
At least do some research, my friend. Hackers compromised a digitally signed SolarWinds Orion network monitoring component, opening a backdoor into the networks of thousands of SolarWinds government and enterprise customers. SolarWinds was the exact same problem. The cloud service was centralized and thousands of servers were hacked because of it.

Just because you install something yourself does not make it self hosted.

Lastly, this was a supply chain attack, which also means that if the government were able to roll their own stuff, or use open source products that can be reviewed properly, this would not have happened.




Do some research? I do this for a living.

"digitally signed SolarWinds Orion network monitoring component"

Do you even know what that is? It's a .NET DLL. It was absolutely self hosted. Updating the self-hosted software meant that it included the backdoored DLL. There is no cloud involved. Do you even know what SolarWinds does?

> just because you install something yourself does not make it self hosted

It does when you install it on your own server that you manage.

> Lastly, this was a supply chain attack, which also means that if the government were able to roll their own stuff, or use open source products that can be reviewed properly, this would not have happened.

So now you've moved to every company and government should write their own software? And you think open source means it will get reviewed because unpaid people who are not responsible for review will review it no matter what? Open source is an even bigger nightmare; I am sure you must have heard of the log4j mess.

Perhaps you should look into what security professionals have to say about the subject instead of presuming things.


> Do some research? I do this for a living.

And I build CIS-compliant platforms for a living.

What do you think the networking component was used for? I'll give you a hint: it's in the name.

The attacker injected their own control server communication into the DLL that is used by solarflare to actually report back to the main system. So, their own control server. They literally had their control server communication use the same kind of JSON objects that SolarWinds uses themselves.

You can see the entire details of the attack here: https://blog.qualys.com/vulnerabilities-threat-research/2021...

And if you tell me that this would have gotten past a regular pull request review on any project that uses a protected main branch, I am laughing.

> Log4Shell.

Log4Shell would most likely not have been possible if the project received actual funding. I know it's a crass idea to spend money on things that are free, but you know, someone needs to be paid to review things. I am of the opinion that if the government uses these things, they could spend the same amount of money on open source. Do you even realize how much money that ends up being?

> So now you moved to every company and government should write their own software?

No, but when my government pays for its development, they should use open source projects.

So yeah, my original point still stands. If they would have used an open solution to this, which does not require a centralised control server itself, this would not have happened. It's literally what people like me get paid to review, and if you tell me that a pull request with encoded code without reason or feature ticket would have been approved and implemented, I strongly disagree. This would have been found by any tool using static code analysis for security simply because it's encoded. At least flagged.

> self hosted

Self hosted does not mean you install it. Otherwise Slack is self hosted, or Facebook is self hosted just because I install the app on my phone.

Finally, I leave you with the definition of self hosted from Wikipedia:

>> Self-hosting is the practice of running and maintaining a website or service using a private web server, instead of using a service outside of someone's own control.

There was no reason for the firewall to even allow this in the first place unless they were using a service outside of their control.
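As an added illustration (not code from this thread, and not an analysis of the actual SolarWinds component), the constructed Python check below flags long, high-entropy, base64-shaped string literals in source text, the kind of "encoded code without reason" the comment above says a static analysis tool should at least flag. The sample source, the base64 blob and the thresholds are made up for the example.

```python
import math
import re

# Constructed sample source (not SolarWinds code): two ordinary literals and one
# long base64-looking blob with no comment or ticket explaining why it is there.
SAMPLE_SOURCE = '''
string endpoint = "https://monitoring.example.invalid/api/metrics";
string greeting = "Orion metrics collector v1";
string blob = "U29tZSByYW5kb20gcGF5bG9hZCB0aGF0IGlzIGxvbmcgZW5vdWdoIHRvIGxvb2sgZW5jb2RlZA==";
'''

# Double-quoted string literals, allowing backslash escapes inside them.
STRING_LITERAL = re.compile(r'"([^"\\]*(?:\\.[^"\\]*)*)"')
# Base64 alphabet only, at least 24 characters, optional '=' padding.
BASE64_SHAPE = re.compile(r'^[A-Za-z0-9+/]{24,}={0,2}$')


def shannon_entropy(s: str) -> float:
    """Bits per character. Plain English text sits around 4.0-4.3 bits;
    base64-encoded data is noticeably higher."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(literal: str, min_len: int = 24, min_entropy: float = 4.5) -> bool:
    """Heuristic: flag a literal that has base64 shape AND high entropy.
    Shape alone would also catch long identifiers; entropy alone would
    catch URLs, so both are required (thresholds are assumptions)."""
    if len(literal) < min_len or BASE64_SHAPE.match(literal) is None:
        return False
    return shannon_entropy(literal.rstrip("=")) >= min_entropy


def scan_source(source: str):
    """Return (line_number, literal) for every literal that looks like an
    encoded blob, so a reviewer can ask what it is for before approving."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in STRING_LITERAL.finditer(line):
            lit = m.group(1)
            if looks_encoded(lit):
                findings.append((lineno, lit))
    return findings
```

A reviewer would still need to look at each hit, as the comment in this thread also notes; the heuristic only decides what gets a human's attention.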


Are you arguing for the sake of it? I am so confused. What do CIS controls have to do with it (and I feel for you with all that box checking)?

> As part of C2 communication, attackers have tried to mimic SolarWinds communication method by using JSON format for the HTTP communication. Following is the code for creating JSON format

The threat actors used their own C2 infra, they merely mimicked solarwinds' traffic!

> And if you tell me that this would have gotten past a regular pull request review on any project that uses a protected main branch, I am laughing

Why would I tell you that? What does this have to do with cloud vs self hosting? Is that a random comment?

> Log4Shell would most likely not have been possible if the project received actual funding...

I agree but again I ask, why are you talking about the root cause for it? How does that help your self-hosting argument?

> No, but when my government pays for its development, they should use open source projects

Who cares? How is being open source relevant?

> So yeah my original point still stands. If they would have used an open solution to this, which does not require a centralised control server itself, this would not have happened

OK, I think I see the problem: in your opinion, anything not open source is cloud???

Just for context, I use/support open source in a corporate environment, and it is hell. Begging open source devs when your livelihood depends on their cooperation is very unpleasant. Commercial orgs demand reliability; hiring skilled people to support open source (especially given crappy gov salaries) isn't viable, and open source devs nearly always refuse to provide paid support and SLAs. I would like to see you back up your argument by comparing the number of abandoned open source projects vs companies abandoning their products. I am currently spending time I don't have supporting open source software abandoned by its creators. Nothing says you don't know the state of FOSS security more than claiming it is more secure simply by being open source.

> This would have been found by any tool using static code analysis for security simply because it's encoded. At least flagged.

Maybe, that's a big maybe, I see encoded content in .net code all the time. And someone needs to actually review what is flagged. Simply reviewing commits would have caught it too. But what's your point? This thread is not RCA analysis. You are distracting with that to avoid the fact that it was self hosted!

> Self hosted does not mean you install it. Otherwise Slack is self hosted, or Facebook is self hosted just because I install the app on my phone

It means you manage and operate the infra it is hosted on. You don't run Slack infra, but you run SolarWinds infra.

> There was no reason for the firewall to even allow this in the first place unless they were using a service outside of their control.

You realize you contradicted your own claims there, right? The fact that the self-hosted firewall at random companies needed to block the traffic is why it is called self-hosted, exactly as your Wikipedia quote is telling you.

I fear you have picked this hill to die on though.


I'll try to make this short for you:

SolarWinds has centralized metrics collection and the attack mimicked the normal JSON payload; therefore the attacker was hiding in regular traffic.

In our topic, Microsoft has the keys to thousands of orgs, which have been leaked because they are all "in the same cloud".

Case SolarWinds would have been resolvable because it should have been noticeable that there is traffic going out externally to a cloud, which there isn't with truly self hosted software.

Case Microsoft would have been resolvable by hosting your own Exchange.

In both cases the default firewall should be deny all and whitelisted by use case.

I am not anti-cloud; I am, however, anti "central control servers". I am not claiming that FOSS is necessarily more secure, but as you noticed yourself, you are able to self-service and therefore check. Also, I'm not claiming it has to be free.

My claim in concern with the government is simply that when they pay for something the result should be open source and public, as all of us pay for it.
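As an added example (not from this thread, and not SolarWinds', Microsoft's or any vendor's configuration), the constructed Python audit below replays firewall log lines against a deny-all-by-default egress allowlist keyed to documented use cases, the policy the comment above argues for, and shows how a monitoring host's outbound connection to an external address stands out. The roles, IP ranges, ports and log format are assumptions made up for the example.

```python
import ipaddress
from collections import namedtuple

# One allowlist entry per documented use case (constructed values).
Rule = namedtuple("Rule", "src_role dst_network dst_port use_case")

# Constructed policy: hosts in the "monitoring" role may only report to the
# internal metrics collector and resolve names via internal DNS. Everything
# else, including any external "cloud" destination, is implicitly denied.
ALLOWLIST = [
    Rule("monitoring", ipaddress.ip_network("10.20.0.0/16"), 443, "metrics to internal collector"),
    Rule("monitoring", ipaddress.ip_network("10.0.53.0/24"), 53, "internal DNS"),
]

# Constructed firewall log, one connection per line: "<role> <src_ip> <dst_ip> <dst_port>".
# 203.0.113.0/24 is a documentation range standing in for an external address.
SAMPLE_LOG = """\
monitoring 10.20.5.7 10.20.1.10 443
monitoring 10.20.5.7 10.0.53.2 53
monitoring 10.20.5.7 203.0.113.45 443
monitoring 10.20.5.7 10.20.1.10 8443
"""


def parse_line(line):
    """Split one constructed log line into (role, src_ip, dst_ip, dst_port)."""
    role, src, dst, port = line.split()
    return role, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)


def permitted(role, dst, port):
    """Default deny: egress is allowed only if an explicit rule matches the
    source role, the destination network and the destination port."""
    return any(r.src_role == role and dst in r.dst_network and r.dst_port == port
               for r in ALLOWLIST)


def audit(log_text):
    """Return (dst_ip, dst_port) for every connection the deny-all policy would
    have blocked, i.e. traffic that has no documented use case behind it."""
    blocked = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        role, _src, dst, port = parse_line(line)
        if not permitted(role, dst, port):
            blocked.append((str(dst), port))
    return blocked
```

Run against the sample log, the external 203.0.113.45:443 connection and the undocumented port 8443 to the internal collector are the two hits; the allowed collector and DNS traffic passes silently.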



