SolarWinds' Orion monitoring platform may have been tampered with by attackers
- 
 SolarWinds said monitoring products it released in March and June of this year may have been surreptitiously tampered with in a “highly-sophisticated, targeted and manual supply chain attack by a nation state.” U.S. government agencies were ordered to scour their networks for malware and disconnect potentially compromised servers on Monday after authorities learned that the Treasury and Commerce departments were hacked in a global cyber-espionage campaign tied to a foreign government. The article continues... The apparent conduit for the Treasury and Commerce Department hacks — and the FireEye compromise — is a hugely popular piece of server software called SolarWinds. It is used by hundreds of thousands of organizations globally, including most Fortune 500 companies and multiple U.S. federal agencies, which will now be scrambling to patch up their networks, said Alperovitch, the former chief technical officer of the cybersecurity firm CrowdStrike. 
- 
 Would this have been caught earlier if it were open source? 
- 
 @VoIP_n00b said in SolarWinds' Orion monitoring platform may have been tampered with by attackers: Would this have been caught earlier if it were open source? No way to know for sure, but likely. 
- 
 Really? What makes you say that? Didn't some bug that was in Linux for more than a decade just get discovered last year? Being open source makes it easier to find them, sure, but more likely? Only if someone is looking. 
- 
 @Dashrender said in SolarWinds' Orion monitoring platform may have been tampered with by attackers: Really? What makes you say that? Didn't some bug that was in Linux for more than a decade just get discovered last year? Being open source makes it easier to find them, sure, but more likely? Only if someone is looking. The biggest difference is that companies can't actively hide vulnerabilities in open source. As you said, that doesn't mean anyone is looking. Not having read the articles here, I can't say what happened at Solarwinds this time. I do know I don't trust Solarwinds as a company. 
- 
 @VoIP_n00b said in SolarWinds' Orion monitoring platform may have been tampered with by attackers: Would this have been caught earlier if it were open source? Definitely, because everyone goes through the source code for all OSS. Don't you? 
- 
 @Obsolesce said in SolarWinds' Orion monitoring platform may have been tampered with by attackers: Definitely, because everyone goes through the source code for all OSS. Don't you? Every. Single. Line. I spend about 600 hours a year reading code. 
- 
 @VoIP_n00b : and you would understand all of the methods that a professional -- likely government sponsored -- hacker would use to exploit this system? Linux is OSS and has had many exploits... 
- 
 @manxam said in SolarWinds' Orion monitoring platform may have been tampered with by attackers: Linux is OSS and has had many exploits... Only the ones Voip_n00b didn't get to before it was too late... 
- 
 @Dashrender said in SolarWinds' Orion monitoring platform may have been tampered with by attackers: Really? What makes you say that? Didn't some bug that was in Linux for more than a decade just get discovered last year? Being open source makes it easier to find them, sure, but more likely? Only if someone is looking. I think the difference is one was a bug and one was injected maliciously. I'm not saying it would have definitely been found, but bugs look a bit different than purposefully malicious code. It's also that it at least has the opportunity to be found. A lot also depends on how things like pull requests/merge requests are approved as well. 
- 
 I can't say whether this issue would have been discovered if it were open source, but if SolarWinds supplied MD5 and SHA256 checksums for their installations, and organizations verified them against what they downloaded, they might have noticed that something was at least off. In looking at the site, it appears to offer a demo by request only, and there is no indication that such a basic security measure is offered - but it may be. 
- 
 @Dashrender said in SolarWinds' Orion monitoring platform may have been tampered with by attackers: Really? What makes you say that? Because it can be audited. It simply takes a situation that is X and improves it. Better is better, it's that simple. Didn't some bug that was in Linux for more than a decade just get discovered last year? Being open source makes it easier to find them, sure, but more likely? Only if someone is looking. This is an anecdote and means nothing here. How many bugs have been in closed source software for decades, sometimes even AFTER someone discovered them? How many are in there now, you don't know, because it's closed. So never, ever, ever can you state something like this and imply that it's meaningful. You are implying the "perfect or nothing" argument. You are ignoring the simple fact that being open has to improve the chances of catching a bug (because there's nothing that makes it worse and so much that makes it better) and pointing out only that by being open source it didn't prevent the possibility of bugs. No one ever has claimed such a ridiculous thing. So pointing it out has no purpose. The point is that being open would make it many times more likely to be found, and many, many times more likely to have been disclosed once found. Because this is closed source, we have to assume that the vendor is keeping stuff hidden. We have zero reason to believe that they did or didn't already know about it. Closed source is not just a mechanism for hiding how things are done, it's also a major mechanism for hiding mistakes. Being open means that nothing can be hidden. And it means that there are more mechanisms for finding something. Both of those things mean that, on average, things are found (and disclosed) sooner. 
- 
 @Obsolesce said in SolarWinds' Orion monitoring platform may have been tampered with by attackers: @VoIP_n00b said in SolarWinds' Orion monitoring platform may have been tampered with by attackers: Would this have been caught earlier if it were open source? Definitely, because everyone goes through the source code for all OSS. Don't you? They do, actually. Big companies that use open source products go through the code a LOT. That's standard practice. The "people don't really look at the code" claim is actually untrue for products of any standing. On Wall St., for example, they specifically choose open source and audit the code at nearly all the banks. So it's not just one, it's all of them working together. And that's just one industry looking at code for everyone. Because many of these tools are automated, you'd be surprised just how dramatically easy code auditing is and how many companies do it out of habit, if nothing else. 
- 
 @manxam said in SolarWinds' Orion monitoring platform may have been tampered with by attackers: @VoIP_n00b : and you would understand all of the methods that a professional -- likely government sponsored -- hacker would use to exploit this system? Linux is OSS and has had many exploits... But far fewer than in closed source alternatives. Which is the entire point. Better and perfect aren't the same thing. 
- 
 @scottalanmiller said in SolarWinds' Orion monitoring platform may have been tampered with by attackers: @Dashrender said in SolarWinds' Orion monitoring platform may have been tampered with by attackers: Really? What makes you say that? Because it can be audited. It simply takes a situation that is X and improves it. Better is better, it's that simple. Didn't some bug that was in Linux for more than a decade just get discovered last year? Being open source makes it easier to find them, sure, but more likely? Only if someone is looking. This is an anecdote and means nothing here. How many bugs have been in closed source software for decades, sometimes even AFTER someone discovered them? How many are in there now, you don't know, because it's closed. So never, ever, ever can you state something like this and imply that it's meaningful. You are implying the "perfect or nothing" argument. You are ignoring the simple fact that being open has to improve the chances of catching a bug (because there's nothing that makes it worse and so much that makes it better) and pointing out only that by being open source it didn't prevent the possibility of bugs. No one ever has claimed such a ridiculous thing. So pointing it out has no purpose. The point is that being open would make it many times more likely to be found, and many, many times more likely to have been disclosed once found. Because this is closed source, we have to assume that the vendor is keeping stuff hidden. We have zero reason to believe that they did or didn't already know about it. Closed source is not just a mechanism for hiding how things are done, it's also a major mechanism for hiding mistakes. Being open means that nothing can be hidden. And it means that there are more mechanisms for finding something. Both of those things mean that, on average, things are found (and disclosed) sooner. 
That wasn't my point - I agree open is better, but bugs still exist, often for years, decades even, until someone looks. There is so much belief that just because it's open source it's been vetted by many, many people, and that's just simply not true. 
- 
 @scottalanmiller said in SolarWinds' Orion monitoring platform may have been tampered with by attackers: @manxam said in SolarWinds' Orion monitoring platform may have been tampered with by attackers: @VoIP_n00b : and you would understand all of the methods that a professional -- likely government sponsored -- hacker would use to exploit this system? Linux is OSS and has had many exploits... But far fewer than in closed source alternatives. Which is the entire point. Better and perfect aren't the same thing. 
Absolutely - it's better, but anything but perfect. 
- 
 @Dashrender said in SolarWinds' Orion monitoring platform may have been tampered with by attackers: That wasn't my point - I agree open is better, but bugs still exist, often for years, decades even, until someone looks. There is so much belief that just because it's open source it's been vetted by many, many people, and that's just simply not true. 
A piece of software doesn't need to be vetted by many; the option to have it vetted by any number of people is what is important. Compare that to being vetted by 1 organization, which discloses nothing about the software and may not even vet the software beyond "it works", without checking for vulnerabilities. 
- 
 @VoIP_n00b said in SolarWinds' Orion monitoring platform may have been tampered with by attackers: Would this have been caught earlier if it were open source? @DustinB3403 this is what most people are responding to. Would it have been caught earlier if this was open source? Who the hell knows - no one does. 
- 
 @Dashrender said in SolarWinds' Orion monitoring platform may have been tampered with by attackers: Would it have been caught earlier if this was open source? Who the hell knows - no one does. Being caught and being able to be disclosed are different things. A bug privately disclosed and unfixed is still a bug. A bug that is publicly disclosed, fixed or not, would at least allow a user to look for those known issues and decide whether or not to use the product. 
- 
 @Dashrender said in SolarWinds' Orion monitoring platform may have been tampered with by attackers: @scottalanmiller said in SolarWinds' Orion monitoring platform may have been tampered with by attackers: @Dashrender said in SolarWinds' Orion monitoring platform may have been tampered with by attackers: Really? What makes you say that? Because it can be audited. It simply takes a situation that is X and improves it. Better is better, it's that simple. Didn't some bug that was in Linux for more than a decade just get discovered last year? Being open source makes it easier to find them, sure, but more likely? Only if someone is looking. This is an anecdote and means nothing here. How many bugs have been in closed source software for decades, sometimes even AFTER someone discovered them? How many are in there now, you don't know, because it's closed. So never, ever, ever can you state something like this and imply that it's meaningful. You are implying the "perfect or nothing" argument. You are ignoring the simple fact that being open has to improve the chances of catching a bug (because there's nothing that makes it worse and so much that makes it better) and pointing out only that by being open source it didn't prevent the possibility of bugs. No one ever has claimed such a ridiculous thing. So pointing it out has no purpose. The point is that being open would make it many times more likely to be found, and many, many times more likely to have been disclosed once found. Because this is closed source, we have to assume that the vendor is keeping stuff hidden. We have zero reason to believe that they did or didn't already know about it. Closed source is not just a mechanism for hiding how things are done, it's also a major mechanism for hiding mistakes. Being open means that nothing can be hidden. And it means that there are more mechanisms for finding something. Both of those things mean that, on average, things are found (and disclosed) sooner. 
That wasn't my point - I agree open is better, but bugs still exist, often for years, decades even, until someone looks. There is so much belief that just because it's open source it's been vetted by many, many people, and that's just simply not true. 
Those are bugs. It's different, because this was purposefully injected. There are tons of tools that scan for malicious code. An example: at FDX they used SonarQube and other tools like Fortify to find vulnerabilities in code. This may not have been source code though. That's why there are initiatives for things like supply chain trust in software (TUF, notary, in-toto, etc.). This was either source code, an artifact in the build process, or something in the release process. Open source is great, but if you can't verify the build was done properly then there could be injections during the build which you wouldn't catch in the code. Companies need to start demanding that the build process be auditable with some kind of supply chain verification like the tools mentioned, where the BOM can be signed and audited. 
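A worked illustration of the two verification ideas raised in this thread: the checksum-against-published-manifest check from the earlier post, and the signed, auditable build record (in the spirit of in-toto) from the post above. This is added example code, not from the thread or from any of the tools named; the step names, sample files and shared key are constructed assumptions, and HMAC stands in for the asymmetric signatures real supply chain tooling uses.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for a checked-out source file and the binary built from it.
SOURCE = {"orion/core.cs": b"class Core { void Run() {} }\n"}
BUILD_OUTPUT = {"Orion.dll": b"\x4d\x5a constructed compiled output of core.cs"}
KEY = b"constructed-shared-key"  # assumption: HMAC key in place of a real signing key

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_link(step, materials, products, key=KEY):
    """Record what a build step consumed (materials) and produced (products),
    in-toto style, and authenticate the record so it cannot be altered later."""
    body = {"step": step,
            "materials": {n: sha256(d) for n, d in materials.items()},
            "products": {n: sha256(d) for n, d in products.items()}}
    canonical = json.dumps(body, sort_keys=True).encode()
    return {"signed": body, "sig": hmac.new(key, canonical, "sha256").hexdigest()}

def verify_chain(links, delivered, key=KEY):
    """Verify a chain of step records against the files a customer received.
    Checks: each record is authentic, each step consumed exactly what the
    previous step produced, and the delivered files match the final products.
    Returns a list of failure strings; an empty list means the chain verified."""
    failures = []
    prev_products = None
    for link in links:
        body = link["signed"]
        canonical = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(key, canonical, "sha256").hexdigest()
        if not hmac.compare_digest(link["sig"], expected):
            failures.append(f"{body['step']}: record signature invalid")
        if prev_products is not None and body["materials"] != prev_products:
            failures.append(f"{body['step']}: inputs differ from previous step's outputs")
        prev_products = body["products"]
    # Final checksum check: what was downloaded must match what the build recorded.
    for name, data in delivered.items():
        if prev_products is None or prev_products.get(name) != sha256(data):
            failures.append(f"{name}: delivered file does not match the build record")
    return failures

if __name__ == "__main__":
    links = [make_link("checkout", {}, SOURCE), make_link("build", SOURCE, BUILD_OUTPUT)]
    print(verify_chain(links, BUILD_OUTPUT))  # []
    tampered = {"Orion.dll": BUILD_OUTPUT["Orion.dll"] + b"injected"}
    print(verify_chain(links, tampered))  # reports the Orion.dll mismatch
```

A swap of the shipped binary, a build fed different source than was checked out, or an edited build record each show up as a distinct failure; a compromised compiler that emits a backdoor from clean source would not, which is the limit of this kind of check.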