One Article Review

Source Errata Security
Identifier 2401343
Publication date 2021-02-25 20:31:46 (viewed: 2021-02-26 02:05:23)
Title No, 1,000 engineers were not needed for SolarWinds
Text Microsoft estimates it would take 1,000 engineers to carry out the famous SolarWinds hacker attacks. This means in reality that it was probably fewer than 100 skilled engineers. I base this claim on the following Tweet:

"When asked why they think it was 1,000 devs, Brad Smith says they saw an elaborate and persistent set of work. Made an estimate of how much work went into each of these attacks, and asked their own engineers. 1,000 was their estimate." — Joseph Cox (@josephfcox) February 23, 2021

Yes, it would take Microsoft 1,000 engineers to replicate the attacks. But it takes a large company like Microsoft 10 times the effort to replicate anything. This is partly because Microsoft is a big, stodgy corporation. But it is mostly because of a fundamental property of software engineering: replicating something takes 10 times the effort of creating the original thing.

It's like painting. The effort to produce a work is often less than the effort to reproduce it. I can throw some random paint strokes on canvas with almost no effort. It would take you an immense amount of work to replicate those same strokes -- even to figure out the exact color of paint that I randomly mixed together.

Software Engineering

The process of software engineering is about creating software that meets a certain set of requirements, or a specification. It is an extremely costly process to verify that the specification is correct. It's like building a bridge: forget one piece and the entire bridge collapses.

But code slinging by hackers and open-source programmers works differently. They aren't building toward a spec. They are building whatever they can and whatever they want. It takes a tenth, or even a hundredth, of the effort of software engineering. Yes, it usually builds things that few people (other than the original programmer) want to use. But sometimes it produces gems that lots of people use.

Take my most popular code slinging effort, masscan. I spent about 6 months of total effort writing it at this point. But if you run code analysis tools on it, they'll tell you that it would take several millions of dollars to replicate the amount of code I've written. And that's just measuring the bulk code, not the numerous clever capabilities and innovations in the code.

According to these metrics, I'm either a 100x engineer (a hundred times better than the average engineer) or my claim is true that "code slinging" is a fraction of the effort of "software engineering".

The same is true of everything the SolarWinds hackers produced. They didn't have to software-engineer code according to Microsoft's processes. They only had to sling code to satisfy their own needs. They don't have to train or hire engineers with the skills necessary to meet a specification; they can write the specification according to what their own engineers can produce. They can do whatever they want with the code because they don't have to satisfy somebody else's needs.

Hacking

Something is similarly true with hacking. Hacking a specific target, a specific way, is very hard. Hacking any target, any way, is easy.

Like most well-known hackers, I regularly get those emails asking me to hack somebody's Facebook account. This is very hard. I can try a lot of things, and in the end, chances are I cannot succeed. On the other hand, if you ask me to hack anybody's Facebook account, I can do that in seconds. I can download one of the many ha
Sent Yes
Tags Hack


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.