The Times continues its coverage of the SolarWinds breach, and adds a detail that explains why the Russians continue to eat our lunch:
Employees say that under [SolarWinds CEO Kevin] Thompson, an accountant by training and a former chief financial officer, every part of the business was examined for cost savings and common security practices were eschewed because of their expense. His approach helped almost triple SolarWinds’ annual profit margins to more than $453 million in 2019 from $152 million in 2010.
But some of those measures may have put the company and its customers at greater risk for attack. SolarWinds moved much of its engineering to satellite offices in the Czech Republic, Poland and Belarus, where engineers had broad access to the Orion network management software that Russia’s agents compromised.
So many things went wrong in this case that singling out one CEO for taking profits over security may seem myopic. But the SVR must love the poetry of it: a greedy American CEO tries to increase his paycheck by hiring engineers easy for them to compromise, leading to the largest network intrusion in history.
I want to see Congress investigate this, and I want to see Thompson reduced to penury for his greed. Not that anything will change; until we have rational regulation of software security—hell, until we have any regulation of software security—criminals and our adversaries will keep exploiting companies like SolarWinds.
We're so close to ending 2020 that I can almost taste it. (I hope to be tasting tacos in a few minutes, however.) True to form, 2020 has apparently decided not to leave quietly:
Finally, the Washington Post's Michael Rosenwald reports that Bloom asked 28 historians to determine whether 2020 was the worst year ever. It wasn't even close.
Thank you, Tom Lehrer, for encapsulating what this season means to us in the US. In the last 24 hours, we have seen some wonderful Christmas gifts, some of them completely in keeping with Lehrer's sentiment.
Continuing his unprecedented success in making his the most corrupt presidency in the history of the country (and here I include the Andrew Johnson and Warren Harding presidencies), the STBXPOTUS yesterday granted pardons to felons Charles Kushner, Paul Manafort, and Roger Stone. Of the 65 pardons and commutations he has granted since becoming president, 60 have gone to people he knows personally and who have committed crimes on his behalf. Maggie Haberman and Michael S Schmidt say he's at his most unleashed as he tries to avoid leaving office the loser he is.
In other news:
Finally, enjoy this performance of the "Hallelujah" chorus from Händel's Messiah released just a few moments ago by the Apollo Chorus of Chicago:
It's 11°C outside and I have a fuzzy houseguest for the day, so there will be walks! At least until the 20°C temperature drop starts around 6pm... So while I'm enjoying the last above-freezing day of the year with a very sweet and very strong office companion, I've got a few things to occupy my time.
At the top of my list today, we find that the STBXPOTUS has pardoned 15 truly awful murderers and grifters, including the four assholes who slaughtered unarmed Iraqi civilians in 2007. It's possible these are the worst pardons ever granted by a US president. (I wonder if Bill Moyers would agree.)
Next we have Bruce Schneier explaining just how bad the SolarWinds penetration really is.
And finally, US Surgeon General Dr Jerome Adams said Chicago's coronavirus vaccine rollout was the best in the nation. Go us!
I will now finish my lunch, guarded vigilantly by my neighbor's dog who hopes against all evidence that some of my ham sandwich will find its way to her snout.
Welcome to the (abbreviated) lunchtime roundup:
Finally, Julie Nolke for the fourth time explains the pandemic to her past self.
FireEye, a cybersecurity firm, revealed last week that unknown parties had penetrated its network and that its clients, including the US Government, were at risk. Bruce Schneier has technical details about the attack. Former Homeland Security Adviser Thomas Bossert lays out the scope of it:
The attackers gained access to SolarWinds software before updates of that software were made available to its customers. Unsuspecting customers then downloaded a corrupted version of the software, which included a hidden back door that gave hackers access to the victim’s network.
This is what is called a supply-chain attack, meaning the pathway into the target networks relies on access to a supplier. Supply-chain attacks require significant resources and sometimes years to execute. They are almost always the product of a nation-state. Evidence in the SolarWinds attack points to the Russian intelligence agency known as the S.V.R., whose tradecraft is among the most advanced in the world.
According to SolarWinds S.E.C. filings, the malware was on the software from March to June. The number of organizations that downloaded the corrupted update could be as many as 18,000, which includes most federal government unclassified networks and more than 425 Fortune 500 companies.
The magnitude of this ongoing attack is hard to overstate.
The Russians have had access to a considerable number of important and sensitive networks for six to nine months. The Russian S.V.R. will surely have used its access to further exploit and gain administrative control over the networks it considered priority targets. For those targets, the hackers will have long ago moved past their entry point, covered their tracks and gained what experts call “persistent access,” meaning the ability to infiltrate and control networks in a way that is hard to detect or remove.
The logical conclusion is that we must act as if the Russian government has control of all the networks it has penetrated.
Now, if only we had an administration that believed its experts and a majority party in the Senate that would pass a Defense Reauthorization Bill...
The Electoral College has voted, and with no surprises, as of 16:37 Chicago time Joe Biden has received the requisite 270 votes to be elected President of the United States. And yet, we had a few surprises today:
Finally, John le Carré died at 89 yesterday. Time to revisit Josephine Livingstone's review of "the glorious return of George Smiley," le Carré's 2017 novel A Legacy of Spies.
From Andrew Marantz at The New Yorker:
In retrospect, it seems that the company’s strategy has never been to manage the problem of dangerous content, but rather to manage the public’s perception of the problem. In [former UK Liberal Democratic Party leader Nick] Clegg’s recent blog post, he wrote that Facebook takes a “zero tolerance approach” to hate speech, but that, “with so much content posted every day, rooting out the hate is like looking for a needle in a haystack.” This metaphor casts Zuckerberg as a hapless victim of fate: day after day, through no fault of his own, his haystack ends up mysteriously full of needles. A more honest metaphor would posit a powerful set of magnets at the center of the haystack—Facebook’s algorithms, which attract and elevate whatever content is most highly charged. If there are needles anywhere nearby—and, on the Internet, there always are—the magnets will pull them in. Remove as many as you want today; more will reappear tomorrow. This is how the system is designed to work.
“It’s an open secret,” Sophie Zhang, a former data scientist for the company, recently wrote, “that Facebook’s short-term decisions are largely motivated by PR and the potential for negative attention.” Zhang left Facebook in September. Before she did, she posted a scathing memo on Workplace. In the memo, which was obtained by BuzzFeed News, she alleged that she had witnessed “multiple blatant attempts by foreign national governments to abuse our platform on vast scales”; in some cases, however, “we simply didn’t care enough to stop them.” She suggested that this was because the abuses were occurring in countries that American news outlets were unlikely to cover.
Nothing surprising in the article, but Marantz adds a lot more detail than most people have realized.
A cold front pushed its way through Chicago this afternoon, making it feel much more like autumn than we've experienced so far. And it got pretty chilly in Washington, where Senate Republicans began the first day of hearings into the nomination of Amy Coney Barrett for the Supreme Court:
And much farther from home, Mars will be in opposition tomorrow night, coincidentally during the new moon, meaning we'll get a really good look at it.
While I'm waiting for Vice President Mike Pence and Senator Kamala Harris to face off at 8pm Central, I have other things to occupy my thoughts:
Also, it's sunny and 20°C this morning, going up to 23°C this afternoon, so I'm taking half a day off work. We have perhaps 3 more days of nice weather this year, and it's the first day of a sprint (so no deadlines quite yet).