Saturday, May 1, 2021

From the wonderful folks who brought you NotPetya!


A good friend of mine, who will soon take an important cybersecurity position in the Biden administration, emailed me this article last week. He accompanied it with a note that said “A friend sent this to me last week; I was clenching my teeth as I read the article and the referenced report.”

At first, I was reluctant to read the article, since my dentist has warned me I’m clenching my teeth too much (although I told her I think the problem will abate with the new administration). But I did read it, and I also found it teeth-clenchingly outrageous. I also found this article from The Register, which – as usual with that publication – brought some nice insights to the story.

I can’t say anybody’s at fault here, and I can’t say the company in question, Positive Technologies, does in fact work hand-in-glove with the GRU. But they do tout their relationship with the Russian military on their web site, and my guess is they’re not in the business of securing the motor pool.

Of course, the worst part of the story is they were part of a group of firms given early access to vulnerability information by Microsoft (they also had relationships with VMWare, Intel, HP and IBM, and their customers include “major European banks Societe Generale and ING, as well as Samsung, SK Telecom of South Korea and BT, the British telecommunications giant”). Earth to Microsoft: There’s nothing wrong with having a relationship with a Russian firm. But to give early vulnerability information to a firm that advertises its relationship with the Russian military…What were you thinking? Or more to the point, were you thinking at all?

I’ve been intending to write a post on the cluelessness of Microsoft in another area, so this gives me reason to write that post in the near future . I have maybe 10-15 posts in my “backlog”, but something new always keeps coming up, so often they get pushed back – and some of the new topics just get added to the backlog. So much cluelessness, so little time…

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

 

No comments:

Post a Comment