SolarWinds = Theranos of Cyber Security?

SuperMatt

It sounds like the people working at SolarWinds are awesome at marketing to big companies, and really bad at actual cyber security.


Most executives are grossly overpaid in America, and the results come in all the time. They are totally disconnected from their employees in many cases, and listen to ‘yes men’ instead of the experts. So, to get rich these days, being able to schmooze overpaid executives is far more important than a good business model, or products that actually do something.
 

Thomas Veil

Wasn’t Theranos an actual con job, though? This looks more like a real business that wasn’t ready for prime time.
 

jonblatho

> Wasn’t Theranos an actual con job, though? This looks more like a real business that wasn’t ready for prime time.

Setting a software update server’s password to “solarwinds123” in the first place, let alone apparently leaving it that way after someone pointed out that they were able to access it with that password, is active malpractice for a cybersecurity firm. That’s not an “oops”; that’s just plain stupid.
 

rdrr

> The alleged stuff is shit you should not see on a live server. You wouldn't even use it on a honeypot, because you couldn't learn anything useful from it.

Hate to disagree with you, but SolarWinds products are not all shit. There are some very useful monitoring/troubleshooting aspects of it that a lot of Fortune 500, government, and major communications entities use.
 

thekev

> Hate to disagree with you, but SolarWinds products are not all shit. There are some very useful monitoring/troubleshooting aspects of it that a lot of Fortune 500, government, and major communications entities use.

I used the term alleged, because I didn't feel like digging. Anyway, having some useful stuff doesn't lend them a pass for that kind of password boondoggle. It's a pretty bad sign of either policy or poorly enforced policy.
 

rdrr

> I used the term alleged, because I didn't feel like digging. Anyway, having some useful stuff doesn't lend them a pass for that kind of password boondoggle. It's a pretty bad sign of either policy or poorly enforced policy.

Agreed, but to be fair there are a lot of published default passwords out there for major corporate products and even consumer products (think Linksys routers). It all boils down to laziness, but that isn't an excuse. I got a feeling that there were a few people fired over this, and probably a lot more... CEO/President and a few VPs. Plus I think there is a less than 50% chance SolarWinds survives this.
 