Notes from the field: JetBrains, Trust, and software
- Joel Van Dyk
- May 11, 2022
- 3 min read
Widely Used Software Company May Be Entry Point for Huge U.S. Hacking (Published 2021) (https://www.nytimes.com/2021/01/06/us/politics/russia-cyber-hack.html?smid=url-share)
This article isn’t about JetBrains. It’s about the circle of trust that we have to live with on the internet, a circle that is rapidly shrinking toward, and should already be, zero. The words to live by are most famously from Reagan and Gorbachev: “trust, but verify” (“doveryai, no proveryai”).
The article above is from the end of last year, but we are still living every day with the consequences. It really doesn’t matter any more whether the company, founded by three Russian engineers in the Czech Republic with research labs in Russia, was actually breached and used as a pathway for hackers to insert back doors into the software of an untold number of technology companies. Nor does it matter whether that months-long intrusion is the biggest breach of United States networks in history. JetBrains has lost our trust, and we are all compiling our own versions of IntelliJ and PyCharm off of freeware and dumping TeamCity.
Trust is a necessity in a marriage and a family. It’s not the basis of a sound cybersecurity program, especially in the Wild West that the Internet has become today.
So, what do we do, ourselves, within our homes and companies?
At home, don’t download any piece of software you find on the internet without first finding out where it’s from and scanning it for malware. I’ve spent too many hours fixing computers (ok, my in-laws’) that have done just that. Really ask yourself, too: if all I do at home is browse the internet, play online games, and write some Word docs and Excel spreadsheets, do I really need to buy a full-blown computer with a lot of software that a hacker can attack, or is a tablet enough and easier for me to maintain? My brother is just getting an iPad with a keyboard.
Apply the same at work. I spend a TON of money every year keeping a global financial institution, one with dependencies on the major world economies, clean. I can’t yet break that environment into enough discrete parts to contain everyone’s risk. Why would I let you install your piece of software when you can’t tell me who wrote it, what language it’s in, what software modules it’s composed of (a software bill of materials, or SBOM), and what vulnerabilities I am accepting into my environment (static and dynamic code scanning)? None of that is new tech, so any vendor should be able to provide it. If I can’t test that software myself, the vendor had better have a report from a reputable third-party tester. Otherwise, it’s like letting someone’s untrained dog into my house.
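As an added example (not the author’s code, and not tied to any vendor named on this page), here are two of the controls the last two paragraphs ask for, turned into a small admission gate: the downloaded file is checked against the hash the vendor published out of band, and the vendor’s SBOM is parsed and its components compared with a vulnerability list before anything is allowed in. The package bytes, the SBOM contents, the hostnames and the `VULN-PLACEHOLDER` ids are all constructed for illustration; the only real structure assumed is CycloneDX’s top-level `components` list.

```python
"""Gate a vendor package on the controls the post asks for: the download's hash checked
against what the vendor published, and the SBOM's components checked against a
vulnerability list. Every input here is constructed for illustration; the package bytes,
hostnames and VULN-PLACEHOLDER ids are not real."""
import hashlib
import hmac
import json

# Constructed "download" and the SHA-256 the vendor would publish for it out of band.
VENDOR_PACKAGE = b"vendor-tool-1.4.2 installer bytes (constructed sample)"
VENDOR_PUBLISHED_SHA256 = hashlib.sha256(VENDOR_PACKAGE).hexdigest()

# Constructed CycloneDX-style SBOM: the real format is JSON with a top-level "components"
# list, each entry carrying a name, version and package URL (purl).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log-lib", "version": "2.14.1",
         "purl": "pkg:maven/example/log-lib@2.14.1"},
        {"type": "library", "name": "http-client", "version": "4.5.13",
         "purl": "pkg:maven/example/http-client@4.5.13"},
        {"type": "library", "name": "yaml-parse", "version": "1.26",
         "purl": "pkg:maven/example/yaml-parse@1.26"},
    ],
})

# Constructed vulnerability feed: a component is affected when its version is below "fixed".
# The ids are placeholders, not real CVE numbers.
VULN_FEED = [
    {"id": "VULN-PLACEHOLDER-001", "name": "log-lib", "fixed": "2.17.1", "severity": "critical"},
    {"id": "VULN-PLACEHOLDER-002", "name": "yaml-parse", "fixed": "1.31", "severity": "high"},
]


def version_tuple(version: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); dot-separated parts that are not pure digits are dropped."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def verify_download(blob: bytes, published_sha256: str) -> bool:
    """Refuse the file unless its SHA-256 matches the hash the vendor published separately."""
    actual = hashlib.sha256(blob).hexdigest()
    return hmac.compare_digest(actual, published_sha256.strip().lower())


def sbom_components(sbom_json: str) -> list:
    """Parse the SBOM and return its component list, rejecting anything that is not CycloneDX."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX" or not isinstance(bom.get("components"), list):
        raise ValueError("expected a CycloneDX SBOM with a components list")
    return bom["components"]


def known_vulnerabilities(components: list, feed: list) -> list:
    """Return (name, version, vuln id, severity) for every component below a fixed version."""
    findings = []
    for comp in components:
        for vuln in feed:
            if comp["name"] == vuln["name"] and \
                    version_tuple(comp["version"]) < version_tuple(vuln["fixed"]):
                findings.append((comp["name"], comp["version"], vuln["id"], vuln["severity"]))
    return findings


def admit(blob: bytes, published_sha256: str, sbom_json: str, feed: list,
          block_on=("critical", "high")) -> tuple:
    """Decide whether the package may enter the environment; returns (admitted, reasons)."""
    if not verify_download(blob, published_sha256):
        # Do not even open the SBOM of a file we cannot tie to the vendor.
        return False, ["download hash does not match the vendor-published SHA-256"]
    reasons = [f"{name} {ver} has {vid} ({sev}); fixed version required"
               for name, ver, vid, sev in known_vulnerabilities(sbom_components(sbom_json), feed)
               if sev in block_on]
    return (not reasons), reasons


if __name__ == "__main__":
    ok, why = admit(VENDOR_PACKAGE, VENDOR_PUBLISHED_SHA256, SBOM_JSON, VULN_FEED)
    print("admitted" if ok else "blocked", why)
```

The ordering is deliberate: the hash check runs first, because an SBOM only means something for the exact bytes the vendor shipped, and a file that fails that check gets no further review.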
The usual explanation I get, even from younger coders who you’d have hoped would understand more, is the same one I’ve been getting for 20 years: “business x needs this and we trust vendor y” or “government a says we have to produce their reports in this way, and here is the vendor they recommend.”
Well, I don’t know why the business thinks it can put the whole firm at risk for its priorities, and I don’t know vendor y from a hole in the wall. I have no desire to be the next Maersk, who did just that with a piece of vendor accounting software in Odessa that turned out to be riddled with Russian malware. They shut down their whole computer network, their whole company, the world’s shipping lanes and a good part of the global economy. Thank heaven for that one server in Ghana that just happened to be offline.
Similarly, when a programmer tells me I have to install some government’s piece of software without the same controls above, I’m gonna say, “you mean the same government whose auditors would give me a finding if I did just that?” Most governments’ software is either underfunded and poorly written, or not trustworthy at all (China, Russia). If I have to run it and I can’t test it, I’m gonna put it on some very walled-off part of my network where the dozen SSL connections it tries to open to places all over China are blocked.
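Blocking those connections is half of the control; the other half is seeing them, because the list of places an untested program tries to reach is exactly the evidence you want when deciding whether it stays. The following is an added example, not the author’s code: it runs a default-deny egress rule over a few constructed firewall log lines from a quarantined segment and flags every connection to a destination outside the segment’s allowlist. The segment, the allowlist, the hostnames and the log lines are all constructed (the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges), and the `key=value` log layout is assumed rather than taken from any particular product.

```python
"""Detect a walled-off application phoning home: parse constructed egress log lines and
flag every connection from the quarantined segment to a destination not on its allowlist.
All addresses, hostnames and log lines are constructed (203.0.113.0/24 and 198.51.100.0/24
are documentation ranges); the key=value log layout is an assumption, not a product's format."""
import ipaddress
import re
from collections import Counter

# Constructed quarantine segment and the only destinations the software is allowed to reach:
# the vendor's update host and an internal license server.
QUARANTINE_SEGMENT = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_DESTINATIONS = {"updates.vendor.example", "10.20.30.5"}

# Constructed egress log: one connection attempt per line. The last line comes from a host
# outside the quarantine segment and is out of scope for this rule.
SAMPLE_LOG = """\
2022-05-11T09:00:01Z src=10.20.30.17 dst=updates.vendor.example dport=443 proto=tcp
2022-05-11T09:00:02Z src=10.20.30.17 dst=10.20.30.5 dport=8443 proto=tcp
2022-05-11T09:00:03Z src=10.20.30.17 dst=203.0.113.44 dport=443 proto=tcp
2022-05-11T09:00:04Z src=10.20.30.17 dst=telemetry.unknown.example dport=443 proto=tcp
2022-05-11T09:00:05Z src=10.20.30.17 dst=203.0.113.44 dport=443 proto=tcp
2022-05-11T09:00:06Z src=10.20.30.99 dst=198.51.100.9 dport=53 proto=udp
2022-05-11T09:00:07Z src=10.99.0.4 dst=203.0.113.44 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line: str):
    """Return a dict of fields for a well-formed line, or None so a malformed line is skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def in_segment(addr: str, segment: ipaddress.IPv4Network) -> bool:
    """True when addr is an IP address inside the quarantine segment; anything unparseable is not."""
    try:
        return ipaddress.ip_address(addr) in segment
    except ValueError:
        return False


def unexpected_egress(log: str, segment, allowed: set) -> list:
    """Every connection from the segment to a destination outside the allowlist (default deny)."""
    flagged = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None or not in_segment(rec["src"], segment):
            continue  # unparseable, or not from the quarantined segment
        if rec["dst"] not in allowed:
            flagged.append((rec["ts"], rec["src"], rec["dst"], rec["dport"], rec["proto"]))
    return flagged


def destinations_by_count(flagged: list) -> Counter:
    """Flagged events per destination: the ranking an analyst triages first."""
    return Counter(dst for _, _, dst, _, _ in flagged)


if __name__ == "__main__":
    events = unexpected_egress(SAMPLE_LOG, QUARANTINE_SEGMENT, ALLOWED_DESTINATIONS)
    for dst, n in destinations_by_count(events).most_common():
        print(f"{n:3d}  {dst}")
```

Run against the sample, the two allowed connections pass and four are flagged across three destinations; the repeat offender (two attempts to the same address) sorts to the top, which is the first thing to ask the vendor about.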
This is the world we live in today: trust your family, your friends, no one else. Your vendor is not your friend. Your regulator/government is not your friend.
You are the first line of defense. Realize that your actions have direct consequences, and that the company isn’t a bubble anymore that can absorb YOUR mistakes. Everything is interconnected today, and it only takes one link to break to cause massive problems for all. Don’t take the easy way out: that is what the hackers and intel agencies are counting on from you.