undefined | Better HN

0 pointsbangaladore5mo ago0 comments

Not sure why I'm downvoted. Literally quoted from their incident page.

> We have confirmed that the threat actor exfiltrated files from our BIG-IP product development environment and engineering knowledge management platforms. These files contained some of our BIG-IP source code and information about undisclosed vulnerabilities we were working on in BIG-IP.

> We have no knowledge of undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities.

https://my.f5.com/manage/s/article/K000154696

0 comments

Veserv5mo ago

No, they claimed: "We have no knowledge" and "we are not aware" which does not mean "the vulnerabilities discovered through exfiltration were not used".

That admits nearly every possible class of outcome as long they did not actively already know about it and chose to say they did not. The specific words that their lawyers intentionally drafted explicitly even allow them to intentionally spend effort to destroy any evidence that would lead them to learn if the vulnerabilities were used and still successfully claim that they were telling the truth in a court of law. You should not assume their highly paid lawyers meant anything other than the most tortured possible technically correct statement.

PR statements drafted by legal are a monkey's paw. Treat them like it.

bangaladoreOP5mo ago

Fair point, I certainly missed a word in my summary.

udev40965mo ago

The fact that they didn't know for such a long time makes their statement completely unbelievable. Also pushing new updates? Sure, they'll say it's just a precaution but I'm willing to bet attacker did more damage than they are willing to publicly disclose

stronglikedan5mo ago

> Not sure why I'm downvoted.

I downvoted you for complaining about downvotes, so at least you know the reason for one of them now.

j / k navigate · click thread line to collapse