
Am I understanding the last one correctly?

1. Customers complain that they can't install the latest version because its checksum doesn't match what SolarWinds posted

2. The checksum doesn't match because malware has been inserted into the package during build/delivery

3. SolarWinds tells customers to ignore this and install it manually

Did no one think to check why the checksum didn't match?



One suspects they've given this advice for a long time... because their shit has been hacked for a long time.


This seems an unfair leap. The most common cause of a checksum mismatch is going to be a partial download or something similar.

It's also not relevant to the current attack since the code was legitimately included in the official release and, as such, baked into the valid checksum results.


Is the proper response to tell a customer to install the package anyway because it's just a partial download or something similar? Regardless, it seems irresponsible.


#2 is speculation. Seems possible that there's an unrelated bug causing checksum errors. In any event, it's not a good look right now.


Regardless of the motivation, cause, or mechanism of #2, #3 is not the appropriate way to handle the problem. An attack is indistinguishable from unintentional corruption. And #3 trains customers to do the wrong thing when they encounter an attack.


The malicious file was signed with the right certificate. So yeah you should ideally be more careful with checksums but there already was a much more robust and secure authentication mechanism and it was defeated.
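An added illustration (not from any commenter, and not SolarWinds code) of the points made in #2/#3 and in the comment above: a fail-closed checksum verifier in Python, run against a constructed sample package, shows that a truncated download and a tampered one produce exactly the same verdict, and that a digest published for an artifact already modified inside the build pipeline verifies cleanly. All names and sample bytes are constructed.

```python
import hashlib
import hmac

# Constructed sample data (not a real installer): a pretend package image.
GOOD_PACKAGE = b"vendor-installer-v1\n" + bytes(range(256)) * 8
# What the vendor would publish alongside the download.
PUBLISHED_SHA256 = hashlib.sha256(GOOD_PACKAGE).hexdigest()


def verify_download(data: bytes, published_digest: str) -> dict:
    """Fail-closed check: on mismatch the only valid action is to reject
    and re-download. There is deliberately no 'install anyway' branch,
    because the verifier cannot tell corruption from tampering."""
    actual = hashlib.sha256(data).hexdigest()
    ok = hmac.compare_digest(actual, published_digest.lower())
    return {"ok": ok, "action": "install" if ok else "reject_and_redownload"}


def partial_download(data: bytes, missing_bytes: int = 37) -> bytes:
    """Simulate a truncated transfer (the benign cause of a mismatch)."""
    return data[:-missing_bytes]


def tampered_download(data: bytes, offset: int = 100) -> bytes:
    """Simulate a modification after publication: flip one byte."""
    return data[:offset] + bytes([data[offset] ^ 0xFF]) + data[offset + 1:]


def compare_failure_modes() -> dict:
    """Both failures yield an identical verdict: from the checksum alone a
    customer cannot know which one happened, so 'ignore it' is never safe."""
    benign = verify_download(partial_download(GOOD_PACKAGE), PUBLISHED_SHA256)
    malicious = verify_download(tampered_download(GOOD_PACKAGE), PUBLISHED_SHA256)
    return {"benign": benign, "malicious": malicious,
            "indistinguishable": benign == malicious}


def upstream_compromise() -> dict:
    """If the artifact is modified before the vendor publishes its digest,
    the published checksum is computed over the already-poisoned file, so
    verification passes and the checksum detects nothing."""
    poisoned = tampered_download(GOOD_PACKAGE)
    poisoned_digest = hashlib.sha256(poisoned).hexdigest()
    return verify_download(poisoned, poisoned_digest)


if __name__ == "__main__":
    print(verify_download(GOOD_PACKAGE, PUBLISHED_SHA256))
    print(compare_failure_modes())
    print(upstream_compromise())
```

The last function is the case the thread describes: a checksum (or signature) only guards what happens between publication and the customer, never what happened earlier in the vendor's pipeline.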


Yes, these are two orthogonal egregious security problems.


SolarWinds is def. used by active duty cyber units at Lackland AFB... and they wonder why we tell them they can't just install what they feel like.


And you posted this US military vulnerability on a publicly searchable internet site?

head desk


To be fair, it isn't really secret; if you look at any job posting for Lackland, you'll see it mentioned over and over.

https://careers-salientcrgt.icims.com/jobs/11200/network-sys...

https://i.imgur.com/d8KbSZp.png

But, wow, imagine that's a job, just walk in, look at two programs and swap out parts as needed.


The qualifications read 'Someone from HR came up with this'.


Isn't that true of most postings?


Facebook query: Find people who work for US Air Force.

Vulnerabilities publicly available are numerous, and I gave no such details to anyone that would give them an easier time finding said compromises.

It's like saying Windows 10 bug found --> HEY THE MILITARY USES WINDOWS 10.


My employer has a knowledgebase on the public internet that is littered with lists of software and practices. There are thousands of employees. Name dropping software should be a risky thing to do, but that isn't the world we live in.




Give the OPSEC snide comment to the job postings publicly advertised.

Don't hate on Marines, they do hard work.

Using a throwaway account to be trite seems par for the course tho for opinions that can be disregarded.



