Dominion Voting Systems CEO Says Company Has Never Used SolarWinds Orion Platform

Epoch Times ^ | 12/15/2020 | Zachary Steiber

[algore]

See my prev comments on this matter.

Signing your malicious code with a random cert is trivial, but creating your own binary signed by ‘microsoft’, or ‘solarwinds’ or ‘etc’ is hard. Inserting it into their update program is harder. I know cause i have done it. Very stressful, cause its on you if something is wrong and there are insane audit trails that do not go missing.

Unsigned ‘open source’ is not even in the same ball park’

Yes Adobe (flash product) has been a clusterf#(k forever but that has nothing to do with this.

[Robert357]

Gosh, one more time we are told by the “experts” that we should not believe our eyes when they tell us things, as they get to choose which parts of what they tell us are true and which parts are false.

I would like to see him under oath in a court of law with the threat of perjury and under cross examination make the same statement. I would wager he would take the 5th Amendment.

[nutmeg]

Sorry... can someone get me up to speed on what “Solar Winds / Orion” is all about? Having a hard time keeping up with everything lately. Thanks.

[Spitzensparkin1]

from Imgflip Meme Generator

"width=500">

[nonsporting]

What is the version of the software with the known vulnerability? Whether these machines are running Windows or Linux, getting this version info is pretty easy.

[palmer]

but creating your own binary signed by ‘microsoft’, or ‘solarwinds’ or ‘etc’ is hard. Inserting it into their update program is harder. I know cause i have done it.

You mean easier. Just because solarwinds says it was "highly sophisticated" doesn't mean it was. It was very likely trivial to get the malicious software in. The solarwinds code signing cert private keys may or may not have been protected. The attackers may have used their own code signing private key.

Adobe is very relevant. A long vulnerability track record in both cases. Those track records are not an accident or random slop.

[algore]

” The attackers may have used their own code signing private key.”

that fact that you even said that means you are totally clueless.

but don’t let that get in the way of your narrative.

[palmer]

I don't have a narrative, you do. I looked up the attack and it was just a compromise of the integration environment, so they piggybacked on normal code updates. Their shotgun result may have benefitted some adversaries but more targetted attacks on other vulnerable SolarWinds products will be harder to detect.

[WHBates]

The presence of “QSnatch” does not necessarily indicate a hack, that could be intentional.