SolarWinds Breach is the Rule, Not an Exception - Security Boulevard

A new article about the philosopher Wittgenstein’s passion for reading crime stories has an important insight into both the man and his methods:

That a crime has been committed, [The Maltese Falcon author] Hammett knew, does not necessarily mean that a plan has been carried out. Plotting and scheming are things people usually do in response to a crime, not in preparation for one. And since most crimes are not clean in the first place, their solutions probably aren’t either. To search for logic in a murder case is to expect to find what was likely never there.

In other words, as the article continues to describe the genius of Wittgenstein, someone seeing pieces of an attack can lead to an urge to paint a picture that may not even exist.

The philosopher achieves clarity, Wittgenstein [in his later writings] believed, by discarding generalizations and focusing instead on concrete circumstances. […] Just because you have pieces does not mean you have a puzzle. It is enough to describe accurately. Attempting to explain only compounds the confusion.

I have to set aside some of the article because it seems to draw conclusions askew from the facts. For example, it takes an overly Western perspective that ignores the insights and great similarity of Islamic and Jewish philosophers:

His claim was not that these things don’t exist but merely that words can’t touch them.

This could have been meant by Wittgenstein to inspire beauty through attempts to approach what is hard or impossible to achieve.

To try as hard as possible yet come up short in achieving a connection with God for example does not mean someone “can’t touch” God, unless stuck in a binary mode.

I suspect someone more familiar with Talmudic thinking would not have described Wittgenstein as saying “words can’t touch them” in such a cold manner.

Indeed, three out of four of his grandparents were Jewish, which would have made things far more difficult for him had his family not claimed to be Catholic and paid large ransoms to the Nazis.

Anyway, I bring these words to light here because they offer a very different approach from what I’m seeing in the news. I mean people like Clarke and other “hawks” seem to suggest the SolarWinds breach is a case of war, when that is not at all what the puzzle pieces of this crime thriller suggest.

As former Bush Administration official Theresa Payton told Fox News, “This vulnerability allowed these nefarious cyber operatives to actually create what we refer to in the industry as ‘God access’ or a ‘God door,’ giving them basically any rights to do anything they want to in stealth mode.”

Ok, ok, stop just a minute. Who says God access or God door? Wat.

We all say got root. Nobody, and I mean NOBODY, says got God with the intention of talking about system access.

God doesn’t even have an account on systems because even if you believed in God he wouldn’t need an account. Duh. What is with these Bush Administration people being so nutty?

Anyway, back to Clarke doing his usual hawkish Clarke thing:

“This is not just about an espionage attack,” said Richard Clarke. “This is about something called preparation of the battlefield, where they’re now able, in a time of crisis, to eat the software in thousands of U.S. companies.” More than 20 years ago, Clarke was the nation’s first cyber czar, working initially in the Clinton White House and then under George W. Bush. “Sunday Morning” senior correspondent Ted Koppel asked Clarke, “When you hear people talk about this as being purely an intelligence operation, you accept that?” “No, I don’t,” he replied.

Eat the software. Ok, since software is infamously said by right-wing libertarians to be eating the world, those eating the software would be eating the world? I’ve heard Russians are starving, but that sounds ridiculous.

I would accept preparation for the battlefield, as that’s surveillance, but eating software doesn’t fit a battle narrative.

Clarke tones it down a little when he clarifies further.

Clarke said, “What has occurred is, again, preparation of the battlefield. There’s not been a lot of damage because of SolarWinds. Maybe some information was stolen, but nothing has been damaged yet.” “Yet!” said Koppel. “But if I didn’t misunderstand what you said before, the Russians are really no more than a few keystrokes away from implementing exactly that kind of damage on, as you put it, thousands of American firms.” “That’s right. And we do not have plans or capability today to quickly come back after that kind of devastating attack,” Clarke said.

A “few keystrokes” reminds me of the “whistle tone” phreaker hysteria of the 414s in the 1980s, as gleefully retold by Kevin Mitnick in his interview with the Russian state propaganda rag.

