The Daily Parker

The Times continues its coverage of the SolarWinds breach, and adds a detail that explains why the Russians continue to eat our lunch:

Employees say that under [SolarWinds CEO Kevin] Thompson, an accountant by training and a former chief financial officer, every part of the business was examined for cost savings and common security practices were eschewed because of their expense. His approach helped almost triple SolarWinds’ annual profit margins to more than $453 million in 2019 from $152 million in 2010.

But some of those measures may have put the company and its customers at greater risk for attack. SolarWinds moved much of its engineering to satellite offices in the Czech Republic, Poland and Belarus, where engineers had broad access to the Orion network management software that Russia’s agents compromised.

So many things went wrong in this case that singling out one CEO for taking profits over security may seem myopic. But the SVR must love the poetry of it: a greedy American CEO tries to increase his paycheck by hiring engineers easy for them to compromise, leading to the largest network intrusion in history.

I want to see Congress investigate this, and I want to see Thompson reduced to penury for his greed. Not that anything will change; until we have rational regulation of software security—hell, until we have any regulation of software security—criminals and our adversaries will keep exploiting companies like SolarWinds.

We're so close to ending 2020 that I can almost taste it. (I hope to be tasting tacos in a few minutes, however.) True to form, 2020 has apparently decided not to leave quietly:

• Senate Majority Leader Mitch McConnell (R-KY) has blocked a vote on $2,000 relief checks so that he can add a poison-pill amendment the STBXPOTUS has asked for.
• Writing in The Atlantic, Dani Alexis Ryskamp points out that the life depicted in The Simpsons is no longer attainable.
• New Republic has named Florida governor Ron Desantis (R) "Scoundrel of the Year."
• Michael Benson reviews some satellite photos of Earth this year and comes away horrified.
• Wired looks at the state and evolution of ransomware and also comes away horrified.
• The United Nations Working Group on the Use of Mercenaries (yes, there is such a thing) came away horrified from the STBXPOTUS pardoning the Blackwater guys who murdered Iraqi civilians.

Finally, the Washington Post's Michael Rosenwald reports that Bloom asked 28 historians to determine whether 2020 was the worst year ever. It wasn't even close.

Thank you, Tom Lehrer, for encapsulating what this season means to us in the US. In the last 24 hours, we have seen some wonderful Christmas gifts, some of them completely in keeping with Lehrer's sentiment.

Continuing his unprecedented successes making his the most corrupt presidency in the history of the country (and here I include the Andrew Johnson and Warren Harding presidencies), the STBXPOTUS yesterday granted pardons to felons Charles Kushner, Paul Manafort, and Roger Stone. Of the 65 pardons and commutations he has granted since becoming president, 60 have gone to people he knows personally and who have committed crimes on his behalf. Maggie Haberman and Michael S Schmidt say he's at his most unleashed as he tries to avoid leaving office the loser he is.

In other news:

• The UK and the EU have agreed a trading and security deal with only days to spare.
• Illinois has vaccinated over 100,000 people for SARS-Cov-2 so far, more than any other state.
• Calculated Risk lists the 10 biggest economic questions for 2021.
• Via Bruce Schneier, China has used stolen HR data to detect and neutralize CIA assets in Africa and Europe.
• We had a bit of weather in Chicago overnight. Around 2pm we hit a high temperature of 14.4°C, which dropped slowly to 9°C at 7pm, then promptly fell off a cliff. When I woke up this morning to frigid -10.6°C air, the temperature had dropped 25°C in 16 hours. Welcome to Chicago in winter.

Finally, enjoy this performance of the "Hallelujah" chorus from Händel's Messiah released just a few moments ago by the Apollo Chorus of Chicago:

It's 11°C outside and I have a fuzzy houseguest for the day, so there will be walks! At least until the 20°C temperature drop starts around 6pm... So while I'm enjoying the last above-freezing day of the year with a very sweet and very strong office companion, I've got a few things to occupy my time.

At the top of my list today, we find that the STBXPOTUS has pardoned 15 truly awful murderers and grifters, including the four assholes who slaughtered unarmed Iraqi civilians in 2007. It's possible these are the worst pardons ever granted by a US president. (I wonder if Bill Moyers would agree.)

Next we have Bruce Schneier explaining just how bad the SolarWinds penetration really is.

And finally, US Surgeon General Dr Jerome Adams said Chicago's coronavirus vaccine rollout was the best in the nation. Go us!

I will now finish my lunch, guarded vigilantly by my neighbor's dog who hopes against all evidence that some of my ham sandwich will find its way to her snout.

Welcome to the (abbreviated) lunchtime roundup:

• Not only have attackers breached hundreds of networks due to a subtle flaw in a complicated piece of software, it turns out that a Dutch software engineer has—for the second time—exposed a rather glaring flaw in an uncomplicated piece of wetware by guessing the STBXPOTUS's Twitter password. (It was "maga2020!". I am not making this up.)
• Thomas Edsall decries "the rise of 'political sectarianism'."
• It's time once again for Drew Magary's "Hater's Guide to the Williams-Sonoma Catalog."

Finally, Julie Nolke for the fourth time explains the pandemic to her past self.

