The U.S. Spent $2.2M on Security System That Wasn’t Implemented(propublica.org)
propublica.org
The U.S. Spent $2.2M on Security System That Wasn’t Implemented
https://www.propublica.org/article/solarwinds-cybersecurity-system
16 comments
Yes, we (Datadog Agent integrations) were one of the early adopters mentioned, please see our blog post [1].
Also, really, the TLDR should be just use TUF + in-toto already.
[1] https://www.datadoghq.com/blog/engineering/secure-publicatio...
Also, really, the TLDR should be just use TUF + in-toto already.
[1] https://www.datadoghq.com/blog/engineering/secure-publicatio...
Such a great quote!
“In security, you almost never go from making something possible to impossible,” Cappos told ProPublica, “You go from making it easy to making it hard...”
Whether or not his system would've done that is probably up for debate, but I love that quote!
“In security, you almost never go from making something possible to impossible,” Cappos told ProPublica, “You go from making it easy to making it hard...”
Whether or not his system would've done that is probably up for debate, but I love that quote!
That's not always true. I've always thought the move from telnet and rcp to ssh/scp actually made things easier. Could be that that's my mind playing tricks on me but it doesn't seem that way.
I think in context, the thing you'd be making harder is eavesdropping, not use.
TL;DR
> NYU academic gets some federal funding to make a supply chain security tool
> A supply chain breach occurs
> NYU academic says: If only the federal government had compelled all it's vendors to use my tool, this could have been avoided
It's just a rather substance-less piece of self promotion imo. I do a lot of work in supply chain security too. Perhaps if the federal government had hired me, none of this would have ever happened. Can I have a ProPublica article too? /s
> NYU academic gets some federal funding to make a supply chain security tool
> A supply chain breach occurs
> NYU academic says: If only the federal government had compelled all it's vendors to use my tool, this could have been avoided
It's just a rather substance-less piece of self promotion imo. I do a lot of work in supply chain security too. Perhaps if the federal government had hired me, none of this would have ever happened. Can I have a ProPublica article too? /s
ProPublica writers fall for these types of pitches all the time. They never do their homework - if something sounds bad to laymen, they’ll write a story stripped of context. It’s incredible.
I see it as a broader problem of how scandalizing a problem plays out. Whenever a scandalous problem occurs, everybody is going to be interested in exploiting it to suit their own agenda. People are going to be heaping accountability onto their adversaries, which is how you end up with the bureaucratic tyranny of accountability avoidance taking priority over problem solving. You're also going to have everybody shouting about how the occurrence of the scandal necessitates the prioritization of their agenda items, how the urgency of the problem means reasonable analysis is not necessary, and how other priorities that may conflict with their agenda items can now simply be ignored.
You can see this happen at all levels of society. I'm sure most of us would have seen a pattern like this unfold at work. But the media especially loves it wrt public interest scandals, because they're such solid revenue generators for them.
You can see this happen at all levels of society. I'm sure most of us would have seen a pattern like this unfold at work. But the media especially loves it wrt public interest scandals, because they're such solid revenue generators for them.
How could this software have helped when the attackers had full access to the servers it would've been running on? Surely they could modify it to say and do whatever they want.
No breach. That stupid hackers broke in to honeypots. US government conducts large scale network security experiments. Don't believe what news told you.
I'm honestly more inclined to believe the government is incompetent rather than super competent. Anything to back your statement up?
Hi, have you heard about Chaff Bugs? URL: https://arxiv.org/abs/1808.00659
I mean, it makes some sense as a concept, sure. Is there any reason to think the govt is doing it?
Sure. Computer (including smartphone today) and the Internet is a part of US DNS (Digital Nervous System), SenseNET. Have you also heard about MITCH (Man In The CHair) concept coined by a US Air Force researcher (URL: https://apps.dtic.mil/dtic/tr/fulltext/u2/a332722.pdf). Frankly said the computer and the Internet are a kind of weapon in disguise in the domain of information warfare and the intelligence community. The Truth is Out There.
> The U.S. Spent $2.2M on Security System That Wasn’t Implemented
Nice lead, you couldn't even get a Tetris clone installed for $2.2 Million.
Talk on in-toto -- https://www.usenix.org/conference/usenixsecurity19/presentat...
It would need explaining why it's not academia.
Nice lead, you couldn't even get a Tetris clone installed for $2.2 Million.
Talk on in-toto -- https://www.usenix.org/conference/usenixsecurity19/presentat...
It would need explaining why it's not academia.
I'm not surprised multiple vendors haven't adopted the system yet.
2.2 million on a research initiative and not immediately adopting it until it's proven and widespread seems perfectly reasonable to me.
The (abridged) title made it sound worse IMO.