Lapsus$ Shames Okta/Sitel | Bitcoin Nukes Climate | EU DMA E2EE FAIL

Welcome to The Long View—where we peruse the news of the week and strip it to the essentials. Let’s work out what really matters.

This week: Okta and Sitel under fire over Lapsus$ hack, Greenpeace and others call for bitcoin change, and Europe still hates encryption.

DevOps/Cloud-Native Live - Washington DC

1. Lapsus$ Embarrasses Okta and Sitel

First up this week: New research uncovers the deeply worrying timeline of January’s Okta hack. Okta and its low-code contractor Sitel are under fire for doing precious little for two months.

Analysis: Paralysis

Both Okta and Sitel knew that they were compromised in January. But it took them two months to ‘fess up—only revealing the hack when Lapsus$ went public with the news. And, as we discussed last week, even then they tried to wriggle out of it.

Zack Whitaker: Lapsus$ found a spreadsheet of passwords as they breached Okta, documents show

Lapsus$ hackers used compromised credentials to break into the network of customer service giant Sitel in January, days before accessing the internal systems of authentication giant Okta. … The documents provide the most detailed account to date of the Sitel compromise, which allows the hackers to later gain access to Okta’s network.

The attackers used remote access services and publicly accessible hacking tools to compromise and navigate through Sitel’s network, gaining deeper visibility to the network over… five days. [They] accessed a spreadsheet on Sitel’s internal network … called “DomAdmins-LastPass.xlsx.” The filename suggests that the spreadsheet contained passwords for domain administrator accounts that were exported from a Sitel employee’s LastPass password manager.

Customers only learned of Okta’s January security breach on March 22 after the Lapsus$ hacking group published screenshots revealing it had accessed Okta’s internal apps and systems some two months earlier. … Okta has faced criticism for not warning customers sooner of the Sitel breach. … Okta chief security officer David Bradbury said the company “should have moved more swiftly.”

Who discovered the info? Bill Demirkapi:

My questions for Okta: You knew that the machine of one of your customer support members was compromised back in January. Why didn’t you investigate it? Having the ability to detect an attack is useless if you aren’t willing to respond.

For the Sitel Group: Why weren’t your customers immediately informed upon the first sign of compromise? Why did your customers have to wait two months to even hear that you were breached?

I bet there’s a “get off my lawn” angle. Here’s Canberra1:

The root cause is Agile: … No documentation, go fast, onboard people fast (give every one admin, with a trove of plaintext accounts). … There must be a sacrificial scapegoat person who has to be fired out of this.

2. “Change the Code, Not the Climate”

Environmental change want bitcoin to stop causing climate. Funded by Chris Larsen, they’re calling on the bitcoin community to replace its “proof of work” mechanism with something that uses far less energy.

Analysis: Unstoppable force meets immovable object

The calls for bitcoin—and cryptocurrencies in general—to emit less CO₂e continue to grow. But the “community” of crypto-bros continue to stick their fingers in their ears and pretend it’s not a problem. This will not end well, for any of us.

Paul Vigna: Environmental Groups Pressure Bitcoin Community to Lower Energy Use

A consortium of environmental groups launched a campaign… seeking to change bitcoin’s code to decrease its energy use. … Bitcoin is popular among some investors, but its energy use has riled environmental groups, alarmed some lawmakers, and put the cryptocurrency at odds with a green movement that has some supporters on Wall Street.

Greenpeace USA, Environmental Working Group and others will run ads… highlighting bitcoin’s environmental impact and advocating for change. The campaign is funded by Ripple co-founder Chris Larsen [who] provided $5 million.

The goal is to persuade bitcoin’s community of investors and backers to change the network’s code, removing the “proof of work” mechanism [which] requires miners to expend vast amounts of computing power to make it prohibitively expensive for somebody to take over the network. … Bitcoin’s environmental effects have been an issue for years, but the people in control of it have rejected the kinds of changes being proposed.

I have a feeling it’s not going to meet a warm reception. Eliza Gkritsi illustrates the point:

The bitcoin community is reacting harshly and incredulously to a planned ad campaign by … Chris Larsen and Greenpeace USA that would advocate a code change. … The ad campaign, which is dubbed “Change the Code, Not the Climate” [is] set to roll out over the next month … and some of the ads will take aim at … Elon Musk [and] Jack Dorsey.

Larsen recognized efforts … to use renewable energy, but said many other miners “are repurposing old coal & gas plants.” … Using renewable energy is not a long-term solution because the PoW system incentivizes miners to find the cheapest energy, he argued.

The chances of such a measure being implemented from the top down, without widespread consensus, are dubious. … The reaction from bitcoin proponents was swift and harsh.

Such as? Such as this eloquently argued rebuttal, from the pen of Zack Voell:

The only thing I have to say is: **** off, Chris.

3. EU Digital Markets Act Will Kill End-to-End Encryption

Europe’s new “DMA” proposal aims to force messaging apps to be interoperable—even if they use E2EE. Stand by for a bunch of graybeards telling us how that’s impossible.

Analysis: Europe doesn’t care

But the European Commission’s Frau von der Leyen and her ivory tower crons aren’t listening. And why would they? It aligns perfectly with their twin aims: To add socialist friction to US tech firms’ business, and to outlaw strong encryption.

Corinne Fayfe: Security experts say new EU rules will damage WhatsApp encryption

Sweeping legislation to target Big Tech in Europe, known as the Digital Markets Act (DMA) [is] an ambitious law with far-reaching implications. The most eye-catching measure … would require that every large tech company … create products that are interoperable with smaller platforms. For messaging apps, that would mean letting end-to-end encrypted services like WhatsApp mingle with less secure protocols… which security experts worry will general hard-won gains.

The consensus among cryptographers is that it will be difficult, if not impossible, to maintain encryption between apps, with potentially enormous implications. … The result could be that some, if not all, of WhatsApp’s end-to-end messaging encryption is weakened or removed, robbing a billion users of the protections of private messaging. … There’s no simple fix.

Alec Muffett, an internet security expert and former Facebook engineer who recently helped Twitter launch an encrypted Tor service [quipped] “If you went into a McDonald’s and said, ‘In the interest of breaking corporate monopolies, I demand that you include a sushi platter from some other restaurant with my order,’ they would rightly just stare at you.”

Will this be another “green iMessage bubbles” thing? kogir:

I’ll wait to see the details but modern messaging apps are super complex and have tons of features. The odds of a third party implementing them all (and correctly) is low.

Instead it’ll be like how iMessage “interoperates” with SMS, where non-native users are shunned for breaking everything for the group.

Won’t somebody think of the children? Not geekmux:

Come on. … This law isn’t about interoperability. It’s about banning encryption.

The Moral of the Story:
Uneasy lies the head that wears the crown.

You have been reading The Long View by Richi Jennings. You can contact him at @RiChi or [email protected].

Image: Javier Queipo Menéndez (via Unsplash; leveled and cropped)

Leave a Comment