by eternalny1 2006 days ago
Interesting tidbit at the bottom ...

> In an interesting turn of events, the investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor.

Is anyone ever pissed that one exploit getting caught reveals other hackers' efforts?

Like how that amateurish but high-profile WannaCry attack revealed a much more lucrative Monero mining botnet that was running with the same exploit for weeks longer, but some script kiddie ruined it.

I recall at least one "worm" that would patch the hole it came in by, perhaps so that it wouldn't have competition.

It wasn't one of those "healing viruses" either; it was exploiting a weakness and preventing others from doing the same.

> it was exploiting a weakness and preventing others from doing the same.

This is also a solution (albeit with a race condition) to one bug that the Morris worm had: the same worm infecting a host multiple times and the multiple instances drawing more attention / stepping on its own feet. Other worms likely have had similar flaws.

(Any suggestions to eloquently un-mix the worm/feet metaphors?)

This makes me think of a common refrain when dealing with parasite infestations: If you see one, there's way more than just one.

Deterministic builds cannot come soon enough. And really, builds are not enough, we need to be able to extend confidence in the execution of the programs we write much deeper than just builds.

> Deterministic builds cannot come soon enough.

This doesn't do anything for people who buy SolarWinds Orion, which is a closed-source off-the-shelf tool that gets picked up everywhere because of a combination of good sales tactics, compliance checkboxes, and ability to remove work from all involved.

Going back up the chain, a technical solution probably won't solve the issues inside SolarWinds either. Systemic organizational issues lead to RCE backdoors and implants distributed on official update servers, signed with authentic keys.

Deterministic builds can be done with closed source too. It doesn't directly help the users, but if they had set up a second build machine and noticed the build output was different, they could have addressed this sooner.

Of course, if following best practices, all build machines should be equally compromised. ;p

MD5 hashes and signing could have avoided this. Open source stuff always verifies, but closed source doesn't have that habit.
An article I read said that they did provide hashes but they also provided instructions on how to install it anyway if the hashes didn't match.
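As an added example (not code from the thread or from SolarWinds) for the two points above, a second-builder comparison and a digest check with no "install anyway" path; file names and bytes are constructed sample data:

```python
import hashlib
import hmac
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def compare_builds(build_a: Dict[str, bytes], build_b: Dict[str, bytes]) -> List[str]:
    """Return the paths whose bytes differ, or exist on only one side, between two
    independent builds of the same source revision. A non-empty list means the
    build is not reproducible or one builder is tampered: stop the release and look."""
    mismatched = []
    for path in sorted(set(build_a) | set(build_b)):
        a, b = build_a.get(path), build_b.get(path)
        if a is None or b is None or sha256_hex(a) != sha256_hex(b):
            mismatched.append(path)
    return mismatched


def verify_release(artifact: bytes, published_sha256: str) -> bool:
    """Fail-closed check of a downloaded artifact against the vendor's published digest.
    There is deliberately no override parameter: a mismatch is a hard stop."""
    actual = sha256_hex(artifact)
    return hmac.compare_digest(actual, published_sha256.lower())


# Constructed sample data (hypothetical file names, not real vendor artifacts):
# builder B's output has extra bytes in one file, standing in for an injected implant.
CLEAN_DLL = b"MZ\x90\x00clean-build-output"
TAMPERED_DLL = CLEAN_DLL + b"\x00injected"
BUILD_A = {"bin/agent.dll": CLEAN_DLL, "bin/helper.dll": b"helper-v1"}
BUILD_B = {"bin/agent.dll": TAMPERED_DLL, "bin/helper.dll": b"helper-v1"}
PUBLISHED = sha256_hex(CLEAN_DLL)  # digest the vendor would publish for the clean build

if __name__ == "__main__":
    print("differing files:", compare_builds(BUILD_A, BUILD_B))
    print("tampered artifact accepted?", verify_release(TAMPERED_DLL, PUBLISHED))
```

Note that a digest published from the same compromised build server would match the tampered file; the comparison across an independent builder is what catches that case.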
I wonder if you could gain security while preserving agility by having build servers with exceptional (and annoying) security maintained offline. Do your CI/CD work, then chop off a weekly release and build it from source on a machine that’s been powered off in a secure room the whole time.

Still doesn't help you if the attack is sufficiently upstream.

Being liable for the consequences of poor software development and security practices would
If top management, maybe.
I haven't paid much attention to the solar winds catalog, but last I looked I did everything they offered on Linux with open source free tools.