The government obviously labeled me with these terms, like “terrorist”, and they locked me up in solitary confinement because they said I could whistle into a telephone and launch nuclear weapons. Basically, I became the example, and they created this myth of Kevin Mitnick to scare the public. But if the truth be known, I was fascinated with technology and telephone systems, and I became a hacker more for the exploration, for the seduction of adventure and pursuit of knowledge. I was able to compromise a lot of stuff, like, for example, most of the telephone companies in the U.S. and stuff like that, but it wasn’t to do damage or to sell to a foreign power or anything like that; it was more for my intellectual curiosity – and I ended up getting in a lot of trouble for it, I ended up getting sent to prison for 5 years. Four of those years were without trial.

Four years in jail without trial is the scary part of that story and probably why the Russians like spreading it around so much.

Now in direct comparison, think about Clarke being a self-proclaimed proponent of poisoning upstream American technology in the supply chain because Russia was stealing. He kind of tells it like “serves those evil Russians right” that a gas pipeline exploded in the 1980s.

Just to be clear here, I’m not saying that was an actual cause-effect. In fact, much about the facts has been disputed.

What I’m saying is that I stepped into an elevator with Clarke once and asked him to explain the ethical differences between the Trans-Siberian pipeline explosion in June 1982 and the San Bernardino explosion in 2010 (not the 1989 one, of course).

Seriously, it was me and him riding down four floors and that was the first thing I blurted out…

Clarke was visibly angry and dismissed my question quickly by assuring me he knows very well how the US absolutely was behind the Russian pipeline blowing up, duh.

His logic to me appears blinded by over-emphasis on trying to build a picture he wants us to see rather than looking at the actual pieces of the puzzle in our hands (and he may in fact never achieve that picture he wants).

He jumps right towards painting the worst risks of gaining high-level authorization, the kind of slippery leap which has some pretty big negative precedents in national security games domestically and internationally.

If someone has achieved root access, he suggests to us, then direct preparation for war is happening if not becoming an act itself. That’s wrong on the face of it, right?

Clarke pushes a war alarm repeatedly like he’s auditioning for a remake of Dr. Strangelove.

This whole thing is counter-factual when you apply even a simple case of a house and door with a key. Someone has infiltrated the lock factory, such that they can produce a key and walk through your home without you knowing. Nothing is damaged, nothing is destroyed.

Interesting history tangent here: A mole in the CIA was suspected when a lock in a Russian apartment door was turned and the owner had to break into his own place…

As soon as Gordievsky landed in Moscow, he picked up signs that he had gambled wrong. On the front door of his apartment, someone had locked a third lock he never used because he had lost the key; he had to break in. Clearly the KGB had searched his flat.

Did the intruders put a secret door in, or a hidden way to bypass your locks, so they could come back later and burn your place down, or prevent you from getting in (e.g. ransomware)?

Was the act of entering and achieving high authorization the same as one of war?

Reminder: “slippery slope” is a logical fallacy. Please don’t start arguments by saying there’s a slippery slope as it’s self-invalidating. I hate seeing that. People seem to think it makes their argument better, like starting with “here’s a straw man I built and now am going to burn.” Just stop that.

I don’t think anyone can, or has, proven yet such regularly invasive acts of surveillance rise above espionage into far worse things, given all that has been said so far about the SolarWinds Breach details.

At best they’re saying the places entered are untrustworthy and must be rebuilt, something less like Stuxnet (which did actual damage), and more like… well more like every day business continuity planning.

To put it another way, the capability to rebuild the environment is desperately needed right now to restore trust, and the US government was supposedly ensuring that everyone is doing disaster recovery planning.

The environment is untrusted mainly because it isn’t being rebuilt fast or often enough.

It would be like describing Pearl Harbor as a disaster because it was a fly-over event in preparation for bombing, instead of describing the actual bombing. Pearl Harbor was the day of dropping bombs and shooting that crossed the line, right?

To be historically accurate (as I’ve blogged about here before), Pearl Harbor’s incoming attack planes were detected by the latest technology but nobody talking about Pearl Harbor is really talking about that part much.

