Judge temporarily halts work on JEDI contract until court can hear AWS protest

A sealed order from a judge today has halted the $10 billion, decade-long JEDI project in its tracks until AWS’s protest of the contract award to Microsoft can be heard by the court.

The order signed by Judge Patricia E. Campbell-Smith of the U.S. Court of Federal Claims stated:

The United States, by and through the Department of Defense, its officers, agents, and employees, is hereby PRELIMINARILY ENJOINED from proceeding with contract activities under Contract No. HQ0034-20-D-0001, which was awarded under Solicitation No. HQ0034-18-R-0077, until further order of the court.

The judge was not taking this lightly, adding that Amazon would have to put up a $42 million bond to cover costs should it later prove that the injunction was issued wrongfully. Given that Amazon’s market value as of today is $1.08 trillion, the company can probably afford to put up the money, but it must provide it by February 20th, and the court gets to hold the funds until a final determination has been made.

At the end of last month, Amazon filed a motion to stop work on the project until the court could rule on its protest. It is worth noting that in protests of this sort, it is not unusual to stop work until a final decision on the award can be made.

This is all part of an ongoing drama that has gone on for a couple of years since the DoD put this out to bid. After much wrangling, the DoD awarded the contract to Microsoft at the end of October. Amazon filed suit in November, claiming that the president had unduly influenced the process.

As we reported in December, at a press conference at AWS re:Invent, the cloud arm’s annual customer conference, AWS CEO Andy Jassy made clear the company thought the president had unfairly influenced the procurement process:

“I would say is that it’s fairly obvious that we feel pretty strongly that it was not adjudicated fairly,” he said. He added, “I think that we ended up with a situation where there was political interference. When you have a sitting president, who has shared openly his disdain for a company, and the leader of that company, it makes it really difficult for government agencies, including the DoD, to make objective decisions without fear of reprisal.”

Earlier this week, the company filed paperwork to depose the president and Secretary of Defense Mark Esper.

The entire statement from the court today halting the JEDI project:

SEALED OPINION AND ORDER granting [130] Motion for Preliminary Injunction, filed by plaintiff. The United States, by and through the Department of Defense, its officers, agents, and employees, is hereby PRELIMINARILY ENJOINED from proceeding with contract activities under Contract No. HQ0034-20-D-0001, which was awarded under Solicitation No. HQ0034-18-R-0077, until further order of the court.

Pursuant to RCFC 65(c), plaintiff is directed to PROVIDE security in the amount of $42 million for the payment of such costs and damages as may be incurred or suffered in the event that future proceedings prove that this injunction was issued wrongfully.

As such, on or before 2/20/2020, plaintiff is directed to FILE a notice of filing on the docket in this matter indicating the form of security obtained, and plaintiff shall PROVIDE the original certification of security to the clerk of court. The clerk shall HOLD the security until this case is closed.

On or before 2/27/2020, the parties are directed to CONFER and FILE a notice of filing attaching a proposed redacted version of this opinion, with any competition-sensitive or otherwise protectable information blacked out. Signed by Judge Patricia E. Campbell-Smith.

Model9 gets $9M Series A to move data between mainframes and cloud

Model9, an Israeli startup launched by mainframe vets, has come up with a way to transfer data between mainframe computers and the cloud, and today the company announced a $9 million Series A.

Intel Capital led the round with help from existing investors, including StageOne, North First Ventures and Glenrock Israel. The company reports it has now raised almost $13 million.

You may not realize it, but the largest companies in the world, like big banks, insurance companies, airlines and retailers, still use mainframes. These companies require the massive transaction processing capabilities of these stalwart machines, but find it’s difficult to get the valuable data out for more modern analytics capabilities. This is the hard problem that Model9 is attempting to solve.

Gil Peleg, CEO and co-founder at Model9, says that his company’s technology is focused on helping mainframe users get their data to the cloud or other on-prem storage. “Mainframe data is locked behind proprietary storage that is inaccessible to anything that’s happening in the evolving, fast-moving technology world in the cloud. And this is where we come in with patented technology that enables mainframes to read and write data directly to the cloud or any non-mainframe distributed storage system,” Peleg explained.

This has several important use cases. For starters, it can act as a disaster recovery system, eliminating the need to maintain expensive tape backups. It also can move this data to the cloud where customers can apply modern analytics to data that was previously inaccessible.

The company’s solution works with AWS, Google Cloud Platform, Microsoft Azure and IBM’s cloud. It also works with other on-prem storage solutions like EMC, Nutanix, NetApp and Hitachi. Peleg says the idea is to give customers true hybrid cloud options, whether a private cloud or a public cloud provider.

“Ideally our customers will deploy a hybrid cloud topology and benefit from both worlds. The mainframe keeps doing what it should do as a reliable, secure, trusted [machine], and the cloud can manage the scale and the rapidly growing amount of data and provide the new modern technologies for disaster recovery, data management and analytics,” he said.

The company was founded in 2016 and took a couple of years to develop the solution. Today, the company is working with a number of large organizations using mainframes. Peleg says he wants to use the money to expand the sales and marketing operation to grow the market for this solution.

Microsoft Patch Tuesday, February 2020 Edition

Microsoft today released updates to plug nearly 100 security holes in various versions of its Windows operating system and related software, including a zero-day vulnerability in Internet Explorer (IE) that is actively being exploited. Also, Adobe has issued a bevy of security updates for its various products, including Flash Player and Adobe Reader/Acrobat.

A dozen of the vulnerabilities Microsoft patched today are rated “critical,” meaning malware or miscreants could exploit them remotely to gain complete control over an affected system with little to no help from the user.

Last month, Microsoft released an advisory warning that attackers were exploiting a previously unknown flaw in IE. That vulnerability, assigned CVE-2020-0674, has been patched with this month’s release. It could be used to install malware just by getting a user to browse to a malicious or hacked Web site.

Microsoft once again fixed a critical flaw in the way Windows handles shortcut (.lnk) files (CVE-2020-0729) that affects Windows 8 and 10 systems, as well as Windows Server 2008-2012. Allan Liska, intelligence analyst at Recorded Future, says Microsoft considers exploitation of the vulnerability unlikely, but that a similar vulnerability discovered last year, CVE-2019-1280, was being actively exploited by the Astaroth trojan as recently as September.

Another flaw fixed this month in Microsoft Exchange 2010 through 2019 may merit special attention. The bug could allow attackers to exploit the Exchange Server and execute arbitrary code just by sending a specially crafted email. This vulnerability (CVE-2020-0688) is rated “important” rather than “critical,” but Liska says it seems potentially dangerous, as Microsoft identifies this as a vulnerability that is likely to be exploited.

In addition, Redmond addressed a critical issue (CVE-2020-0618) in the way Microsoft SQL Server versions 2012-2016 handle page requests.

After a several-month respite from patches for its Flash Player browser plug-in, Adobe has once again blessed us with a security update for this program (which fixes one critical flaw). Thankfully, Chrome and Firefox both now disable Flash by default, and Chrome and IE/Edge auto-update the program when new security updates are available. Adobe is slated to retire Flash Player later this year.

Other Adobe products for which the company shipped updates today include Experience Manager, Digital Editions, Framemaker and Acrobat/Reader (17 flaws). Security experts at Qualys note that on January 28th, Adobe also issued an out-of-band patch for Magento, labeled as Priority 2.

“While none of the vulnerabilities disclosed in Adobe’s release are known to be Actively Attacked today, all patches should be prioritized on systems with these products installed,” said Qualys’s Jimmy Graham.

Windows 7 users should be aware by now that while a fair number of flaws addressed this month by Microsoft affect Windows 7 systems, this operating system is no longer being supported with security updates (unless you’re an enterprise taking advantage of Microsoft’s paid extended security updates program, which is available to Windows 7 Professional and Windows 7 Enterprise users).

If you rely on Windows 7 for day-to-day use, it’s probably time to think about upgrading to something newer. That might be a computer with Windows 10. Or maybe you have always wanted that shiny macOS computer.

If cost is a primary motivator and the user you have in mind doesn’t do much with the system other than browsing the Web, perhaps a Chromebook or an older machine with a recent version of Linux is the answer (Ubuntu may be easiest for non-Linux natives). Whichever system you choose, it’s important to pick one that fits the owner’s needs and provides security updates on an ongoing basis.

Keep in mind that while staying up-to-date on Windows patches is a must, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re not losing your mind when the odd buggy patch causes problems booting the system.

So do yourself a favor and back up your files before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.
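The two pieces of advice above (retire unsupported Windows 7 hosts, and back up before you patch) can be folded into a pre-patch check script. The following PowerShell is an added example written for this page; it is not from the KrebsOnSecurity post or from Microsoft. It assumes the host runs Windows PowerShell 5.1 in an elevated session, that Windows 7 / Server 2008 R2 can be recognised by their kernel version 6.1, and that an external backup disk is attached as E: (the drive letter is a placeholder you pass in).

```powershell
# Pre-patch readiness check for a Windows host. Added example, not from the
# original post; the EOL threshold (Windows 7 = NT 6.1) and the backup target
# drive letter are assumptions chosen for illustration.
# Run from an elevated Windows PowerShell prompt before applying a Patch Tuesday release.

param(
    # Drive that will receive the system image; assumed to be an attached external disk.
    [string]$BackupTarget = 'E:',
    # Only create the restore point and system image when explicitly asked.
    [switch]$RunBackup
)

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$version = [version]$os.Version

Write-Host "Host: $env:COMPUTERNAME  OS: $($os.Caption)  Version: $($os.Version)"

# Windows 7 and Server 2008 R2 report kernel version 6.1. Without paid Extended
# Security Updates these builds receive no further fixes, so flag them rather than patch them.
if ($version -lt [version]'6.2') {
    Write-Warning "Kernel $version is Windows 7 / Server 2008 R2 generation: out of security support unless enrolled in ESU. Plan an upgrade instead of relying on patches."
}

# Show how stale the host is: the most recently installed updates and their dates.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5

if ($recent) {
    Write-Host "Most recent updates:"
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize | Out-String | Write-Host
    $age = (Get-Date) - $recent[0].InstalledOn
    if ($age.Days -gt 45) {
        Write-Warning "Last update installed $($age.Days) days ago; at least one monthly cycle has been missed."
    }
} else {
    Write-Warning "No hotfix history found; verify that Windows Update is functioning on this host."
}

# Backup gate: refuse to go further until the backup target is actually present,
# so a missing disk is caught before patching rather than after a failed boot.
if (-not (Test-Path -Path $BackupTarget)) {
    Write-Error "Backup target $BackupTarget not found. Attach the backup disk before installing updates."
    return
}

if ($RunBackup) {
    # Cheap first line of defence: a System Restore point (requires System Restore enabled on C:).
    Checkpoint-Computer -Description "Pre-Patch-Tuesday $(Get-Date -Format yyyy-MM-dd)" -RestorePointType MODIFY_SETTINGS

    # Full, bootable image of all critical volumes using the built-in Windows Backup engine.
    wbadmin start backup -backupTarget:$BackupTarget -include:C: -allCritical -quiet
} else {
    Write-Host "Re-run with -RunBackup to create a restore point and a system image on $BackupTarget before patching."
}
```

Run it first without `-RunBackup` to see the support status and patch age; run it again with `-RunBackup` once the external disk is attached. `Checkpoint-Computer` exists only in Windows PowerShell (not PowerShell 7) and Windows allows one restore point per 24 hours by default, so the `wbadmin` image is the step that actually protects you against a patch that breaks booting.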

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. Also, keep an eye on the AskWoody blog from Woody Leonhard, who keeps a close eye on buggy Microsoft updates each month.

From Storage to SaaS Cybersecurity: The Why

Mark Parrinello, recently with Cohesity, joins SentinelOne as Senior Vice President of Worldwide Sales 

After decades in the enterprise market, specifically in storage, I joined SentinelOne to lead global sales. Many have asked, why? The connection might seem unintuitive at first, but the reality is that we have witnessed an increasing overlap of these two sectors: in today’s enterprise, storage and security are fundamentally intertwined. 

The enterprise is concerned with two main challenges relating to data, its greatest asset. Namely,

  1. Where should we store our data?
  2. How can we secure our data?

As the cyberthreat landscape evolved over the last decade, the frequency with which these two dialogues intertwine has reached an all-time high. In selling storage, Cohesity’s buyers were interested in security, which was a realization point for me. 

The Intertwined Tale of Storage and Security

The question of where we should store our data has never been more complex. The range of solutions is not only vast and ever-changing; in any modern enterprise a variety of them will be in play at once. From on-premise hardware to cloud storage and hybrid cloud networks, to containers, buckets and silos, and the transfer of our prized asset to remote, intangible data centers mirrored on servers and repositories worldwide so that it stays accessible wherever we or our customers are physically located, the question of ‘where’ can never be isolated from today’s new security challenges. 

Such data fragmentation creates complex security challenges, and visibility into what is happening with our data, both at rest and in transit, is enough to keep a CISO awake at night. We live in an age where data incurs unprecedented business risk, from industrial espionage, APTs and cybercriminals intent on extortion and theft to the penalties of failed data protection with regulation like GDPR and CCPA. These and more are challenges that turn the question of where to store our data into a question of how we shall secure it.

CISOs face these challenges knowing that the matter is both urgent and pressing. We rarely have the luxury to build infrastructure from scratch, with security “built-in” at the design stage, and even as organizations increasingly adopt the SecOps and DevOps paradigms moving forward, the amount of legacy infrastructure most large enterprises already have in play will remain a security problem for years, if not decades, to come.

And so inevitably, the question of where to store our business-critical data led me to the question of how we can store it securely, in the past, the present, and the future. Enterprise needs a cybersecurity solution that can provide unparalleled protection and visibility in an autonomous way across the entirety of the technology environment – from device to datacenter to cloud to container.

So Why SentinelOne?

When I left Cohesity I knew that I wanted three things in my next company.

First, I wanted to go into security. This is a market where the opportunity to deliver exceptional products that meet a critical business need is huge. Delivering security products that protect the enterprise from the continuing escalation of cyber threats is one of the most exciting areas to be involved in both now and for the foreseeable future. 

Secondly, I wanted to work in a subscription-based business (SaaS). SaaS consumption is where customers are trending, and it offers both customers and vendors the ability to be more predictable and aligned in outcomes.  SentinelOne was recently recognized as the fastest growing company in Silicon Valley and was widely recommended as one of the most innovative SaaS companies by my channel partners and other friends in the field.  

Thirdly, as culture has always been my passion, I picked a company with a culture that represents my passions and beliefs. To me, a great culture is one that is maniacally focused on customer success. Passionate. Intense and accountable. While interviewing with SentinelOne, I realized that it was a strong cultural fit for me. As we scale the business with rapid expansion in every function, I look forward to contributing and incorporating a “greater good” mentality into our approach. This will be our greatest asset when it comes to delighting our customers and winning their loyalty. 

I believe SentinelOne meets and exceeds all three of my criteria.

SentinelOne was first to converge the protection and visibility spaces with a single solution, leading the market for AV replacements with a converged EPP and EDR solution; it’s a platform that extends to datacenters, IoT, and cloud workloads to secure the enterprise of today and tomorrow.

SentinelOne solves the critical problem facing all enterprises that I’ve been talking about: no matter where data lives, it needs to be secure. Security needs to be frictionless, flexible, autonomous, and easy to manage. Sadly, legacy technologies leave security teams chasing problems instead of solving them. With an AI-powered platform, SentinelOne prevents and protects against tomorrow’s threats today.

Due to the costs, disruption, and implications of a data breach, cybersecurity is no longer hidden within the IT organization; it is no longer a problem for this team or that team, but for every team across the entire business. To store our data securely, cybersecurity must be at the center of technology strategy.  It is my belief that SentinelOne is best-placed to provide the solution upon which that strategy can be built for any enterprise.

Our team is excited to showcase what the future of cybersecurity looks like in your enterprise: join us for a demo and POC today!


Negotiatus, looking to help businesses optimize purchasing, raises $10 million

Negotiatus, a SaaS business meant to optimize and streamline the purchasing and procurement process for businesses, has today announced the close of a $10 million Series A round.

The funding was led by Rally Ventures, with participation from ERA, 645 Ventures, Green Visor Capital and Stage 2 Capital. This brings the company’s total funding to nearly $20 million.

Negotiatus was founded by Zach Garippa and Tom Jaklitsch with an idea to detangle the process of purchasing supplies for a business. Garippa told TechCrunch that most solutions to this problem focus on one piece of the puzzle, serving finance or operations or the purchasers themselves, but ultimately making the process more difficult for the other functions in the business.

Negotiatus pulls all of those stakeholders into a single platform where they can shop, place orders, track delivery information and manage spend all from one place.

For example, finance departments often have to manually review and remit payment for thousands of invoices a month, normally across at least several vendors and various formats. Negotiatus allows the finance department to view all of that in a weekly or monthly invoice.

Before Negotiatus, purchasers had to cross-reference approved brands, vendors and products each time they needed a new set of pens or toilet paper, jumping from one website to another and tracking shipments across multiple websites. Negotiatus scrapes your past purchase history to show purchasers what they want in a single place. And, of course, users can track those products directly from the Negotiatus dashboard.

Operations can centralize order requests and approvals within the Negotiatus platform, and leverage analytics provided by the company to make better purchasing decisions. Negotiatus scrapes the SKUs themselves, across vendors, to make sure that businesses are making the smartest possible decision with their budget.

The company says that it takes less than a day to get going on the platform.

Negotiatus generates revenue in two ways. The first is a regular subscription model that charges on a monthly basis for each location on the platform. The second is based on spend volume on the platform (which comes from the vendor side).

Thus far, Negotiatus has 300 customers, with a particular popularity among health and wellness businesses (SoulCycle, Orangetheory, CorePower Yoga) and co-working businesses (WeWork, Zeus, Domio). The company hopes to soon expand beyond physical products into software services.

Google backs productivity startup building algorithmic inbox for Slacks, emails and texts

There have been plenty of stories written about the so-called “Slack-lash” and the growing unrest among workers dealing with DM interruptions that take their attention away from the task at hand. Slack is a poster child for the problem, but VCs have invested heavily in a number of collaboration tools over the past several years that have compartmentalized chat and commenting systems and have left workers reeling.

It seems fairly likely that we’ve reached peak VC interest in collaboration, but VCs are dealing with any slowdown by betting more heavily on tools that help workers make sense of the panoply of slick-interfaced messaging tools. The latest bet, ’nuffsaid, is, yes, yet another productivity startup, though one that seems devoted to making the messaging realities of 2020 employment a bit more tolerable.

The Utah startup is emerging from stealth, launching the first element of their productivity platform in early access, and disclosing that they’ve raised $4.3 million in seed funding from General Catalyst, Google’s Gradient Ventures, Global Founders Capital, Work Life Ventures, SV Angel and Wasabi Ventures.

The oddly named company is releasing its first oddly named product, ‘nflow, into early access, bringing multiple collaboration platforms and a calendar into a single inbox. Just as the algorithmic timeline shaped how we digest the firehose of social media content, algorithmic inboxes might be the solution to a Slack-lash. And ’nuffsaid is taking this algorithmic approach for prioritizing Slack messages, as well as emails, texts and Zoom messages, with ‘nflow. The searchable unified inbox brings all of your messages into a single app, letting you know what’s urgent and what can probably wait until you’re finished taking care of the task at hand.

“We think there’s going to be an entire category of products that are all about adding AI into existing workflows. With ‘nflow, we think we’re taking our first baby step to our vision of that future,” CEO and co-founder Chris Hicken tells TechCrunch. Hicken was previously COO of UserTesting.

One of the more exciting elements of ‘nflow is the way it brings the calendar inside the communications hub. Google Calendar is still among the more estranged elements of productivity workflows. Using messages and emails as the basis for calendar events has always been a wishlist item, but the integration is rarely tight enough. Although ’nuffsaid’s drag-and-drop interface for creating calendar events while tagging team members and adding additional info showcases seems to be a pretty attractive solution, I’ll wait until I can poke around the app myself before making any full-throated endorsements.

The ’nuffsaid team says ‘nflow will launch commercially at (a rather pricey) $25 per month, but that people who sign up for their early access waitlist will unlock a lifetime rate of $10 per month.

The team of 18 has bigger near-term ambitions than the product they’re launching in early access today. If ‘nflow represents a more mass-market approach to delivering a productivity tool to workers frustrated by a messaging overload, their future launches signify a desire to dig deeper into specific enterprise workflows and bring specific types of teams on board.

Over the summer, the company plans to roll out a separate AI-driven customer success module that integrates with a variety of apps to give workers more actionable insights on what tasks are the most critical to maintaining and building customer relationships. The startup plans to build and roll out dedicated versions of the module for engineering, product and marketing, as well.

“There are so many collaboration tools, what I like about ’nuffsaid is that it’s where the work is actually happening and they’re not asking users to change their procedures,” General Catalyst Managing Director Niko Bonatsos tells TechCrunch. “Users still have the same email address, they’re still contacting their customers the same ways, they don’t have to start doing unnatural things that disrupt their workflows.”

Tangle EE project joins Eclipse Foundation to bring distributed ledger apps to enterprise

As the number of IoT devices proliferate, and machines conduct transactions with machines without humans involved, it becomes increasingly necessary to have a permissionless system that facilitates this kind of communication in a secure way.

Enter the IOTA Foundation, a Berlin-based open-source distributed ledger technology (DLT) project, which has hooked up with the Eclipse Foundation to bring IOTA DLT to the enterprise via the Tangle EE project. For starters, this involves forming a working group.

The distributed ledger idea first emerged as a way to distribute digital currency on the blockchain. Since then, there have been multiple ideas, both open source and commercial, to bring this concept to the enterprise to provide a secure, immutable and frictionless way to share data.

One such open-source project is IOTA, which saw an issue with DLT as it was being implemented by other entities. “IOTA is the first distributed ledger technology that went beyond blockchain with a completely new architecture that resolves the bottleneck problems of blockchain that has prevented real-world adoption,” Dominik Schiener, co-founder of IOTA Foundation, told TechCrunch.

The broad vision is to provide a way for machines and devices to communicate securely. “We provide a protocol layer that enables both humans and machines to bulk transact value without fees, as well as ensure data integrity, which is, of course, increasingly important in the age of Internet of Things, where hundreds of billions of devices are being connected over the next decades,” Schiener said.

Tangle EE is the part of the project aimed at enterprise users — EE stands for Enterprise Edition — that can take this technology and enable larger organizations to build applications on top of the project. For starters, the foundation is working with the Eclipse Foundation to bring corporate entities on board who can help better define the requirements of the large business user.

Dell Technologies and STMicroelectronics are the first major companies joining the project, but the hope is that through discussion and dialogue, Tangle EE will begin to gain traction. “The main reason why we created Tangle EE was because of the discussions that we’ve had with corporations. They really understood that we need to have a working group around IOTA to discuss the application layer, to discuss what kind of solutions we can develop broadly across industries, but also really start having more serious discussions about the protocol,” Schiener said.

Much like the Linux Foundation, the Eclipse Foundation will provide a governance framework for the project. “The Eclipse Foundation will provide a vendor-neutral governance framework for open collaboration, with IOTA’s scalable, feeless and permissionless DLT as a base,” Mike Milinkovich, executive director of the Eclipse Foundation, explained in a statement.

If it gains traction, more companies will join in the coming months and years, and begin building out Tangle EE, while developing applications based on the protocol.

Infosys is acquiring Simplus for $250M to grow its Salesforce consulting arm

Infosys is a huge consulting organization based in India, which works with clients as they implement complex software integrations. Today, the company announced it was buying Simplus, a Salesforce integration consultant, for $250 million.

The company, which is based in Salt Lake City, Utah, launched in 2014 and has raised almost $50 million, according to Crunchbase data. It brings a wide range of Salesforce consulting, training and integration services along with general Salesforce expertise, which Infosys hopes to put to work.

The acquisition follows the purchase of Fluido, another Salesforce consulting shop, in 2018. The moves suggest that Infosys wants to build deeper expertise around Salesforce and make that a key piece of its consulting operations moving forward.

Brent Leary, a CRM industry veteran, who is owner at CRM Essentials, says that Simplus is well-positioned in the Salesforce ecosystem to capture lucrative cloud integration services, and it should help expand Infosys’s Salesforce consulting arm. “By acquiring Simplus, it allows Infosys to grab more market share, while extending Salesforce capabilities to offer existing clients,” Leary told TechCrunch.

Ravi Kumar, president at Infosys, sees it in similar terms. “Simplus will be a valuable addition to the Infosys family. Complementing our industry knowledge and existing Salesforce footprint with their strong presence in key markets, deep Salesforce consulting and advisory expertise will help accelerate the transformation journey of incumbent companies,” Kumar said in a statement.

Holger Mueller, an analyst at Constellation Research, says Simplus should especially help in the area of Quote-to-Cash, that period after the sale when quotes are shared, contracts are signed and cash is collected on the sale. “It creates the opportunity for Infosys to break out of the vendor services silos and connect its Salesforce services with its ERP services (SAP, Oracle),” he said.

The deal is expected to close in Infosys’s fiscal 2020 fourth quarter. Per usual, it is subject to standard regulatory approval.

Good news for enterprise startups: SaaS helped kill the single-vendor stack

In the old days of enterprise software, when companies like IBM, Oracle and Microsoft ruled the roost, there was a tendency to shop from a single vendor. You bought the whole stack, which made life easier for IT — even if it didn’t always work out so well for end users, who were stuck using software that was designed with administrators in mind.

Once Software-as-a-Service (SaaS) came along, IT no longer had complete control over software choices. The companies that dominated the market began to stumble — although Microsoft later found its way — and a new generation of SaaS vendors developed.

As that happened, users saw a way to pick and choose software that worked best for them, as they were no longer bound to clunky enterprise software; they wanted tools at work that worked as well as the ones they used in the consumer space at home.

Through freemium models and low-cost subscriptions, individual employees and teams started selecting their own tools, and a new way of buying software began to take hold. Instead of buying software from a single shop, consumers could buy the best tool for the job. This, in turn, led to wider adoption, as these small groups of users led the way to more lucrative enterprise deals.

The philosophical change has worked well for enterprise startups. The new world means a well-executed idea can beat an incumbent with a similar product. Just ask companies like Slack, Zoom and Box, which have shown what’s possible when you put users first.

U.S. Charges 4 Chinese Military Officers in 2017 Equifax Hack

The U.S. Justice Department today unsealed indictments against four Chinese officers of the People’s Liberation Army (PLA) accused of perpetrating the 2017 hack against consumer credit bureau Equifax that led to the theft of personal data on nearly 150 million Americans. DOJ officials said the four men were responsible for carrying out the largest theft of sensitive personal information by state-sponsored hackers ever recorded.

The nine-count indictment names Wu Zhiyong (吴志勇), Wang Qian (王乾), Xu Ke (许可) and Liu Lei (刘磊) as members of the PLA’s 54th Research Institute, a component of the Chinese military. They are each charged with three counts of conspiracy to commit computer fraud, economic espionage and wire fraud.

The government says the men disguised their hacking activity by routing attack traffic through 34 servers located in nearly 20 countries, using encrypted communications channels within Equifax’s network to blend in with normal network activity, and deleting log files daily to remove evidence of their meanderings through the company’s systems.

U.S. Attorney General Bill Barr said at a press conference today that the Justice Department doesn’t normally charge members of another country’s military with crimes (this is only the second time the agency has indicted Chinese military hackers). But in a carefully worded statement that seemed designed to deflect any criticism of past offensive cyber actions by the U.S. military against foreign targets, Barr said the DOJ did so in this case because the accused “indiscriminately” targeted American civilians on a massive scale.

“The United States, like other nations, has gathered intelligence throughout its history to ensure that national security and foreign policy decision makers have access to timely, accurate and insightful information,” Barr said. “But we collect information only for legitimate national security purposes. We don’t indiscriminately violate the privacy of ordinary citizens.”

FBI Deputy Director David Bowdich sought to address the criticism about the wisdom of indicting Chinese military officers for attacking U.S. commercial and government interests. Some security experts have charged that such indictments could both lessen the charges’ impact and leave American officials open to parallel criminal allegations from Chinese authorities.

“Some might wonder what good it does when these hackers are seemingly beyond our reach,” Bowdich said. “We answer this question all the time. We can’t take them into custody, try them in a court of law and lock them up. Not today, anyway. But one day these criminals will slip up, and when they do we’ll be there. We in law enforcement will not let hackers off the hook just because they’re halfway around the world.”

The attorney general said the attack on Equifax was just the latest in a long string of cyber espionage attacks that sought trade secrets and sensitive data from a broad range of industries, including managed service providers and their clients worldwide, as well as U.S. companies in the nuclear power, metals and solar products industries.

“Indeed, about 80 percent of our economic espionage prosecutions have implicated the Chinese government, and about 60 percent of all trade secret theft cases in recent years involved some connection with China,” he said.

The indictments come on the heels of a conference held by U.S. government officials this week that detailed the breadth of hacking attacks involving the theft of intellectual property by Chinese entities.

“The FBI has about a thousand investigations involving China’s attempted theft of U.S.-based technology in all 56 of our field offices and spanning just about every industry and sector,” FBI Director Christopher Wray reportedly told attendees at the gathering in Washington, D.C., dubbed the “China Initiative Conference.”

At a time when increasingly combative trade relations with China combined with public fears over the ongoing Coronavirus flu outbreak are stirring Sinophobia in some pockets of the U.S. and other countries, Bowdich was quick to clarify that the DOJ’s beef was with the Chinese government, not its citizenry.

“Our concern is not with the Chinese people or with the Chinese American,” he said. “It is with the Chinese government and the Chinese Communist Party. Confronting this threat directly doesn’t mean we should not do business with China, host Chinese students, welcome Chinese visitors or co-exist with China as a country on the world stage. What it does mean is when China violates our criminal laws and international norms, we will hold them accountable for it.”

A copy of the indictment is available here.

ANALYSIS

DOJ officials praised Equifax for their “close collaboration” in sharing data that helped investigators piece together this whodunnit. Attorney General Barr noted that the accused not only stole personal and in some cases financial data on Americans, they also stole Equifax’s trade secrets, which he said were “embodied by the compiled data and complex database designs used to store personal information.”

While the DOJ’s announcement today portrays Equifax in a somewhat sympathetic light, it’s important to remember that Equifax repeatedly has proven itself an extremely poor steward of the highly sensitive information that it holds on most Americans.

Equifax’s actions immediately before and after its breach disclosure on Sept. 7, 2017 revealed a company so inept at managing its public response that one couldn’t help but wonder how it might have handled its internal affairs and security. Indeed, Equifax and its leadership careened from one feckless blunder to the next in a series of debacles that KrebsOnSecurity described at the time as a complete “dumpster fire” of a breach response.

For starters, the Web site that Equifax set up to let consumers check if they were affected by the breach consistently gave conflicting answers, and was initially flagged by some Web browsers as a potential phishing site.

Compounding the confusion, on Sept. 19, 2017, Equifax’s Twitter account told people looking for information about the breach to visit the wrong Web site, which also was blocked by multiple browsers as a phishing site.

And two weeks after its breach disclosure, Equifax began notifying consumers of their eligibility to enroll in free credit monitoring — but the messages did not come from Equifax’s domain and were in many other ways indistinguishable from a phishing attempt.

It soon emerged the intruders had gained access to Equifax’s systems by attacking a software vulnerability in an Internet-facing server that had been left unpatched for four months after security experts warned that the flaw was being broadly exploited. We also learned that the server in question was tied to an online dispute portal at Equifax, which the intruders quickly seeded with tools that allowed them to maintain access to the credit bureau’s systems.

This is especially notable because on Sept. 12, 2017 — just five days after Equifax went public with its breach — KrebsOnSecurity broke the news that the administrative account for a separate Equifax dispute resolution portal catering to consumers in Argentina was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”

A partial list of active and inactive Equifax employees in Argentina. This page also let anyone add or remove users at will, or modify existing user accounts.

Perhaps we all should have seen this megabreach coming. In May 2017, KrebsOnSecurity detailed how countless employees at many major U.S. companies suffered tax refund fraud with the IRS thanks to a laughably insecure portal at Equifax’s TALX payroll division, which provides online payroll, HR and tax services to thousands of U.S. firms.

Equifax’s TALX — now called Equifax Workforce Solutions — aided tax thieves by relying on outdated and insufficient consumer authentication methods.

In October 2017, KrebsOnSecurity showed how easy it was to learn the complete salary history of a large portion of Americans simply by knowing someone’s Social Security number and date of birth, thanks to yet another Equifax portal.

Around that same time, we also learned that at least two Equifax executives sought to profit from the disaster through insider trading just days prior to the breach announcement. Jun Ying, Equifax’s former chief information officer, dumped all of his stock in the company in late August 2017, realizing a gain of $480,000 and avoiding a loss of more than $117,000 when news of the breach dinged Equifax’s stock price.

Sudhakar Reddy Bonthu, a former manager at Equifax who was contracted to help the company with its breach response, bought 86 “put” options in Equifax stock on Sept. 1, 2017 that allowed him to profit when the company’s share price dropped. Bonthu was later sentenced to eight months of home confinement; Ying got four months in prison and one year of supervised release. Both were fined and/or ordered to pay back their ill-gotten gains.

While Equifax’s stock price took a steep hit in the months following its breach disclosure, shares in the company [NYSE:EFX] gained a whopping 50.5% in 2019, according to data from S&P Global Market Intelligence.

KrebsOnSecurity has long maintained that the 2017 breach at Equifax was not the work of financially-motivated identity thieves, as there has been exactly zero evidence to date that anything close to the size of the data cache stolen from that incident has shown up for sale in the cybercrime underground.

However, readers should understand that countless other companies hold the SSN, DOB and other information crooks need to apply for credit in your name, that these companies get hacked all the time, and that this data on a great many Americans is already for sale across various cybercrime bazaars.

Readers also should know that while identity theft protection services of the kind offered by Equifax and other companies may alert you if crooks open a new line of credit in your name, these services generally do nothing to stop that identity theft from taking place. ID theft protection services are most useful in helping people recover from such crimes.

As such, KrebsOnSecurity continues to encourage readers to place a freeze on their credit files with Equifax and the other major credit bureaus. This process puts you in control over who gets to grant credit in your name. Placing a freeze is now free for all Americans and their dependents. For more information on how to do that and what to expect from a freeze, please see this primer.