History, Security

SolarWinds Breach is the Rule, Not an Exception

Leave a comment

A new article about the philosopher Wittgenstein’s passion for reading crime stories has an important insight into both the man and his methods, very applicable to recent breach news:

That a crime has been committed, [The Maltese Falcon author] Hammett knew, does not necessarily mean that a plan has been carried out. Plotting and scheming are things people usually do in response to a crime, not in preparation for one. And since most crimes are not clean in the first place, their solutions probably aren’t either. To search for logic in a murder case is to expect to find what was likely never there.

In other words, as the article continues to describe the genius of Wittgenstein, someone seeing pieces of an attack can lead to an urge to paint a picture that may not even exist.

The philosopher achieves clarity, Wittgenstein [in his later writings] believed, by discarding generalizations and focusing instead on concrete circumstances. […] Just because you have pieces does not mean you have a puzzle. It is enough to describe accurately. Attempting to explain only compounds the confusion.

I have to set aside some of the article (ironically) because it seems to draw conclusions askew from the facts and fails to describe accurately.

For example it brings an overly Western perspective that ignores insights and great similarity between Wittgenstein and Islamic and Jewish philosophers, such as this phrase:

His claim was not that these things don’t exist but merely that words can’t touch them.

The claim by Wittgenstein could have been to inspire beauty through attempts to approach what he saw as impossibly hard to achieve.

To come up short in achieving a connection with God, that is to say, does not mean someone “can’t touch” God unless they become stuck in a binary mode where lack of perfection is failure instead of a proof there is need to try for perfection.

I suspect someone more familiar with Talmudic thinking (Judah versus Joseph) would not have described Wittgenstein as saying “words can’t touch them” in such a cold manner emphasizing only failure.

Indeed, three out of four of his grandparents were Jewish, which would have made things far more difficult for him had his family not claimed to be Catholic and paid large ransoms to the Nazis.

All of that being said, I brought it up here to offer a VERY different approach from what I’m seeing in the news.

I mean people like Clarke and other “hawks” seem to suggest the SolarWinds breach is a case of war, when that is not at all what the puzzle pieces of this crime thriller suggest.

As former Bush Administration official Theresa Payton told Fox News, “This vulnerability allowed these nefarious cyber operatives to actually create what we refer to in the industry as ‘God access’ or a ‘God door,’ giving them basically any rights to do anything they want to in stealth mode.”

Ok, ok, stop just a minute. Who says God access or God door? Wat.

We all say got root. Nobody, and I mean NOBODY, says “got God” with the intention of talking about privileged system access.

The closest thing has to be a Microsoft control panel shortcut {ED7BA470-8E54-465E-825C-99712043E01C} that users called God mode, even though it is just a stupid desktop link to the settings a user already is authorized to use.

That’s like saying God mode in your car is when you check the oil using a dipstick.

God doesn’t have an account on systems, and there’s no God mode, since even if you believed in God he wouldn’t need these things. Duh.

What is wrong with Bush Administration people being so nutty that they bring some random God complex into even a computer security topic instead of talking about root and admin or… QSECOFR?

Anyway, back to Clarke doing his usual hawkish Clarke thing:

“This is not just about an espionage attack,” said Richard Clarke. “This is about something called preparation of the battlefield, where they’re now able, in a time of crisis, to eat the software in thousands of U.S. companies.” More than 20 years ago, Clarke was the nation’s first cyber czar, working initially in the Clinton White House and then under George W. Bush. “Sunday Morning” senior correspondent Ted Koppel asked Clarke, “When you hear people talk about this as being purely an intelligence operation, you accept that?” “No, I don’t,” he replied.

Eat the software. Ok since right-wing libertarian venture capitalists infamously said they predict software would be eating the world… does this mean the Russians eating the software would be eating the world?

I’ve heard Russians are starving, but this sounds ridiculous.

Preparation for the battlefield is an interesting twist of language, as that’s surveillance by another name, but the whole eating software concept doesn’t fit a battle narrative.

Clarke then pulls out an old American scare tactic as he clarifies further.