At best people call all the ignored radar signals and missed footsteps very unfortunate, not unexpected.

And so here comes the real issue as documented already by many other security experts: the US is using surveillance and espionage all the time including (sometimes necessarily) privilege escalation and root-level authority in order to protect itself (not necessarily preparing the battlefield for attack).

Saying SolarWinds is breached also begs the uncomfortable question of whether the US already had secret access into SolarWinds (let alone all the other American “monitoring” and database companies) or will now use the same access for its own purposes.

More broadly, cleaning upstream vulnerabilities from dependencies and getting service and support doors (some call them back doors) out of products is a long-time herculean task in security for American technology, which may be impeded by American surveillance efforts, and not some sudden exceptional state we stumbled upon.

It is the stuff of repeated internal warnings, like Facebook being a disaster in 2014 and then hiring someone manifestly unqualified who then caused even greater harms to the world and got rich doing it.

Nothing here is really surprising except how little emphasis has been on tearing things down (Facebook really should no longer be allowed to do business and their disgraced ex-CSO should be in jail). Focus needs to shift to building better than such existing Fawlty Towers.

Like the industrialization dangers we look back on with horror today, SolarWinds being a danger is the norm for a lot of American tech that jumps into shortcuts and margin boosters in a cut-throat race driven by mathematicians counting beans more than philosophers explaining why they just don’t add up.

Microsoft’s founder famously said he didn’t want security because it didn’t make him money and admitted in 2001 he ignored years of prior warnings (getting towards the true foundation of the SolarWinds breach, Microsoft’s anti-government big margin low quality pedigree).

“In the pre-2001 days [when disasters were constant, yet not named things like CodeRed], Gates was the biggest reason why Microsoft was having so many security problems,” said John Pescatore an analyst at Gartner Inc…”I think they expected an overnight shift in terms of perception [when they suddenly confessed to decades of intentional harms]. It didn’t happen,” [Forrester analyst] Kark said. “It’s been more than six years, and it’s only now that we are starting to see Microsoft being recognized as a company that values and understands and is responding to security issues.”

The Grover Shoe Factory disaster is a great comparable study in how badly America managed safety in its manufacturing processes for industrialization, and what really changed afterwards.

Hint: it was not only the ability to more quickly transition off faulty technology, found during required quality audits; it also was partly the ability to remove, restore or build a new, bigger factory after any disaster predicted or experienced.

Back to Clarke, he also says something about the past worth holding onto: a Bush administration in 2002 blocked efforts to fix infrastructure because it was opposed to big government and fundamentally removed trust in government.

“The kind of things that we need to do now, we could have done 20 years ago. Twenty years ago, however, there wasn’t a real understanding in the Congress or in the White House. There wasn’t a willingness to spend the kind of resources. People were worried about privacy concerns and ‘Big Brother’ controls. They didn’t trust the government to defend them against this sort of thing.”

It resonates with what I remember at the time, when I was doing assessments of woefully insecure American infrastructure (thousands of power company routers across many US states, sitting on the Internet, using telnet and clear-text scripts). Raising security issues to government level in the late 1990s was met with “let the big banks figure it out, they run the power companies and understand business risk best”.

So this really seems like a great time to remember how the Bush administration absolutely was willing to spend huge resources for big government to start war with Iraq on false pretenses. They pushed hard for that picture, against the fact that puzzle pieces didn’t fit together.

Yet also they ran with the narrative that resources shouldn’t be spent to improve infrastructure/resilience because that would be big government. Instead let the “market” prove it can’t self-regulate, over and over and over again.

American tech is like a never-ending crime thriller, so the question, in terms of Wittgenstein’s wisdom, is whether we are choosing to be a lofty British Sherlock or the more tangible American hard-boiled detective in our analysis and investigations of truth.

*** This is a Security Bloggers Network syndicated blog from flyingpenguin authored by Davi Ottenheimer. Read the original post at: https://www.flyingpenguin.com/?p=30813