The main alarming thing, I guess, is that there is a large part of the world 
that is more easily motivated than me.   I mean, it seems kind of boring to 
sort through all that.  Impressive in sort of an autistic savant sort of way.   
I wonder if they were paid well by U.S. standards.

From: Friam <[email protected]> On Behalf Of Roger Critchlow
Sent: Wednesday, December 16, 2020 2:14 PM
To: The Friday Morning Applied Complexity Coffee Group <[email protected]>
Subject: Re: [FRIAM] 5 agencies compromised

pwntastic, even.

-- rec --


On Wed, Dec 16, 2020 at 11:07 AM Marcus Daniels 
<[email protected]> wrote:
Yes, it sounds like they were methodical and patient.   Impressive work.

-----Original Message-----
From: Friam <[email protected]> On Behalf Of u?l? ???
Sent: Wednesday, December 16, 2020 7:06 AM
To: FriAM <[email protected]>
Subject: Re: [FRIAM] 5 agencies compromised

Well, it's one thing to simply screw up a dependency. Any programmer who's 
participated in a large project has done that at one point or another. But the 
interesting quote is this:

"Multiple trojanized updates were digitally signed from March - May 2020 and 
posted to the SolarWinds updates website, ..."

They were digitally signed. Either they were legitimately signed and the vector 
is the typical one (humans [ptouie]) or the bad actor (not necessarily human) 
harvested a secret key and illegitimately signed them. And that's just the 
signing part. They also had to *post* them, which may well be the easier part. 
But it still had to be done.

How did they 1) sign the packages and 2) post the packages?


On 12/15/20 12:23 PM, Prof David West wrote:
> Web-based (most software) systems are a complicated Jenga tower of
> dependencies, each one of which provides an access point for
> introducing malware, trojans, viruses, etc. The story of Azer Koçulu
> and how his removal of eight lines of code (left-pad) brought down
> major Web actors and sites
>
> https://qz.com/646467/how-one-programmer-broke-the-internet-by-deleting-a-tiny-piece-of-code/


--
↙↙↙ uǝlƃ
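The two cases in the message above (legitimately signed by the vendor's pipeline, or signed with a harvested key) look identical to whoever verifies the update: the signature checks out either way. The point a defender cares about is that a valid signature proves only who held the signing key, not that the artifact is the build the vendor meant to ship. The following is an added example, not code from the thread or from SolarWinds; it uses an HMAC as a dependency-free stand-in for an asymmetric code signature (the asymmetry is irrelevant to the point), and every key, artifact and digest in it is constructed. It shows signature verification alone accepting a tampered update signed with the real key, and a second, independent check (a digest pinned out-of-band, e.g. from a reproducible build or a manifest that is not served from the update site) rejecting it.

```python
"""Constructed demonstration: a valid signature is not an integrity guarantee.
HMAC-SHA256 stands in for the vendor's code-signing primitive."""
import hashlib
import hmac

# Constructed key standing in for the vendor's release-signing private key.
VENDOR_SIGNING_KEY = b"constructed-vendor-release-signing-key"

# Constructed artifacts (the names are placeholders, not real release files).
CLEAN_UPDATE = b"orion-update-2020.03.bin: clean build output (constructed)"
TROJANIZED_UPDATE = CLEAN_UPDATE + b" + implanted code (constructed)"

# Digest of the expected build, pinned through a channel independent of the
# update server (reproducible build, signed manifest held elsewhere, etc.).
PINNED_SHA256 = hashlib.sha256(CLEAN_UPDATE).hexdigest()


def sign(artifact: bytes, key: bytes = VENDOR_SIGNING_KEY) -> str:
    """Produce a detached 'signature' over the artifact (HMAC stand-in)."""
    return hmac.new(key, artifact, hashlib.sha256).hexdigest()


def verify_signature(artifact: bytes, signature: str,
                     key: bytes = VENDOR_SIGNING_KEY) -> bool:
    """What a typical updater does: check the signature against the vendor key.
    This cannot tell the vendor's pipeline apart from anyone else holding the key."""
    return hmac.compare_digest(sign(artifact, key), signature)


def verify_against_pinned_digest(artifact: bytes, pinned_sha256: str) -> bool:
    """Independent check: does this artifact match the build we expected?"""
    actual = hashlib.sha256(artifact).hexdigest()
    return hmac.compare_digest(actual, pinned_sha256)


def assess_update(artifact: bytes, signature: str, pinned_sha256: str) -> dict:
    """Combine both checks; accept only when signature AND pinned digest agree."""
    sig_ok = verify_signature(artifact, signature)
    digest_ok = verify_against_pinned_digest(artifact, pinned_sha256)
    return {
        "signature_valid": sig_ok,
        "matches_pinned_build": digest_ok,
        "accept": sig_ok and digest_ok,
    }


def demo() -> tuple:
    """Three scenarios, returned for inspection:
    0: clean update signed with the vendor key      -> accepted
    1: tampered update signed with the vendor key   -> signature valid, rejected by digest
    2: tampered update signed with some other key   -> signature invalid"""
    clean = assess_update(CLEAN_UPDATE, sign(CLEAN_UPDATE), PINNED_SHA256)
    tampered_real_key = assess_update(
        TROJANIZED_UPDATE, sign(TROJANIZED_UPDATE), PINNED_SHA256)
    tampered_other_key = assess_update(
        TROJANIZED_UPDATE, sign(TROJANIZED_UPDATE, b"constructed-other-key"),
        PINNED_SHA256)
    return clean, tampered_real_key, tampered_other_key


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered/real key", "tampered/other key"), demo()):
        print(f"{label:20s} {result}")
```

Scenario 1 is the one the quoted article describes: whether the build system was subverted before signing or the key was taken, the signature is genuine and an updater that stops at `verify_signature` installs the artifact. Only a comparison against something the signing step cannot influence (here `PINNED_SHA256`) separates the expected build from the tampered one.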

- .... . -..-. . -. -.. -..-. .. ... -..-. .... . .-. .
FRIAM Applied Complexity Group listserv
Zoom Fridays 9:30a-12p Mtn GMT-6  
bit.ly/virtualfriam<http://bit.ly/virtualfriam> un/subscribe 
http://redfish.com/mailman/listinfo/friam_redfish.com
archives: http://friam.471366.n2.nabble.com/
FRIAM-COMIC http://friam-comic.blogspot.com/