Clarke said, “What has occurred is, again, preparation of the battlefield. There’s not been a lot of damage because of SolarWinds. Maybe some information was stolen, but nothing has been damaged yet.” “Yet!” said Koppel. “But if I didn’t misunderstand what you said before, the Russians are really no more than a few keystrokes away from implementing exactly that kind of damage on, as you put it, thousands of American firms.” “That’s right. And we do not have plans or capability today to quickly come back after that kind of devastating attack,” Clarke said.

A “few keystrokes” takes us all the way back to the “whistle tone” phreaker hysteria of the 414s from the 1980s… as gleefully retold by Kevin Mitnick in his interview with the Russian state propaganda rag.

The government obviously labeled me with these terms, like “terrorist”, and they locked me up in solitary confinement because they said I could whistle into a telephone and launch nuclear weapons. Basically, I became the example, and they created this myth of Kevin Mitnick to scare the public. But if the truth be known, I was fascinated with technology and telephone systems, and I became a hacker more for the exploration, for the seduction of adventure and pursuit of knowledge. I was able to compromise a lot of stuff, like, for example, most of the telephone companies in the U.S. and stuff like that, but it wasn’t to do damage or to sell to a foreign power or anything like that; it was more for my intellectual curiosity – and I ended up getting in a lot of trouble for it, I ended up getting sent to prison for 5 years. Four of those years were without trial.

Four years in jail without trial is the scary part of that story and probably why the Russians like spreading it around so much.

Now in direct comparison, think about Clarke being a self-proclaimed proponent of poisoning upstream American technology in the supply-chain because Russia was stealing. He kinds of tells it like “serves those evil Russians right” that a gas pipeline exploded the in 1980s.

Just to be clear here, I’m not saying that was an actual cause-effect. In fact there has been much disputed about the facts.

What I’m saying is that I stepped into an elevator with Clarke once and asked him to explain the ethical differences between the Trans-Siberian pipeline explosion in June, 1982 and the San Bernadino explosion in 2010 (not the 1989 one, of course).

Seriously, it was me and him riding down four floors and that was the first thing I blurted out…

Clarke was visibly angry and dismissed my question quickly by assuring me he knows very well how the US absolutely was behind the Russian pipeline blowing up, duh.

His logic to me appears blinded from over-emphasis on trying to build a picture he wants us to see rather than looking at the actual pieces of puzzle in our hands (and may in fact never achieve that picture he wants).

He jumps right towards painting the worst risks of gaining high-level authorization, the kind of slippery leap which has some pretty big negative precedents in national security games domestically and internationally.

If someone has achieved root access, he suggests to us, then direct preparation for war is happening if not becoming an act itself. That’s wrong on the face of it, right?

Clarke pushes a war alarm repeatedly like he’s auditioning for a remake of Dr. Strangelove.

This whole thing is counter-factual when you apply even a simple case of a house and door with a key. Someone has infiltrated the lock factory, such that they can produce a key and walk through your home without you knowing. Nothing is damaged, nothing is destroyed.

Interesting history tangent here: A mole in the CIA was suspected when a lock in a Russian apartment door was turned and the owner had to break into his own place…

As soon as Gordievsky landed in Moscow, he picked up signs that he had gambled wrong. On the front door of his apartment, someone had locked a third lock he never used because he had lost the key; he had to break in. Clearly the KGB had searched his flat.

Did the intruders put a secret door in, or a hidden way to bypass your locks, so they could come back later and burn your place down, or prevent you from getting in (e.g. ransomware)?

Was the act of entering and achieving high authorization the same as one of war?

Reminder: “slippery slope” is a logical fallacy. Please don’t start arguments by saying there’s a slippery slope as it’s self-invalidating. I hate seeing that. People seem to think it makes their argument better, like starting with “here’s a straw man I built and now am going to burn.” Just stop that.

I don’t think anyone can, or has, proven yet such regularly invasive acts of surveillance rise above espionage into far worse things, given all that has been said so far about the SolarWinds Breach details.

At best they’re saying the places entered are untrustworthy and must be rebuilt, something less like Stuxnet (which did actual damage), and more like… well more like every day business continuity planning.

It’s true that if someone enters your house they can surveil or they can burn it down but you don’t treat them as equally possible just because someone has entered your house.

It would be like describing Pearl Harbor as devastating because of a fly-over event in preparation for bombing, instead describing the actual bombing as the disaster.

Pearl Harbor was the day that dropping bombs and shooting crossed the line, right?

