
People focus on the password because it's the only part of the story they can relate to or understand. Orange County Rep. Katie Porter:

> "I've got a stronger password than 'solarwinds123' to stop my kids from watching too much YouTube on their iPad ... You and your company were supposed to be preventing the Russians from reading Defense Department emails!"

Words fail.




Is she that wrong? I don’t think so.

Do I think most private companies could defend against Double Dragon or Lazarus or Fancy Bear? No. If a state-level adversary is attacking you and the payoff is that good, you are going to get popped.

But a strong posture makes it harder, which means they throw more at you and you have a chance of picking up on the attack. Best case, anyways. Worst case, you get to testify to Congress that your security measures were top notch and industry leading. That sounds a shit ton better than “we left a screen door open and didn’t notice for months.”


She's wrong to imply that if only SolarWinds had followed her iPad password policy, the attack would have been stopped. And she's mistaken about Orion's use case, which has nothing to do with email security.

And while Russia conducted this attack, I'm tired of the Russian scarecrow: SolarWinds' job here has nothing to do with Russia.

But mostly I'm jaded by ambitious SoCal pols neglecting their districts to score easy points on national issues.


> She's wrong to imply that if only SolarWinds had followed her iPad password policy, the attack would have been stopped.

I don't think she was implying that at all. She was highlighting that if they couldn't even do a basic thing like employing stronger, more complex passwords - how could they defend against Russians reading DoD emails.
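
The "basic thing" at issue is a password policy that rejects a value like the one in the headline. As an added example, not code from the original thread or from any vendor, here is a check in the style NIST SP 800-63B recommends: a length floor plus a denylist of context-specific words and obvious patterns, rather than composition rules that "solarwinds123" would pass. The organisation words and every test string are constructed for illustration.

```python
import re
import unicodedata

# Constructed for this example: words a hypothetical organisation adds to its own
# denylist (company and product names). A real deployment loads its own list plus
# a breached-password corpus; SP 800-63B calls for both.
CONTEXT_WORDS = ("solarwinds", "orion")

# Common substitutions, undone before matching so "s0larw1nds" is also caught.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "8": "b", "@": "a", "$": "s", "!": "i"})


def variants(candidate: str) -> set[str]:
    """Lower-cased, Unicode-folded forms of the candidate, with and without
    leetspeak undone, so denylist matching sees through cheap obfuscation."""
    base = unicodedata.normalize("NFKC", candidate).lower()
    return {base, base.translate(LEET)}


def password_problems(candidate: str,
                      context_words=CONTEXT_WORDS,
                      min_length: int = 12) -> list[str]:
    """Return the reasons a candidate password should be rejected; empty means accept."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")

    forms = variants(candidate)
    base = unicodedata.normalize("NFKC", candidate).lower()

    # Organisation- or product-specific words, even when padded or obfuscated.
    for word in context_words:
        if any(word in form for form in forms):
            problems.append(f"contains organisation word '{word}'")

    # One word with a short digit/symbol tail ("password1!", "winter2023").
    if re.fullmatch(r"[a-z]{3,}[\d\W_]{1,6}", base):
        problems.append("single word followed by a short digit/symbol tail")

    # Runs of one character and keyboard walks / counting sequences.
    if re.search(r"(.)\1{3,}", base):
        problems.append("repeated character run")
    if re.search(r"qwerty|asdf|12345|abcdef", base):
        problems.append("keyboard or sequential pattern")

    return problems


if __name__ == "__main__":
    for pw in ("solarwinds123", "s0larw1nds!", "correct horse battery staple"):
        verdict = password_problems(pw)
        print(f"{pw!r}: {'ok' if not verdict else '; '.join(verdict)}")
```

Note that "solarwinds123" is 13 characters and mixes letters and digits, so a length-and-complexity rule alone accepts it; it is the context-word and word-plus-digits checks that reject it.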


> if a state level adversary is attacking you and the payoff is that good, you are going to get popped

So we should assume Windows, Linux, every CDN, every major firewall, switch and router, etc. are all owned by Russia?


And by China, and by the US and probably a bunch of other actors.

I mean, software is far too complicated in our current Rube Goldberg tower of abstractions, and the asymmetry favours the attacker (only have to be lucky once, etc).

Until a few generations have grown up with software, I'm not sure this is going to improve (although in that case, we've probably solved climate change, so that would be good).


Depends on how you want to slice that.

My laptop? My OpenBSD router? Very unlikely anyone has attacked it. I’ve had boring jobs and have boring interests.

Do I think the Russians, Iranians, or any major foreign adversary have a 0-day they could use against my systems if I suddenly got a top secret clearance and clocked in as more interesting? Absolutely.


I don't think this cliched "I'm not interesting" logic makes sense. At scale, a lot of "non-interesting" stuff becomes interesting. Or a way to find a needle in a haystack. Why wait until it's urgent to focus on a particular person? We all are aware that the US intelligence services operate this way, right? I can't think of a reason why others wouldn't.


The discussion above focuses on targeted operations by state intelligence. The CIA/FBI wouldn’t run around using 0-days on everyone’s box because the risk of discovery would be too high.

I do, however, agree with you in part: I’m sure that I have a lengthy profile built from passive monitoring. Heck, I’ve googled “tor project” so I know I’m in a database.

https://daserste.ndr.de/panorama/aktuell/NSA-targets-the-pri...


[I deleted everything I wrote]

Everything is about relationships. It makes no sense to "target" someone for being suspicious up front, because when they know they are interested in you, what they want to find out is who you interact with and how. So ideally, they (any data analyst) want everybody in their database. Then they do queries when they are looking for something.

And looking at what has been public, in the news, it seems like it isn't that unusual to break into and scarf up someone else's database in its entirety, without any fancy "0-day" exploits. Case in point, the US Office of Personnel Management had everything compromised, basically all the information the US government possessed about everyone with a security clearance. Probably it will never be publicized how many spies were lost, let alone other damage.


Is that even a question? There are many known markets for zero-day exploits against most OSes and software; that means whoever has the money has the ability to own whatever they want until it's detected and patched.




