, The Smithsonian describes how Greg Priore managed to steal priceless documents from the Carnegie Library of Pittsburgh, because he was in charge of security for those items.
I'm taking a day off, so I'm choosing not to read all the articles that have piled up on my desktop:
- Tropical Storm Josephine has formed east of the windward islands, becoming the earliest 10th named storm on record. The National Hurricane Center promises an "extremely active" season.
- By tracking excess deaths in addition to reported Covid-19 deaths, the New York Times has concluded we've already surpassed 200,000 and could hit half a million by the end of the year.
- The General Accounting Office, a non-partisan Congressional watchdog, says Chad Wolf and Ken Cuccinelli are not legally qualified for their current positions, throwing into doubt all DHS actions under their leadership.
- CityLab sees parallels between Chicago's response to looting in the past few months and its response to the Lager Beer Riot of 1855.
- Has the European Central Bank "found a way around the lower bound on interest rates?"
- John Scalzi declaims, "Fuck you, I'm voting." ("You," in this case, means the Trump Administration, in case there was any doubt.)
- A former Google security engineer earned $50,000 for helping "a guy" get $300,000 in Bitcoin out of an old Zip file, thanks to advances in computing power and a flaw in the Zip implementation.
Finally, a "mania" set Stravinsky's Rite of Spring to Teletubbies footage, and it's horrifying.
This is my 55th post this month, and the fifth month in a row in which I've posted over 50 times. That brings my 12-month total to 581, the third record in a row and the fifth record this year. I guess Covid-19 has been good for something.
Here's what I'm reading today:
I'm excited to add a notch on the Brews and Choos project in a few hours. Check back tomorrow.