[HN Gopher] U.S. Treasury, Commerce Depts. Hacked Through SolarWinds Compromise
Author : parsecs
Score : 436 points
Date : 2020-12-14 16:34 UTC (6 hours ago)
web link (krebsonsecurity.com)

[deleted]
icedistilled wrote:
| Wow the hackers had free rein over basically any company that they wanted.
|
| SolarWinds says it has over 300,000 customers including:
|
| - more than 425 of the U.S. Fortune 500
| - all ten of the top ten US telecommunications companies
| - all five branches of the U.S. military
| - all five of the top five U.S. accounting firms
| - the Pentagon
| - the State Department
| - the National Security Agency
| - the Department of Justice
| - The White House
trixie_ wrote:
| As a user of Ignite, we're struggling to find an alternative that matches its feature set. Great business opportunity here.
realmod wrote:
| Russia's hacking/software capabilities have always fascinated me. I might be out of the loop, but it very much feels like this "online cold-war" is very one-sided towards Russia, which is ridiculous given US capabilities. Though, this could be attributed to the US simply not getting caught.
|
| Nonetheless, everything I've read points to Solarwinds conduct being borderline negligent. For example, they not only told customers to ignore inaccurate checksums but they also failed basic server security.
wonder_er wrote:
| I read _Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon_ a few weeks ago, and really enjoyed it.
|
| I'd recommend giving it a read. It gives an accurate-but-uncomfortable overview of how the US government handles cyber security issues.
robocat wrote:
| More details: https://www.fireeye.com/blog/threat-research/2020/12/evasive...
|
| "SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. We are tracking the trojanized version of this SolarWinds Orion plug-in as SUNBURST."
|
| "Multiple trojanized updates were digitally signed from March - May 2020 and posted to the SolarWinds updates website. The trojanized update file is a standard Windows Installer Patch file that includes compressed resources associated with the update, including the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component. Once the update is installed, the malicious DLL will be loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe. After a dormant period of up to two weeks, the malware will attempt to resolve a subdomain of avsvmcloud[.]com."
|
| "This actor prefers to maintain a light malware footprint, instead preferring legitimate credentials and remote access for access into a victim's environment."
|
| "In observed [trojan] traffic these HTTP response bodies attempt to appear like benign XML related to .NET assemblies" "Command data is spread across multiple strings that are disguised as GUID and HEX strings."
|
| Edit: Silly me, that was the first article on hn, see thread: https://news.ycombinator.com/item?id=25413053
wonder_er wrote:
| Seems like a good time to plug an excellent book:
|
| _Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon_ [0]
|
| The US Government has spent two decades and hundreds of millions of dollars building tools to undermine the security of systems around the world, and withholding information from "Industry" that would help harden those systems.
|
| I have no idea who "did" this, I don't really care. The NSA has been loading this footgun for decades.
|
| [0] https://www.amazon.com/Countdown-Zero-Day-Stuxnet-Digital-eb...
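The FireEye excerpt robocat quotes gives defenders one concrete, searchable indicator: after a dormancy of up to two weeks the implant resolves a subdomain of avsvmcloud[.]com. The script below is an added example (not part of the thread, FireEye's report or SolarWinds' tooling) that runs that check over a few constructed BIND-style resolver log lines. The log format, client IPs and subdomain labels are made up; the only value taken from the page is the domain itself. Because the beacon is delayed, the search has to cover weeks of retained logs, not just the day the advisory came out.

```python
"""Flag DNS queries for subdomains of the SUNBURST C2 domain named in the
FireEye excerpt (avsvmcloud[.]com), run over constructed resolver log
lines. Added example; not code from the thread or from FireEye."""
import re
from collections import defaultdict
from typing import Dict, List

# Indicator quoted in the thread (defanged there). Matching is on the
# registered domain, so any generated subdomain is caught.
C2_DOMAIN = "avsvmcloud.com"

# Constructed sample lines. Assumed format (BIND query log style):
# "<timestamp> client <ip>#<port>: query: <name> IN <type> ...".
# The subdomain labels and IPs are placeholders, not observed values.
SAMPLE_LOG = """\
14-Dec-2020 09:12:01.001 client 10.20.30.40#51234: query: www.example.com IN A +
14-Dec-2020 09:12:07.112 client 10.20.30.41#51290: query: a1b2c3d4e5f6.avsvmcloud.com. IN A +
14-Dec-2020 09:13:45.500 client 10.20.30.40#51301: query: updates.example.org IN AAAA +
14-Dec-2020 09:14:02.777 client 10.20.30.42#51400: query: NOT-avsvmcloud.com IN A +
14-Dec-2020 09:15:10.009 client 10.20.30.41#51502: query: z9y8x7w6.AVSVMCLOUD.COM IN A +
"""

QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")


def normalise(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Foo.COM.' equals 'foo.com'."""
    return name.rstrip(".").lower()


def is_c2_query(name: str, domain: str = C2_DOMAIN) -> bool:
    """True if `name` is `domain` itself or any subdomain of it.

    A label boundary is required: 'not-avsvmcloud.com' must not match,
    otherwise look-alike names produce false positives."""
    n = normalise(name)
    return n == domain or n.endswith("." + domain)


def find_c2_queries(log_text: str, domain: str = C2_DOMAIN) -> Dict[str, List[str]]:
    """Map each querying client IP to the matching names, in log order.
    Lines that do not parse as queries are skipped rather than raising."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_c2_query(m.group("name"), domain):
            hits[m.group("ip")].append(normalise(m.group("name")))
    return dict(hits)


if __name__ == "__main__":
    for ip, names in find_c2_queries(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} query(ies) for {C2_DOMAIN}: {names}")
```

A hit identifies a host that loaded the trojanized DLL, not one that was necessarily followed up by hands-on-keyboard activity; per the quoted text the actor then moves to legitimate credentials, so the DNS match is the starting point for an investigation rather than its end.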
misiti3780 wrote:
| I can second that that book was great.
jkaptur wrote:
| I really enjoyed _The Hacker and the State_ by Ben Buchanan. It explores why various nations pursue cyber operations the way they do.
meh206 wrote:
| The "Russia" allegation sounds like an extremely weak & repetitive claim made by people on a certain political side to divert attention away from their bad press for criminal behavior (to include all of the Chinese compromises that were recently revealed).
|
| They're playing a VERY dangerous game, as if they would rather the entire world be destroyed before facing the possibilities of justice (Gitmo, military court tribunals, and everything else that the EO from 9/18 outlined).
|
| The bottom line: the MSM has been full of $&@T for quite some time, and this claim in Reuters is most likely more of the same.
intern4tional wrote:
| Microsoft and Fireeye have both made similar claims and released substantial technical details.
|
| Attribution is hard, but those two companies have a solid reputation and do not make BS claims.
goodluckchuck wrote:
| I see where they claim it's a sophisticated / state-sponsored attack, but could you share where they attribute it to Russia in particular? If that's a political assessment made by the media that's one thing, but if these sources have some sort of technical data that inherently links it to a particular nation... that's something I haven't seen.
hackinthebochs wrote:
| The widespread use of unvalidated automatic updates will go down as one of the biggest security blunders of the last decade.
tootie wrote:
| There was a fun one a few years ago when someone realized that Maven Central didn't require https so anyone could MITM arbitrary amounts of open source Java code. But I think this problem could be even more pervasive. Think about that giant green lock icon you see on secured sites.
| And then think about all the apps and devices making requests with no UI and we have no idea what they're all talking to until you have the patience and knowhow to operate wireshark.
|
| Off the top of my head, the only real solution is to feed a lot of this arbitrary traffic through trusted brokers which is going to make us even more dependent on Google, Microsoft or whoever else takes up that mantle.
mdoms wrote:
| On balance, I don't think so.
rossdavidh wrote:
| That's a pretty high bar, given the security blunders of the last decade.
[deleted]
dmitrygr wrote:
| This is why all this bullshit about "let's add a backdoor to all encryption just for the government" is just that: bullshit. A year or so after it is added, it will be available to every government on earth this way, and a year after, on your favourite warez site...
Havoc wrote:
| Ouch. Via a security provider. That's ugly no matter how you look at it
[deleted]
thesimon wrote:
| Adding snake oil usually adds more attack vectors rather than removing them. Look at all the "endpoint protection" and AV exploits surfacing almost every week.
outworlder wrote:
| Yes. Security vendors have to add a bunch of snake oil products.
|
| If they just did "consulting" and trained the staff against social security attacks, and improved a company's policies, how could managers that authorized the expense justify it? Where's the shiny "product" that "keep us safe"? "Do you mean we have to periodically expend money to keep ourselves safe? I'll go with Vendor B, they have a blockchain-based Machine Learning tool that's going to safeguard us against current and future threats!"
zentiggr wrote:
| Thanks, now my skin's crawling again from the all too familiar cesspool feeling.
|
| Salesmen (external or even worse internal) convincing inexperienced CTOs or VPs that they need <this exact software> regardless of any real world factors...
|
| These are the people I would throw out with their own bathwater.
just_steve_h wrote:
| Companies that provide faulty software are "magically" exempt from liability - neat trick!
dang wrote:
| The major earlier threads on this ongoing story are:
|
| https://news.ycombinator.com/item?id=25413053
|
| https://news.ycombinator.com/item?id=25409416
mxskelly wrote:
| When will people realize that slapping yet another startup's tech stack onto yours isn't going to magically fix anything and in fact just adds complexity and points of failure.
|
| I've always done my best to err on the side of "let's try not to add yet another level of complexity" and this strategy has yet to fail me.
falcolas wrote:
| When the financial costs of exposing yourself to such risks outweigh the time saved.
|
| So, never. At least, not in our current software development industry.
Karunamon wrote:
| I agree with the point, but that's not what happened here. SolarWinds Orion isn't some VC-backed panacea sold by SV hucksters to cure all your infrastructure's ills, it's a monitoring stack like Zenoss or Zabbix or (...) and is correctly marketed as such.
nrmitchi wrote:
| SolarWinds is a 21-year-old publicly-traded company.
|
| They're not really "yet another startup".
|
| I also don't think that the departments of the US Government are all going around all willy-nilly dropping tools from "yet another startup" into their core infrastructure.
|
| While your _overall point_ may be valid, it's tough to come to the conclusion that it is applicable here.
wglb wrote:
| No longer publicly traded: https://www.solarwinds.com/company/press-releases/solarwinds...
nrmitchi wrote:
| Went public again Oct 18, 2018: https://www.solarwinds.com/company/press-releases/2018-q4/so...
mcguire wrote:
| Willy-nilly dropping tools into core infrastructure is largely how government IT works.
|
| Corporate IT, too, from what I've seen.
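hackinthebochs and tootie above point at the two controls an update client can enforce on its own: the artifact must arrive over TLS, and its digest must match a value obtained independently of the download (realmod's note that customers were told to ignore inaccurate checksums is the failure mode). The block below is an added example written for this thread, not SolarWinds' updater or any vendor's code; the artifacts, the digest and the `updates.example.invalid` host are constructed, and the fetcher is injected so it runs offline.

```python
"""Fetch-and-verify gate for a software update: refuse anything that did
not arrive over HTTPS or whose SHA-256 differs from a digest obtained out
of band. Added example; not SolarWinds' or any vendor's real code."""
import hashlib
import hmac
from typing import Callable, Dict
from urllib.parse import urlparse


class UpdateRejected(Exception):
    """Raised when an update fails a source or integrity check."""


def check_source(url: str) -> None:
    """Plain http:// artifacts can be replaced by anyone on the path (the
    Maven Central situation mentioned above), so allow only TLS origins."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise UpdateRejected(f"refusing non-HTTPS update source: {url}")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the artifact's SHA-256 with the published
    digest. The digest must come from a channel independent of the download
    (a signed manifest, the vendor's own page), or it proves nothing."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def fetch_and_verify(url: str, expected_hex: str,
                     fetch: Callable[[str], bytes]) -> bytes:
    """`fetch` is injected so the example runs offline; a real client would
    do an HTTPS GET with certificate validation. A mismatch discards the
    artifact: a checksum warning the operator can click through is not a
    control."""
    check_source(url)
    data = fetch(url)
    if not verify_digest(data, expected_hex):
        raise UpdateRejected(
            f"digest mismatch for {url}: got {sha256_hex(data)}, "
            f"expected {expected_hex}")
    return data


# Constructed artifacts: the genuine patch and a copy with bytes appended.
GENUINE = b"example-plugin-1.0: legitimate installer bytes\n"
TAMPERED = GENUINE + b"<injected bytes>"
PUBLISHED_DIGEST = sha256_hex(GENUINE)  # stands in for the out-of-band value
UPDATE_URL = "https://updates.example.invalid/plugin-1.0.msp"  # placeholder host


def demo() -> Dict[str, str]:
    """Run the three cases that matter and report the outcome of each."""
    outcomes: Dict[str, str] = {}
    cases = {
        "genuine": (UPDATE_URL, lambda _u: GENUINE),
        "tampered": (UPDATE_URL, lambda _u: TAMPERED),
        "plain_http": (UPDATE_URL.replace("https://", "http://", 1),
                       lambda _u: GENUINE),
    }
    for label, (url, fetcher) in cases.items():
        try:
            fetch_and_verify(url, PUBLISHED_DIGEST, fetcher)
            outcomes[label] = "installed"
        except UpdateRejected as exc:
            outcomes[label] = f"rejected: {exc}"
    return outcomes


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

Note what this does not cover: a build-system compromise of the kind robocat's FireEye excerpt describes produces an artifact whose published digest and signature are both genuine. A digest check stops tampering on the wire and on mirrors, not tampering before the digest was computed; that gap is why supply-chain defences also need monitoring of what the installed software then does.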
notabee wrote:
| That's very true. In my limited experience, they are tools sold to non-technical leadership that are either thrown to technical staff to deal with and implement or require letting yet another vendor have network access to manage. It adds up to a hot mess.
mcguire wrote:
| My favorite comment from a (authentication system) vendor, during a meeting where we were trying to figure out why users were having trouble logging into an internal app: "Do I have a charge code for this?"
reaperducer wrote:
| _SolarWinds is a 21-year-old publicly-traded company. They're not really "yet another startup"._
|
| Today it is. If we knew when SolarWinds was added to the government systems, his comment might stand.
rplnt wrote:
| Startup or not, government contracts require certain certifications.
mgreenleaf wrote:
| And yesterday's startup is tomorrow's billion dollar company, often with nothing changed except the number of customers.
falcolas wrote:
| I believe that you have mis-read their comment - they aren't saying Solar Winds is "yet another startup", they're saying that SolarWinds is incorporating 3rd party technology (the so-called supply chain attack on their build) without vetting it.
|
| And, if we're being honest, those technologies probably are based off startup tech; SolarWinds purchases and incorporates startup companies (such as Vivid Cortex recently).
nrmitchi wrote:
| That is entirely possible.
hobs wrote:
| SolarWinds isn't another startup, it's been around for over 20 years, I have used their software half a decade ago and it did the job just fine.
|
| Age doesn't imply it's good either, but blaming startups isn't the problem here.
onetimemanytime wrote:
| >> _I have used their software half a decade ago and it did the job just fine._
|
| Russia agrees.
trashcan wrote:
| This also came out today:
|
| https://mattermost.com/blog/coordinated-disclosure-go-xml-vu...
|
| It seems pretty likely that SolarWinds' SAML authentication was bypassed or escalated by this issue with Go's encoding/xml, and then used that to generate and distribute the trojaned SolarWinds updates.
richardwhiuk wrote:
| Doubt it - that bug has been known by Go/Mattermost since August.
trashcan wrote:
| How would SolarWinds know about it if it wasn't publicly disclosed until today?
|
| Timeline: https://lh6.googleusercontent.com/GI-MC0npwRiJju1O_PP_hG2mm8...
koolba wrote:
| Is this the same SolarWinds that owns Pingdom?
|
| https://www.solarwinds.com/pingdom
daniellarusso wrote:
| Yes. Luckily that is an external monitoring tool, but they do allow 'transactional' monitoring, so some folks could have login info saved.
|
| The two sites I monitored w/ that tool, we used it to determine when a 3rd party account's login info has expired.
|
| So, I would expect my saved credentials to be invalid, but that is just my anecdote.
|
| The rest is just simple uptime and response time monitoring of specific URLs, which we publicly expose anyway, so no threat there.
andreasley wrote:
| I wonder if this unintended transparency actually makes for a safer world. The cold war might have been shorter if both sides would have been able to see that their enemy does not intend to escalate the situation.
random5634 wrote:
| A couple of quick notes:
|
| 1) The OPM hack and now this all illustrate - if govt gives itself the big backdoors into everything, it's likely they will give it to russia, criminals, ex-boyfriends stalking ex-girlfriends etc.
|
| 2) My own impression of govt IT is largely security theatre in the area I was involved. In particular such massive complexity that agency staff think going around the rules is normal, because it's the only way to actually get work done. And then such glaring weaknesses that no one cares to fix.
| With google I've had one password for 20 years (my google account) which allows a hardware key for 2FA or google authenticator with what I imagine is sensible monitoring, new device authentication etc (I find this pretty secure).
|
| Govt you are forced to write down these insanely long passwords with super complexity that cannot be cut and pasted that change every 30 or 60 days.
|
| Because lost passwords are so common in these settings, the password reset process is usually a MASSIVE weakspot. I've seen it just be a phone call to a third party, you give them your username, they give you a new temp password - that's literally it. And the passwords end up everywhere. In lots of documents that float around, emailed around etc etc. And lots of password sharing when you get locked out of a tool and it will take a long time to get a new account setup (months). Pretty soon the procedures manual also gets you root access to everything.
all_blue_chucks wrote:
| Neither of these hacks involved "back doors" as they are normally defined. One was an authentication bypass; the other was a supply chain attack. Neither involved any sort of deliberate covert access mechanism.
hamburglar wrote:
| I don't think OP meant to imply that backdoors had anything to do with this. It's meant to underscore the argument against backdooring encryption by pointing out that when you trust some entity with a backdoor, you're potentially opening that backdoor to anyone who can break that entity's security, which may be very, very flawed.
Eduard wrote:
| > With google I've had one password for 20 years (my google account) which allows a hardware key for 2FA or google authenticator with what I imagine is sensible monitoring, new device authentication etc (I find this pretty secure).
|
| I too hope this is not just security theater as well.
mcguire wrote:
| Aside from anything else, your second point is exactly spot-on.
| That's not just your impression.
textech wrote:
| Incompetence runs through every facet of American government, corporations and even private businesses. There's an insane amount of bureaucracy and people doing IT who have no business doing IT. As for the corporations, the established ones get taken over by the MBA types who have no clue about software or security nor do they care as long as the numbers look good for the next quarter.
dcolkitt wrote:
| I'd bet dollars to donuts that firms run by professional managers almost certainly have better security practices than family or founder run firms. I say this because research shows that professionally managed firms excel in virtually every other facet of operations and management[1].
|
| [1] https://hbr.org/2011/03/family-firms-need-professional
khamba wrote:
| Although I do not disagree with your comment, I would do a double take before accepting the source you cite because they are very much incentivized to proclaim the result they proclaim.
x0x0 wrote:
| MBAs discover companies desperately need MBAs!
textech wrote:
| you mean professionally run corporations like Equifax, Target or SolarWinds (published ftp password to github)?
snarf21 wrote:
| Spot on, humans are always the weakest link. You must assume your users will invoke every _worst_ practice imaginable and make your system secure anyway.
kipchak wrote:
| For what it's worth NIST password guidance SP800-63b no longer advises the arbitrary expiration, so hopefully this is something that will change.
|
| > "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."
GordonS wrote:
| NIST changed those rules a few years ago, I think. I remember thinking "please, PLEASE let companies follow suit...".
|
| And still, very few have :(
kipchak wrote:
| I think it's new as of the 2019 revision, though it wouldn't surprise me if it's been ignored for a while. I don't think CMMC requirements specifically call out expiration periods, so hopefully a good sign.
|
| Microsoft seems to be fairly forward thinking[1] on passwords, doing away with expiration requirements and focusing more on their risk based MFA stuff.
|
| [1] https://www.microsoft.com/en-us/research/wp-content/uploads/...
at-fates-hands wrote:
| >> In lots of documents that float around, emailed around etc etc.
|
| The amount of fortune 500 and fortune 100 companies that I worked at where this is commonplace is staggering. The amount of businesses that never change their passwords is quite frankly, shocking. I left a fortune 500 company two years ago and I just tried my login on their external facing portal - and it still worked.
|
| I've seen passwords being passed around in word docs and internal blog posts. At one place they were mixing development information with financial information. The idea you had several folders of corporate contracts mingling with developer docs on a sharepoint server was a real eye opener for me.
|
| Nobody else seemed to care when I brought up the fact you just gave a bunch of developers access to facebook contracts and other financially important docs they have no reason to have access to. Their reason? It was too hard to set up a new folder with access restricted.
|
| After a few years of experiencing these, I just became kind of apathetic to it. If nobody in authority cares, then why should I??
SystemOut wrote:
| I hated this part of being on-call for government customers. I had to go through some crazy adjudication process all for the privilege of having to change my passwords every 60 days.
| And even though I used a password manager for them I couldn't paste them in because the VM I was required to use to access the systems didn't allow pasting from the outside.
|
| So I just typed them into notes on the VM and left them there.
Jtsummers wrote:
| The insistence on the stupidly long passwords and 30-60 day expiration times created _so_ many weaknesses. People choose obvious patterns for their passwords to get around it. Like `1q2w3e4r!Q@W#E$R`. Then they shift by one each time they have to update, by the time they get across the keyboard they can restart (or twice, in which case you swap the shift to the first half instead of second half). Or, this was fun, my first gov't job the guy had stored passwords on a sticky underneath the keyboard (I changed them all). They also used a shared account for admin stuffs, even though we were all given an admin token (like the smart card or CAC for regular login, but with admin credentials and issued separately).
|
| In theory, the DOD CAC system (they've gotten better over the years) eliminates the need for passwords entirely, but somehow most teams never tie their system to it properly.
triangleman wrote:
| > Or, this was fun, my first gov't job the guy had stored passwords on a sticky underneath the keyboard (I changed them all).
|
| Nothing wrong with writing passwords down. Or at least it's the least wrong thing you could do among all things mentioned here.
vorpalhex wrote:
| It depends entirely on your security and threat model. Me, working from home? I'll write down the password for my netflix account and wifi - sure.
|
| In an office? Absolutely not, never, not once. Offices are not private and not secure and in any kind of even vaguely sensitive setting allowing a colleague to have access to your password and impersonate you is a massive risk.
Jtsummers wrote:
| I would partially agree with this. It's not _wrong_ to write down passwords.
| It _is_ wrong to write them down and not secure them. Securing them is the same step that happens (or is intended to happen) with password managers. The passwords are, themselves, encrypted in some fashion so that they're not (easily) accessible to others. If these passwords were _at least_ put in a locked cabinet, I'd have felt better about it. A safe would've been even better (and this is assuming that they needed to be shared, we had security tokens that, if used properly, meant we _didn't_ need the passwords at all and each person would have a unique access token for better accountability).
|
| It is moronic to write passwords down and stick them underneath the keyboard.
vngzs wrote:
| NIST no longer suggests such a rotation policy. They have accepted that it weakens security.
|
| Anecdotally, colleagues have successfully lobbied to drop (or not enforce) password expiration policies from other government bodies on the strength of this recommendation from NIST.
briffle wrote:
| Yes, but as far as I have seen, no auditing/compliance frameworks have updated their recommendations yet. Maybe it's not the frameworks, but the individual auditors and their templates, but I have seen it a 'requirement' for PCI, Sarbanes-Oxley, etc.
|
| It's much easier to keep it in place to make the auditors happy than remove it, and risk exceptions on your report that you have to defend.
jimnotgym wrote:
| However I'm pretty sure PCIDSS does still say 90 days
boston_clone wrote:
| all the more reason to prioritize minimization of scope for PCI ;)
Jtsummers wrote:
| Yeah, I know it's not actually recommended anymore, but the policy makers don't care. They're doing CYA policy. They do whatever seems to be the strongest possible thing, users and reality be damned.
|
| I was in a team whose security group eliminated the use of DVD drives for _reading_ (not writing) data except for a few permitted individuals.
| Creating a massive chokepoint in every process where data had to come from off-network. Security didn't care, it took the realization of the cost (delays, people too busy moving data to do their actual jobs) for management to step in and end the nonsense.
|
| The same will be required for things like password policies. Until the issue becomes realized (weak/written passwords lead to a compromise), these policies will stay in place within organizations and teams. It doesn't help that the majority of the policy setters are _not_ IT professionals (or only in the loosest sense, they can install software but have no _real_ understanding of IT systems). In DoD, most come from a physical security background (retired/separated security forces).
mumblemumble wrote:
| > They do whatever seems to be the strongest possible thing
|
| It's not that, it's inertia and poor incentive structures.
|
| In a large organization, if a policy was set in place by someone else, then, even when you know it's a sub-par policy, it's still in your interest to leave it alone. Doing so gives you a way to deflect blame in the event of a breach related to that decision. You can just blame the policy itself. If, on the other hand, you change the policy, you're more likely to be held personally accountable.
|
| That said, you're also absolutely right about the expertise problem. I don't know much about government, but, in private industry, I've observed that the best way to get put in charge of cybersecurity is to start from somewhere completely outside of IT, and become good friends with the CEO.
craftinator wrote:
| > It's not that, it's inertia and poor incentive structures.
|
| This is the psychological/economics point of view, and I think it's the correct one for this problem. The other tricky issue, besides the CYA prioritization, is that being a dynamic entity requires other entities to do the same.
| If you start changing procedures in your section, other sections that rely on you need to adapt to these, and they may have the CYA attitude and resist that change.
kodah wrote:
| Citation? I couldn't find anything on the web or here: https://pages.nist.gov/800-63-3/sp800-63b.html
|
| edit: I wasn't calling OP a liar, I just couldn't find it.
NovemberWhiskey wrote:
| It's right there in section 5.1.1.2:
|
| _"Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically)."_
hsbauauvhabzb wrote:
| Harmj0y, who is probably the best public AD hacker right now suggests 3 month rotations, IIRC.
|
| My guess is the idea is to mitigate compromise of very old passwords, spray attacks using breached site creds, reduce insider threat and at least offer some mitigation for compromised hashes.
|
| I think this is wise compared in work environments - 90 days, 180 or even 360 would be a good mitigation over _none_ to too many.
acdha wrote:
| I think those concerns are better addressed elsewhere with tools like MFA, automatically disabling inactive accounts, or monitoring public services like HIBP to deactivate accounts quickly. Attackers can move quickly so you hit diminishing returns on rotation policies trying to avoid usability issues incentivizing worse passwords while not rotating long after the account has been compromised.
alanning wrote:
| Should be noted that NIST's current recommendations are meant to be part of a number of mitigations including checking passwords against known-breach databases, rate-limiting, etc.
|
| Without those other mitigations, pw rotation may still help more than it hinders, although I am definitely not a fan of it and recommend implementing all of the NIST's recs instead.
|
| For those looking to head that route, haveibeenpwned offers an API to check hashes against previous breaches. For a pw strength meter, have a look at zxcvbn.
[deleted]
Covzire wrote:
| Indeed. Sports Team + Year, Season + Year, Company + Year or some other such combination should get you a good 10% or more of your users with only a few dozen permutations.
|
| They wrote 60 days into FEDRAMP I believe, something I jaw-droppingly realized last year sometime. Whoever is writing these policy frames don't know what they're doing. NIST did away with those periodic password change recommendations for a very good reason but IMO they need to now recommend the opposite, directly, because the constant password changes are doing real harm.
throwaway894345 wrote:
| According to another comment, they do:
|
| > It's right there in section 5.1.1.2: "Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically)."
|
| https://news.ycombinator.com/item?id=25421584
toomuchtodo wrote:
| What's preventing more rapid uptake of integrating with the CAC system? I can use my CAC when going through TSA for ID (and verification is sub 10 seconds) but other agencies keep dragging their feet.
Jtsummers wrote:
| It seems to be laziness on the part of the IT system makers. There are (mostly) standardized ways to authenticate a CAC and associate it with a user for an information system. But people seem to prefer to roll their own. Either using traditional username/password combos, or a worse solution.
|
| The worse one is this (seen a few times): Username/password and _then_ you register your CAC with it. They only check the CAC itself for the cert expiration date. When it does finally expire (or gets revoked, say you need a new one early like happened to me a couple times, not due to loss, it just became unreliable in the CAC reader), then you have to use the username/password combo (the password has been getting updated every 60-90 days during all this time) and register your new CAC.
|
| But, since they aren't checking revocation data a stolen CAC + PIN (say it's weak, beaten out of you, or they observe you using it) even _revoked_ would still be able to authenticate against that system until the cert expires or the admin (usually) manually removes the revoked CAC.
toomuchtodo wrote:
| As an IAM/trust systems enthusiast with a passing interest in the CAC system (and tangentially, Login.gov), this is disappointing to hear. Thanks for the context. I'll keep my eye out for opportunities to contribute to improving the situation (USDS or 18F).
mNovak wrote:
| You should check out the new CMMC requirements -- basically a new set of basic cyber security requirements for all DoD suppliers, starting next year.
|
| It's heavily based on the NIST guidelines, so strong on 2FA, and discourages arbitrary password rotation.
imchillyb wrote:
| RELEVANT XKCD:
|
| https://xkcd.com/936/
lovecg wrote:
| Though it should be noted those "4 random word" passwords are strong only if the words are truly random (and the string is less likely to be memorable in this case).
|
| A password generator that allows retries means people will hit that button until the string is memorable, reducing the entropy.
vngzs wrote:
| Since this is a supply chain attack on software downloads, I think it's interesting to consider the implications for the security posture of a cloud-native organization.
| While cloud-native is commonly recognized as less secure (because the cloud provider could be hacked!), there are a few categories of attacks exclusive to onprem software deployments:
|
| 1. You misconfigure the onprem software, making it more insecure than the alternatives. This does not occur with SaaS products.
|
| 2. The software delivery system is tampered with, and you download and run malicious code on your systems with high privileges. If you don't run it, this can't happen.
|
| Cloud deployments aren't obviously safer, but they have clear advantages unless you are willing to pay top people to work on and secure each onprem deployment full-time.
|
| NB: I don't actually believe "the cloud" is fundamentally more or less secure than onprem deployments. Rather, I frequently hear people argue that a website being hacked - or the potential for it - justifies a movement to onprem, and I think this is (usually) false.
tyldum wrote:
| Things aren't black or white, but SaaS typically removes one layer of security (the corporate firewall). Misconfigurations are then typically exposed to the whole world.
caminocorner wrote:
| > While cloud-native is commonly recognized as less secure (because the cloud provider could be hacked!)
|
| That's not a common recognition by any means. Cloud providers are more secure and spend more on infosec than any business managing their own tech & data centers.
Pretending that the | cloud provider being the point of entry is in the same ball | park of risk (or greater risk) is a strange talking point in | 2020 | jsty wrote: | Whilst not being a "cloud is someone else's computer" adherent, | the notion SaaS products can't be misconfigured into opening up | security holes not present / so serious in some on-prem | environments doesn't hold water - see the last decade's stories | of accidentally open S3 buckets, plaintext secrets pushed to | public GitHub repos, and all manner of other "minor | misconfigurations" | just_steve_h wrote: | So far I've seen ZERO EVIDENCE. Reuters and the Washington Post | have breathless claims of Russian hackers "according to officials | familiar with the matter." Uh huh. | | Saying "APT29" or "CozyBear" doesn't make the accusation any more | credible. | | If multiple US agencies are trumpeting the same story, you really | must ask yourself "Why? Why this? Why now?" | | It's pretty amusing, in a depressing way, to see how quickly so | many otherwise intelligent people can be made to snap to | attention and fight the Russian Menace with a few anonymous | government claims. | jen729w wrote: | Given the scope of this product -- basically everyone runs it | -- any chance that this is some sort of hoax will be mitigated | by the "too large to be a hoax" thing. Probably some sort of | fallacy whose name I don't know. | | See: moon landing. Of course we went to the moon otherwise, | what, 50,000 people are keeping a perfect and scandalous secret | for half a century? | jiggawatts wrote: | The best proof that the United States went to the Moon is | that there was extensive Russian spying going on at the time, | but Russia never claimed that the US was lying about the | Apollo program. | icedistilled wrote: | Why are there so many people who absolutely deny Russia does | any hacking. 
| | It's always some big conspiracy theory that multiple cyber | security agencies, all the three letter agencies, and multiple | news agencies are in on. | | I'd bring up tin foil hats, but nowadays we can make fabric | faraday cages so we can all be fashionable no matter what we | believe. | ehsankia wrote: | I'm curious, are people saying that "Russia doesn't do any | hacking" or that "there isn't yet enough evidence that this | specific attack is by Russia". Those are two very different | claims. | | I don't think there's any doubt about the former claim, | personally. The latter though, I think it's too early to | tell, especially since we've seen recently how certain | hackers have explicitly started putting bait signs from other | nation-states to misdirect. | jeffreyrogers wrote: | He's not denying Russia does hacking. He's saying there is no | evidence that ties this to Russia over any other group. Maybe | Russia is most likely based on priors, but I don't think the | average HN commenter has an accurate estimate of nation-state | hacking frequencies. | njharman wrote: | > Why are there so many people who absolutely deny Russia | does any hacking. | | Because there are many people paid to do so. (and soon if not | already automated bots). | La1n wrote: | Not everyone who questions something is a paid shill. | ineedasername wrote: | Could someone explain what a "supply chain" exploit is? | vsareto wrote: | https://attack.mitre.org/techniques/T1195/ as an example | Dirlewanger wrote: | These breaches will continue to happen, and happen...and happen | until our limp-dick federal government gives a shit and starts to | punish companies for their malicious malfeasance regarding IT | security. | andromeduck wrote: | This is the same congress that moved to largely indemnify | Equifax? | IronRanger wrote: | And until we end the H1B visa and only allow Americans or | American allies to run the IT systems of companies in America. 
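Referring back to the CAC comment earlier in the thread (a system that registers the card and afterwards checks only the certificate's expiry date), the following is an added Go example, not code from the thread or from any DoD system: it builds a throwaway CA, two card certificates and a CRL in memory (all names and serial numbers are constructed) and shows the weak expiry-only check accepting a revoked card while a revocation-aware check rejects it and fails closed on a stale CRL.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scenario is a constructed test PKI (not a real DoD PKI artifact): an issuing
// CA, two client-auth certs standing in for cards, and a CRL revoking the first.
type Scenario struct {
	CA, Revoked, Valid *x509.Certificate
	CRL                []byte // DER-encoded CRL signed by CA
}

func must[T any](v T, err error) T { // in-memory generation never fails here
	if err != nil {
		panic(err)
	}
	return v
}

// BuildScenario generates the CA, issues two cards, and revokes the first.
func BuildScenario(now time.Time) *Scenario {
	const year = 365 * 24 * time.Hour
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{CommonName: "Constructed Issuing CA"},
		NotBefore:    now.Add(-24 * time.Hour), NotAfter: now.Add(10 * year),
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is needed to issue CRLs
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	var leaves [2]*x509.Certificate
	for i := range leaves {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(int64(4242 + i)),
			Subject:      pkix.Name{CommonName: fmt.Sprintf("DOE.JANE.000000000%d (constructed)", i+1)},
			NotBefore:    now.Add(-24 * time.Hour), NotAfter: now.Add(3 * year), // card certs live for years
			KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}
		leaves[i] = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))))
	}
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(7 * 24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaves[0].SerialNumber, RevocationTime: now.Add(-time.Hour)}},
	}
	crl := must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))
	return &Scenario{CA: ca, Revoked: leaves[0], Valid: leaves[1], CRL: crl}
}

// ExpiryOnlyAccepts is the weak check from the comment: trusted while unexpired.
func ExpiryOnlyAccepts(leaf *x509.Certificate, now time.Time) bool {
	return !now.Before(leaf.NotBefore) && !now.After(leaf.NotAfter)
}

// RevocationAwareCheck chains the card cert to the trusted CA, then consults the
// CA's CRL: it fails closed on a stale CRL and rejects a revoked, unexpired cert.
func RevocationAwareCheck(leaf, ca *x509.Certificate, crlDER []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("unparseable CRL: %w", err)
	}
	if err := rl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not signed by trusted CA: %w", err)
	}
	if now.After(rl.NextUpdate) {
		return fmt.Errorf("CRL expired %s ago: refusing to authenticate without fresh revocation data", now.Sub(rl.NextUpdate))
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("serial %s revoked at %s", leaf.SerialNumber, rc.RevocationTime.UTC().Format(time.RFC3339))
		}
	}
	return nil
}

func main() {
	now := time.Now()
	sc := BuildScenario(now)
	fmt.Println("expiry-only accepts revoked card:", ExpiryOnlyAccepts(sc.Revoked, now))
	fmt.Println("revocation-aware, revoked card:", RevocationAwareCheck(sc.Revoked, sc.CA, sc.CRL, now))
}
```

A real deployment would fetch the CRL (or an OCSP response) from the issuer's published distribution point rather than build one in memory; the fail-closed behaviour on a stale CRL is the part that closes the window the comment describes.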
| jorblumesea wrote: | So basically, Russians had the highest level of access to every | large company and most government agencies in the US? (Including | defense, DOD, pentagon) | | If so, this is on scale with the OPM hack in 2015. This is huge. | | Smart to use the election timing while authorities were focused | elsewhere. | colinmhayes wrote: | Is there any actual evidence that this was Russia? All I've seen | so far is solarWinds unsubstantiated claim. | jorblumesea wrote: | Attribution is very difficult in this space. According to | most articles I've read, senior officials believe it's Russia | (and it makes sense given the scope/scale) but smoking guns | are hard to find. | jeffreyrogers wrote: | The Russia attribution track record is not very good. E.g. | that Afghanistan bounty story appears doubtful and many of | the earlier allegations of ties between the Trump | administration and Russia were not substantiated. | | Not that Russia is not a threat to the US, but there is a | sizable part of the federal bureaucracy that wants to pin | things on Russia for various reasons (it's not all anti- | Trump either). | | Edit: Downvoters, feel free to prove me wrong. Here's one | source for my claims[0] | | [0]: https://www.nbcnews.com/politics/national- | security/u-s-comma... | thisisdallas wrote: | No, not at all. It's political theatre the media is playing. | Russia has been the big bad wolf since 2016. It's far more | likely China than Russia, although it could be a variety of | different states/parties. | outworlder wrote: | > Russia has been the big bad wolf since 2016. | | For a very good reason. | realmod wrote: | I still cannot help but laugh at the intentional | ignorance by a lot of people in the US right now. They | have for some reason (we all know why) gotten the notion | that Russia is some kind of innocent nation that does | nothing at all and that US is unreasonably antagonistic | against Russia.
| | Russia is in NO uncertain terms a hostile and aggressive | nation that we all need to be wary of. | miguelmota wrote: | It's not fully confirmed yet but it's probable it's the same | 'Cozy Bear' Russian hack group that hacked the State | Department and White House email servers during Obama | administration. | [deleted] | afrcnc wrote: | duplicate: https://news.ycombinator.com/item?id=25413053 and a | few others more | ummonk wrote: | For a minute I misparsed the title and thought that the US | Treasury and Commerce departments' staff hacked their way around | a SolarWinds compromise. That would have been cooler. | ethanolburner wrote: | Just to add, 15 mins ago Chris Bing from Reuters and other | journalists confirmed the U.S. Department of Homeland Security to | be the 3rd agency to be impacted [1]. | | I suspect there will likely be further agencies and of course | private companies to come forward in the upcoming weeks/months. | | [1] https://twitter.com/Bing_Chris/status/1338552048342753288 | pmlnr wrote: | Sigh. | | "Engineers are expensive, so don't build, buy!" | | How about... the middle way? Let your own engineers deploy open | source, something you can verify, even audit, if you ever have | to. | | Ah, I forgot. Those usually don't come with fat envelopes from | the provider to the people making the decisions. | DougN7 wrote: | It should be noted that everyone with a recent version of | SolarWinds installed is considered exposed - not just the US gov | swalsh wrote: | So, am I reading this right? the Russian government had the | ability to impersonate the credentials of ANYONE in the majority | of the fortune 500, the US Government, the US DOD, and our | telecomm infrastructure... and they likely had this access for a | while. | | How is this NOT an act of war? | abvdasker wrote: | Anyone calling for war between the largest nuclear power | and second-largest nuclear power is insane or ignorant.
To even | suggest something like that is obscene given the | incomprehensible loss of life it would entail. I think most | people who can remember it would agree that it's a good thing | the Cold War stayed cold. | pvg wrote: | _How is this NOT an act of war?_ | | Very simply because it's not an act anyone would initiate armed | conflict over. | yibg wrote: | Every country does this to every other country that they | can. Not like the US doesn't (or at least try to) pull off | stuff like this too. So if it's an act of war then every major | power has pretty much at some point declared war on every other | major power, even allies. | UnpossibleJim wrote: | As I'm forced to speculate, because it is inconvenient for us | to call it an act of war. We routinely conduct cyber espionage | missions on other countries and "probe" their cyber defenses. | If we were to call this an all out act of war, then we would | also be found guilty of unprovoked acts of war on many other | countries, including allied countries. So, too, would many | other countries. This is the new spywork. | wavefunction wrote: | Russia has a policy where they allow "patriotic hackers" to | operate freely while turning a blind eye to their actions. The | Kremlin even mentioned this in their disavowal. | dragonwriter wrote: | While I disagree with the claim that merely having the | capacity is an act of war, doing something that would be an | act of war through privateers rather than official state | forces doesn't make it any less an act of war than it | otherwise would be. | Nginx487 wrote: | It is. Hope, after the new administration takes office, a "hell | sanctions" package will be approved, as well as closing | Russian embassies and increasing military pressure on its | borders. Sanctions already work, and the Russian regime does not | enjoy a variety of options to oppose them. | Consultant32452 wrote: | We (the public) have not been provided evidence that this was | Russia.
Let's not get ahead of ourselves. Some anonymous people | claimed it's Russia. That is meaningless. | bduerst wrote: | It's from sources vetted by Reuters. Their public-facing | anonymity was required for coming forward. | | https://www.reuters.com/article/uk-usa-cyber-treasury- | exclus... | Consultant32452 wrote: | Right, so anonymous sources who provided no evidence to the | public. It's meaningless. | dragonwriter wrote: | Having the capacity isn't an act of war, in the same way that | having the much more significant capacity to obliterate major | population centers isn't. | | How the capacity is applied may be another story. | [deleted] | beamatronic wrote: | Are you personally willing to go to war? Are you willing to be | a foot soldier? Do you wish to kill? Do you wish to be killed? | skinkestek wrote: | I do not want to go to war over _this_, and generally I have | friends from a number of countries in the east but make no | mistake: if my country asks me to defend its borders or even | NATO borders I'll be there[1], even if it is many years since | I finished draft and I now have a family. The alternative | will probably be worse. | | Anyways, no sane, decent person should wish for a war. | | [1]: I am a whole lot less interested in defending us around | the Middle East and in Afghanistan though. | SpaceRaccoon wrote: | Did you also consider this[0] an act of war? | | [0] (U.S. Escalates Online Attacks on Russia's Power Grid) [ | https://www.nytimes.com/2019/06/15/us/politics/trump-cyber-r... | ] | citilife wrote: | > the Russian government | | You sure about that? "They" have been claiming Russia is the | boogie man for years, but it's _never_ been proven. In this | case, it does appear like a complex hack. Wouldn't be | surprised if it's China, Iran, North Korea, Russia, U.S. | Government (yes, hacking itself), etc. | mrlala wrote: | Who is "they"? And what hasn't been proven, are you referring | to Russian interference in 2016?
| anaganisk wrote: | And how many such tools have been employed by CIA? So are all | the other countries supposed to wage war against US? Govts all | over the world do shady shit, constantly. Sometimes they get | caught, sometimes they don't. Men in power use tensions to stay | in power, waging wars against more powerful/equal, won't help | men in power on either of the sides. | kerng wrote: | Tense is wrong, they have this ability RIGHT NOW to a very high | degree of certainty. | | Just because the tip of the iceberg has been discovered doesn't | mean it's mitigated. Even Fireeye is probably still compromised. | It will take a while to understand the actual scope of this. | | And in the meantime new attacks are likely happening also. | jessaustin wrote: | Hopefully they'll find out some horrible things that our | public servan^Wmasters are doing, and leak it to Wikileaks... | where have I heard that before? | COGlory wrote: | If it wasn't Russia (and the evidence supporting that it was | hasn't been released yet) it would be literally anyone else. | North Korea. Iran. Even our allies. Some 400lb dude sitting in | his parents' basement in New Jersey. And the US is doing this, | or attempting to do this, to many other countries. | | Ultimately, the hack is the practical responsibility of the | victim. | | Don't fall for the Kissinger style war mongering. | tessierashpool wrote: | The entire Trump administration's been an act of war. They got | classified intel, private phone calls with the president, | numerous concessions, everything they could have possibly | wanted in terms of foreign policy, including an abrupt and | chaotic withdrawal from Syria where Russian troops literally | took over American bases, and a significant number of GOP | congressional representatives visiting Moscow on July 4th | together, with no American press there to cover the event or | tell us who they met with, what they discussed, or why they | went.
| | There's also evidence that Russia infiltrated the Treasury in | 2015, unrelated to the election interference afterwards. | | It's been war for a long time, and we have not been winning. | robertlagrant wrote: | On the plus side, no actual wars were started or joined. Like | Jimmy Carter. | nromiun wrote: | Am I missing something? Why is everyone so sure that it is | Russia? Are they the only ones with access to computers beside | US? | Consultant32452 wrote: | Because Russia has somewhat of an oil monopoly in Europe and | the US doesn't like that. We've been being fed Russia war | propaganda for at least a decade. If it even feels like a | "Russia kind of thing" to the general public that is just the | result of intentional conditioning by warmongers. | | It could have been literally any major world power, including | our allies. No evidence has been presented whatsoever as to | who the culprit is. | jessaustin wrote: | Hell, it could be a different part of the USA government, | like those "sonic embassy attacks" were. | Anon4Now wrote: | Don't you know? Liberals automatically blame Russia. | Conservatives automatically blame China. Me, I Blame Canada. | Damn you, Gordon Lightfoot! | DethNinja wrote: | Because it definitely couldn't be China or any other country. | mistermann wrote: | Psychological conditioning is my theory. If you think about | it, has this not been a rather popular news item for many | years? If people should not get their perception of world | affairs from the news, then from where should they get it? | justaman wrote: | It is an act of war. Be suspect of anyone downplaying. | jessaustin wrote: | That's what all the SolarWinds people are saying! | justaman wrote: | I suspect I'm being downvoted by foreign agents. | jessaustin wrote: | We can't rule out that possibility, but I also downvoted | that comment. HN needs less paranoia. | | [EDIT:] although, with the more recent comment you have | approached tantalizingly close to possible irony. 
So, I | upvoted that. | sorokod wrote: | If you had an experience of an actual war, you would NOT have | asked this question. | rossdavidh wrote: | Well, that is very similar to asking how it is that | conventional spying is not an act of war. It isn't, because | everyone is going to be doing it anyway, so if you make that an | act of war we have war all the time, rather than nations not | doing it. | bluedino wrote: | If it were Iran, Turkey, etc. the missiles would already be in | the air | randmeerkat wrote: | If the U.S. didn't go to war over Crimea why would they go to | war over this? | xtracto wrote: | Because Crimea is another country/outside of USA | jurisdiction? Whereas this is a direct attack to USA | institutions/government. | randmeerkat wrote: | This isn't an attack _yet_. This is potentially a part of | the process of developing the capabilities for a later | attack. | | Crimea is the first time a nation state has meaningfully | changed its borders that I know of since WW2. As a result I | would consider Crimea a much more egregious attack on | American values and western interests than a software | vulnerability that hasn't been leveraged to cause actual | harm. | 8note wrote: | The US executive branch is favourable to Russian interference. | They're invited | ars wrote: | > How is this NOT an act of war? | | Because spying is not an act of war. | | If it was, the entire world would be at war with the entire | world. | aaomidi wrote: | Lmao act of war. You going to fight? | | This is just what countries do to each other. Welcome to the | 21st century. | lovecg wrote: | And 20th, 19th, 18th, etc. The methods change, the spying is | constant. | maedla wrote: | It is appalling how so many people seem to have such little | regard for what the consequences of the next "war to end all | wars" would be. | georgiecasey wrote: | > How is this NOT an act of war? | | So you want bombing to start over this? I don't. | jimbokun wrote: | So it's an act of war.
Now what? | | Does the US escalate to a shooting war with the second biggest | nuclear power in the world? | | So it's not surprising Russia thinks they can act with a lot of | impunity without facing catastrophic consequences. | swalsh wrote: | We can try sanctions, but we've pretty much maxed out that | route after the Crimea annexation. | | If we do nothing, we're sending the message that these | actions are okay. | nemothekid wrote: | > _If we do nothing, we're sending the message that these | actions are okay._ | | I think it sends the message that these actions won't | trigger nuclear war. How would you even get public support | for war with Russia? | [deleted] | spand wrote: | Does anyone believe the US isn't doing similar shit | themselves? In that light it seems pretty disingenuous to | call out others for the same act. | jessaustin wrote: | Maybe we should "send the message" that we won't install | insecure shit on our networks? | asimovfan wrote: | no... nuclear war before free software. | alasdair_ wrote: | Microsoft's rejected new slogan. | wonder_er wrote: | The US Government does stuff like this to other countries | all. the. time. | | We don't hear about it much. But if this is an "act of war" | the US has conducted dozens of these kinds of "attacks" on | others over the last ten or fifteen years. | | _Countdown to Zero Day: Stuxnet and the Launch of the | World's First Digital Weapon_ [0] | | [0]: https://www.amazon.com/Countdown-Zero-Day-Stuxnet- | Digital-eb... | eunos wrote: | One of the shortcomings of a maximalist position: you lose | your leverage. | tfehring wrote: | We aren't even close to maxing out what could be | accomplished with economic sanctions! The US and Russia | still have a direct trading relationship! | smithza wrote: | US imposed individual sanctions and explicitly named hackers | from the GRU after the DOD investigated 2016 election | hacking, effectively authorizing their arrest if stepping on | western soil.
This will be handled diplomatically through the | State Dept. first. There is little incentive to start a | war with Russia I don't think. | x86_64Ubuntu wrote: | I may be wrong, but I thought members of the security | apparatus weren't allowed to leave the country in Russia? I | may be horrendously wrong, but I thought someone mentioned | that when these sanctions came out about Guccifer 2 and | such. | tomatotomato37 wrote: | There are ways for US to retaliate through espionage, such as | doing a mass round up of minor Russian spy assets that | usually aren't worth the effort to go after, going after | Russian operations in places where neither country has | jurisdiction, exposing blackmail of some random oligarch, | stirring up unrest with plausible deniability, etc. | | Essentially make life difficult for the people who actually | run Russia. | hn_throwaway_99 wrote: | > Malicious code added to an Orion software update may have gone | undetected by antivirus software and other security tools on host | systems thanks in part to guidance from SolarWinds itself. In | this support advisory, SolarWinds says its products may not work | properly unless their file directories are exempted from | antivirus scans and group policy object restrictions. | | Ouch! | dj_mc_merlin wrote: | Not uncommon for software that has to do very "shady" stuff, | although their other advisories are quite bullcrap. | octopoc wrote: | It's not just shady stuff. Recently, on a customer's Windows | server, antivirus software randomly decided to permanently | delete some of our DLLs (!). We weren't doing anything remotely | shady; it was a normal ASP.NET Core app. | mandevil wrote: | Also, any task that involves reading or writing files will, | in the presence of customer antivirus software, turn into a | random number generator on whether the read/write goes | through at all, how long it takes, etc. We are constantly | having issues with customer AV because of this.
| dj_mc_merlin wrote: | Yes, the shady was in quotes. It's hard to tell some | classes of malware from a security program in general. | thesimon wrote: | SolarWinds hasn't bothered to revoke their certs or remove the | package | | https://twitter.com/KyleHanslovan/status/1338360093767823362 | | Back in 2019 apparently their FTP server credentials were exposed | on GitHub, allowing automated updates to be pushed | | https://twitter.com/vinodsparrow/status/1338431183588188160/... | | Edit: If updates failed due to signature not matching, SolarWinds | recommended downloading the package and installing it manually, | LOL | | https://twitter.com/KyleHanslovan/status/1338419999665508354... | Merman_Mike wrote: | Am I understanding the last one correctly? | | 1. Customers complain that they can't install latest version | because its checksum doesn't match what SolarWinds posted | | 2. The checksum doesn't match because malware has been inserted | into the package during build/delivery | | 3. SolarWinds tells customers to ignore this and install it | manually | | Did no one think to check _why_ the checksum didn't match? | [deleted] | jessaustin wrote: | One suspects they've given this advice for a long time... | because their shit has been hacked for a long time. | gitweb wrote: | I don't understand why anyone would pay for SW in the first | place. It has been garbage software for a long time. If | government clients are paying for this and installing it on | their servers, we have bigger worries. | RobRivera wrote: | Solarwinds is def. used by active duty cyber units at | Lackland AFB...and they wonder why we tell them they can't | just install what they feel like. | eli wrote: | #2 is speculation. Seems possible that there's an unrelated | bug causing checksum errors. In any event, it's not a good | look right now. | swiley wrote: | I guess if you can be as successful as SolarWinds with that | level of incompetence I should stop worrying so much about | myself.
| spondyl wrote: | You'd be surprised honestly | 1vuio0pswjnm7 wrote: | Is it possible that there could be SolarWinds customers who are | not vulnerable because, for whatever reason, they did not | enable/install updates? Were updates to the Orion software | necessary for the original software to continue to function or | were they optional? | zimpenfish wrote: | They've said that 33k customers were potentially exposed but | only 18k actually downloaded that update. | | https://www.zdnet.com/article/sec-filings-solarwinds- | says-18... | Nightshaxx wrote: | LOL that last one. Why bother having the checksum at all in | this case.... | coldcode wrote: | Clearly whoever is the CIO/CISO could care less? I find it | hilarious that people get these positions without seemingly a | care in the world. Or maybe they do care and the CEO didn't? | Hardly anyone ever gets fired in these circumstances. | ilikeerp wrote: | Surely he COULDN'T care less? | 35fbe7d3d5b9 wrote: | > SolarWinds hasn't bothered to revoke their certs or remove | the package | | _Amazing._ While I'm sure the attackers have already shut up | shop and the threat no longer exists, this feels insanely tone- | deaf from SolarWinds. | bluedino wrote: | Maybe they were just bribed? | 35fbe7d3d5b9 wrote: | An employee, possibly. The whole company, unlikely. And | either way, even if someone was bribed to introduce the | attack there's zero reason to allow the hacked software to | be downloaded now. | | I work at a large and highly regulated (HIPAA) company and | we have the equivalent of Electric Dylan/Pete Seeger with | the axe: if someone at the VP+ level declares a major | incident, our infosec team has a script that will lock down | all inbound/outbound traffic, snapshot all our running | machines for later forensics, lock our AWS IAM access down | to a single incident response account, and move DNS for our | web properties to a "we've been hacked" page.
(OK, it | obviously doesn't say _that_, but something similar that | has been heavily vetted by legal and marketing ;-)). We've | drilled and timed it out and can stop the ship in ~5 | minutes. | | Either SolarWinds doesn't have a major security incident | response plan, or they don't have the stomach to pull the | trigger. Neither is promising. | whatshisface wrote: | > _if someone at the VP+ level declares a major incident | [...]_ | | I read this as, "we have a policy that under no | circumstances will someone at a VP+ level declare a major | incident." | strogonoff wrote: | Sounds like a solid information security incident | response mechanism! | | The only missing piece is making sure that VP+ level | folks are not incentivized in any way to suppress | incidents. However, that's beyond infosec--in that | treacherous area between information security, | shareholder interests and organizational politics. | | I wish business continuity planning (which would include | infosec procedures but has a much wider overall scope) | was paid more attention and more widely scrutinized. | NikolaNovak wrote: | 1. That's impressive | | 2. My own knowledge of folk rock and subsequent visits to | Google and Wikipedia have not helped me interpret this | reference, in this context: | | "Electric Dylan/Pete Seeger with the axe" | | Help, please :-D | 35fbe7d3d5b9 wrote: | Ha! | | https://en.wikipedia.org/wiki/Electric_Dylan_controversy | | http://communityvoices.post-gazette.com/arts- | entertainment-l... | | > The Cliff Notes version is Dylan, whose latest album | Bringing It All Back Home had upset many folk purists | with its amplified accompaniment, performed at Newport on | July 25 with amplified backing by the Paul Butterfield | Blues Band, who played the festival on their own.
As an | offended audience booed Dylan performing with | Butterfield's band (minus Butterfield himself), an | incensed Seeger, outraged at his friend's apostasy, | wanted the audio shut off and sought an axe to cut the | cables as Dylan and the band ripped through "Maggie's | Farm" and "Like A Rolling Stone," Dylan's just-released | single. | thrower wrote: | Have there been any statements / postmortems released from | SolarWinds itself yet? ___________________________________________________________________ (page generated 2020-12-14 23:00 UTC)