What Do Solarwinds And Colonial Have In Common?
The Market Ticker - Commentary on The Capital Markets
Logging in or registering will improve your experience here
Main Navigation
Full-Text Search & Archives
Legal Disclaimer

The content on this site is provided without any warranty, express or implied. All opinions expressed on this site are those of the author and may contain errors or omissions. For investment, legal or other professional advice specific to your situation contact a licensed professional in your jurisdiction.

NO MATERIAL HERE CONSTITUTES "INVESTMENT ADVICE" NOR IS IT A RECOMMENDATION TO BUY OR SELL ANY FINANCIAL INSTRUMENT, INCLUDING BUT NOT LIMITED TO STOCKS, OPTIONS, BONDS OR FUTURES.

The author may have a position in any company or security mentioned herein. Actions you undertake as a consequence of any analysis, opinion or advertisement on this site are your sole responsibility.


Market charts, when present, used with permission of TD Ameritrade/ThinkOrSwim Inc. Neither TD Ameritrade or ThinkOrSwim have reviewed, approved or disapproved any content herein.

The Market Ticker content may be sent unmodified to lawmakers via print or electronic means or excerpted online for non-commercial purposes provided full attribution is given and the original article source is linked to. Please contact Karl Denninger for reprint permission in other media, to republish full articles, or for any commercial use (which includes any site where advertising is displayed.)

Submissions or tips on matters of economic or political interest may be sent "over the transom" to The Editor at any time. To be considered for publication your submission must include full and correct contact information and be related to an economic or political matter of the day. All submissions become the property of The Market Ticker.

Considering sending spam? Read this first.

2021-05-14 07:00 by Karl Denninger
in Technology , 470 references Ignore this thread
What Do Solarwinds And Colonial Have In Common?
[Comments enabled]

Oh, look at this little explooooiiner for the weak-minded.

Sen. Mark Warner (D-Va.), who's been a leading voice in Congress on the issue, told Axios that if Americans knew how many ransomware attacks were happening every day, it would "blow their minds."

The Colonial hack, coupled with the Russians' SolarWinds attack — which had a breathtaking scale penetrating some 16,000 companies — has made people realize a cyber enemy could shut down an entire economy, Warner said.

"Warner said."

Note what Warner didn't say, nor has anyone else: This is all -- every bit of it -- due to employers everywhere coddling little snowflakes and cutting corners instead of telling all those little snowflakes to shut up and do their damned jobs.

Yep.

It's really not that hard folks.

Go into virtually any business and look on a desk.  There's a computer.  Walk up to said computer.  Type in "https://facebook.com" and hit return. Does it work?  Now try Google.  Or Yahoo.  Or pretty-much anything else.

How about email?  Running Exchange, a known dangerous piece of code that more than fifteen years ago I was contracted to write a front-end for because the agency in question knew it was dangerously insecure and didn't want to get screwed?  How come they knew and nobody else did?  The truth is that everyone did and does know but nobody cares; it's far more important to have convenience than security.

Pipeline operator?  Heh, you don't have a right-of-way from one end to the other already, do you?  Oh, wait, you do?  Then why didn't you run fiber along said right-of-way and have your own transport infrastructure that is impervious to electrical disturbances, other than at the repeaters of course which require power.  Why wasn't it true that every computer that could in some way interact with said control system, including billing, and the control system itself wasn't on a sanitary network on private infrastructure with exactly zero outside connectivity of any sort -- and no exceptions?  If you needed to work from home why wasn't it done like the DOD does it, where the machine has a nailed VPN that cannot be overridden, the employee has no administrative access, yes, even the CTO and CEO, the USB ports don't work and for the love of God you can't get on Facebook from it because said machine only connects back to a sanitary network with no outside links!

Mobile devices?  Same deal.  Oh, we should do "BYOD" and save money; it would be so terrible to issue corporate devices which can't be used for anything but corporate work and won't talk to anything else either because they too are nailed-VPN.  Uh huh, and get hacked because your employees are snowflakes and demand they can have their cellphones on the corporate wifi which can get out of the building.  Why is that in any way connected to anything internally?  Because it's convenient, that's why.

But -- but -- but I have to have my phone in my pocket wails the snowflake employee, and I will dieeeeeeeee if I have to work in this steel building where there's no signal.  Why it was absolutely terrible in the 1980s and 1990s before such things existed; why, the phone on my desk is not good enough for meeeeeeeeeeeeeeeee!

Then there's the "cloud."  Oh, you put your data and some processing there eh?  How's it connected back to the office(s)?  How secure is said "cloud" and said connections?  Can you, and have you, vetted every employee at said cloud company that has administrative access, including all who have hypervisor access to the underlying machines?  Manage to steal an encryption key or worse, the credentials to issue certificates and such (e.g. into your VPN'd "safe zone") and the rest doesn't matter very much, you know.

Yes, I know cloud is cheaper.  It's also less-secure.  You're not running data and commands to and from such an environment that are rather important for operations and safety, are you?

Let's cut the crap eh?  I know full and damn well how to prevent this sort of thing from happening.  I've done it for a long time.  Indeed part of the problem is that these idiots who cater to snowflakes instead of telling them to shut the hell up and do their job or quit wind up in a never-ending update chase to try to stay ahead of security issues which you will never win and which cause more problems due to programming bugs than if you did it the right way in the first place which is that when at work you work and said networks that do important things have zero connectivity to the parts of the Internet where the bad guys try to break in from -- and that's all of it other than your business' infrastructure.  If you need to tunnel over potentially-unsafe places because it's cheaper to buy connections on a no-guaranteed-bandwidth and transport basis than pull your own infrastructure that's fine assuming you're good with the risk of transport being uncertain but the connection between the two points is nailed-VPN and properly maintained so exactly nothing else enters or leaves same.

Ever.

Period.

If you have some business reason for employees to be able to do research or otherwise on the Internet from your facility then you put a second computer on the desk of each person so-authorized who has a verifiable business reason to do so and it is from there that all such happens, with logs and full accountability.  Anyone who tries to play games with crossing between the two "worlds" is instantly fired.  Any laptop or other machine that has to leave the building has a TPM in it and the disk is encrypted; if someone tries to tamper with it so sorry, so sad, the TPM refuses to unlock the disk and the person who played the game has to bring it back to IT where everything flashable is re-flashed, the machine is reloaded and the employee is fired.

And you never, ever connect any of the important stuff to anything that isn't equally-secure or better.  Which means not on the "cloud" 99.9% of the time.

Yes, folks, I know how to do this stuff.  It is my wheelhouse.  Nobody wants to do it and Warner, along with the rest of the screaming goats in Congress and elsewhere know damn well how to do it because the DOD in fact does it.  

In short Axios is simply mealy-mouthed garbage; they are no more a "news" organization than are any of the others, nor is Congress.

Want to know why?

They're both full of snowflakes too.

View with responses (opens new window)