To be historically accurate (as I’ve blogged about here before), Pearl Harbor’s incoming attack planes were detected by the latest technology but nobody talking about Pearl Harbor is really going into detail about that.

At best people call the ignored radar signals and missed footsteps very unfortunate, not unexpected.

To put it another way, a capability to rebuild an environment is desperately needed right now to restore trust, and the US government was supposedly ensuring that everyone is doing disaster recovery planning anyway.

Thus environments are untrusted mainly because they haven’t been routinely cleaned up fast or often enough, allowed to rot in the open.

And so here comes the real issue as documented already by many other security experts: the US is using surveillance and espionage all the time including (sometimes necessarily) privilege escalation and root-level authority in order to protect itself (not necessarily preparing the battlefield for attack).

Both of the above references are well-reasoned analysis worth reading.

Saying SolarWinds is breached also begs the uncomfortable question of whether the US already had secret access into SolarWinds (let alone all the other American “monitoring” and database companies) or will now use the same access for its own purposes.

More broadly, cleaning upstream vulnerabilities from dependencies and getting service and support doors (some call them back doors) out of products is a long-time herculean task in security for American technology, which may be impeded by American surveillance efforts, and not some sudden exceptional state we stumbled upon.

It is the stuff of repeated internal warnings, like Facebook being a disaster in 2014 and then hiring someone manifestly unqualified who then caused even greater harms to the world and got rich doing it.

Nothing here is really surprising except how little emphasis has been on tearing things down (Facebook really should no longer be allowed to do business and their disgraced ex-CSO should be in jail). Focus needs to shift to building better than such existing Fawlty Towers.

Like the industrialization dangers we look back on with horror today, SolarWinds being a danger is the norm for a lot of American tech that jumps into shortcuts and margin boosters in a cut-throat race driven by mathematicians counting beans more than philosophers explaining why they just don’t add up.

Microsoft’s founder famously said he didn’t want security because it didn’t make him money and admitted in 2001 he ignored years of prior warnings (getting towards the true foundation of the SolarWinds breach, Microsoft’s anti-government big margin low quality pedigree).

“In the pre-2001 days [when disasters were constant, yet not named things like CodeRed], Gates was the biggest reason why Microsoft was having so many security problems,” said John Pescatore an analyst at Gartner Inc…”I think they expected an overnight shift in terms of perception [when they suddenly confessed to decades of intentional harms]. It didn’t happen,” [Forrester analyst] Kark said. “It’s been more than six years, and it’s only now that we are starting to see Microsoft being recognized as a company that values and understands and is responding to security issues.”

The Grover Shoe Factory disaster is a great comparable study in how badly America managed safety in its manufacturing processes for industrialization, and what really changed afterwards.

Hint: it was not only the ability to more quickly transition off faulty technology, found during required quality audits, it also was partly the ability to remove, restore or build new a bigger factory after any disaster predicted or experienced.

Back to Clarke, he also says something about the past worth holding onto: a Bush administration in 2002 blocked efforts to fix infrastructure because it was opposed to big government and fundamentally removed trust in government.

“The kind of things that we need to do now, we could have done 20 years ago. Twenty years ago, however, there wasn’t a real understanding in the Congress or in the White House. There wasn’t a willingness to spend the kind of resources. People were worried about privacy concerns and ‘Big Brother’ controls. They didn’t trust the government to defend them against this sort of thing.”

It resonates with what I remember at the time, when I was doing assessments of woefully insecure American infrastructure (across many US states thousands of power company routers on the Internet using telnet and clear-text scripts). Raising security issues to government level in the late 1990s was met with “let the big banks figure it out, they run the power companies and understand business risk best”.

So this really seems like a great time to remember how the Bush administration absolutely was willing to spend huge resources for big government to start war with Iraq on false pretenses. They pushed hard for that picture, against the fact that puzzle pieces didn’t fit together.

Yet also they ran with the narrative that resources shouldn’t be spent to improve infrastructure/resilience because that would be big government. Instead let the “market” prove it can’t self-regulate, over and over and over again.

American tech is like a never-ending crime thriller, so the really insightful question — in terms of Wittgenstein’s brilliance — becomes whether as investigators we are choosing to be a lofty British Sherlock laying out masterful plans or the more tangible American hard-boiled detective who sticks to the facts.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.