FireEye, a cybersecurity firm, revealed last week that unknown parties had penetrated its network and that its clients, including the US Government, were at risk. Bruce Schneier has technical details about the attack. Former Homeland Security Adviser Thomas Bossert lays out the scope of it:

The attackers gained access to SolarWinds software before updates of that software were made available to its customers. Unsuspecting customers then downloaded a corrupted version of the software, which included a hidden back door that gave hackers access to the victim’s network.

This is what is called a supply-chain attack, meaning the pathway into the target networks relies on access to a supplier. Supply-chain attacks require significant resources and sometimes years to execute. They are almost always the product of a nation-state. Evidence in the SolarWinds attack points to the Russian intelligence agency known as the S.V.R., whose tradecraft is among the most advanced in the world.

According to SolarWinds S.E.C. filings, the malware was on the software from March to June. The number of organizations that downloaded the corrupted update could be as many as 18,000, which includes most federal government unclassified networks and more than 425 Fortune 500 companies.

The magnitude of this ongoing attack is hard to overstate.

The Russians have had access to a considerable number of important and sensitive networks for six to nine months. The Russian S.V.R. will surely have used its access to further exploit and gain administrative control over the networks it considered priority targets. For those targets, the hackers will have long ago moved past their entry point, covered their tracks and gained what experts call “persistent access,” meaning the ability to infiltrate and control networks in a way that is hard to detect or remove.

The logical conclusion is that we must act as if the Russian government has control of all the networks it has penetrated.

Now, if only we had an administration that believed its experts and a majority party in the Senate that would pass a Defense Reauthorization Bill...

The Electoral College has voted, and with no surprises, as of 16:37 Chicago time Joe Biden has received the requisite 270 votes to be elected President of the United States. And yet, we had a few surprises today:

• The loathsome STBXPOTUS fired his almost-equally-loathsome Attorney General, Bill Barr, which could not have happened to a better couple.
• The US passed 300,000 Covid-19 deaths today. Probably 250,000 could have been prevented.
• Security guru Bruce Schneier advocates for regulation of persuasion technologies.
• A man in Peoria, Ill., impersonated a property owner to have an artist paint a Cookie Monster mural. The real property owner did not find this amusing.

Finally, John le Carré died at 89 yesterday. Time to revisit Josephine Livingstone's review of "the glorious return of George Smiley," le Carré's 2017 novel A Legacy of Spies.

From Andrew Marantz at The New Yorker:

In retrospect, it seems that the company’s strategy has never been to manage the problem of dangerous content, but rather to manage the public’s perception of the problem. In [former UK Liberal Democratic Party leader Nick] Clegg’s recent blog post, he wrote that Facebook takes a “zero tolerance approach” to hate speech, but that, “with so much content posted every day, rooting out the hate is like looking for a needle in a haystack.” This metaphor casts Zuckerberg as a hapless victim of fate: day after day, through no fault of his own, his haystack ends up mysteriously full of needles. A more honest metaphor would posit a powerful set of magnets at the center of the haystack—Facebook’s algorithms, which attract and elevate whatever content is most highly charged. If there are needles anywhere nearby—and, on the Internet, there always are—the magnets will pull them in. Remove as many as you want today; more will reappear tomorrow. This is how the system is designed to work.

“It’s an open secret,” Sophie Zhang, a former data scientist for the company, recently wrote, “that Facebook’s short-term decisions are largely motivated by PR and the potential for negative attention.” Zhang left Facebook in September. Before she did, she posted a scathing memo on Workplace. In the memo, which was obtained by BuzzFeed News, she alleged that she had witnessed “multiple blatant attempts by foreign national governments to abuse our platform on vast scales”; in some cases, however, “we simply didn’t care enough to stop them.” She suggested that this was because the abuses were occurring in countries that American news outlets were unlikely to cover.

Nothing surprising in the article, but Marantz adds a lot more detail than most people have realized.

A cold front pushed its way through Chicago this afternoon, making it feel much more like autumn than we've experienced so far. And it got pretty chilly in Washington, where Senate Republicans began the first day of hearings into the nomination of Amy Coney Barrett for the Supreme Court:

• Matt Ford says Barrett's nomination is "the culmination of [the right-wing Federalist Society] movement’s work—and perhaps its high-water mark as well."
• Aaron Blake calls the Republican Party's  gamesmanship over the past 30 years "court stacking," and argues it deserves a proportional response from the left.
• Microsoft and the United States Cyber Command discovered that they had both targeted a group of cybercriminals, with happy results for all (except the Russians who they targeted).
• Closer to home, a developer will start construction on an extension to Chicago's 606 Trail across the Chicago river, due to open in 2023.
• The Chicago Tribune has yet another explainer about the Illinois graduated income tax proposal.

And much farther from home, Mars will be in opposition tomorrow night, coincidentally during the new moon, meaning we'll get a really good look at it.

While I'm waiting for Vice President Mike Pence and Senator Kamala Harris to face off at 8pm Central, I have other things to occupy my thoughts:

• The First Lady has had a remarkably charmed pandemic life.
• Jeff Sessions and Rod Rosenstein were "a driving force" in the program of separating children from their parents at the border in 2018.
• Today is the 65th anniversary of Allen Ginsberg's first public recitation of "Howl."
• Apple's iOS v14 will finally have some of the security and privacy features Android has had for years.

Also, it's sunny and 20°C this morning, going up to 23°C this afternoon, so I'm taking half a day off work. We have perhaps 3 more days of nice weather this year, and it's the first day of a sprint (so no deadlines quite yet).