Buzzfeed posted a long story last week about leaked penetration test results for Palantir, Peter Thiel's $20 billion private data analysis company funded by the CIA and considered the backbone of US intelligence gathering.
Based on a confidential report, Buzzfeed says HACKERS COULD TAKE CONTROL OF PALANTIR'S ENTIRE NETWORK!!!! AND…! AND…! AND…!
This looked sensational at first glance.
Palantir's valuation and reputation are built on knowing more than everyone else. So how could it do such a lousy job on security? The real-world ramifications would be serious. Well-known clients include big-time financial firms like Bridgewater (world's largest hedge fund) and an alphabet soup of law enforcement agencies (FBI, CIA, NSA, etc.).
Midway through reading the Buzzfeed story, though, a couple things became apparent:
- The story reads like a rewritten version of the confidential report. There is little to no analysis.
- The pen testers praised Palantir's internal response team. Repeatedly.
Thankfully, Forbes published an accompanying piece just afterward that analyzes Buzzfeed's story and sums it up nicely with one sentence:
Penetration Tests Almost Always Win
"That Palantir succumbed to the cyber squad it hired specifically to discover its vulnerabilities is no surprise," Forbes wrote. "That's how it goes. One could argue that Palantir should be praised for conducting such proactive testing—as not every company does—and for having an "excellent" response, as the organization called in to conduct the hack said. Nice work, PALs. Patch up and keep at it."
Our two cents is that the Buzzfeed story does a good job breaking down a thorough penetration test for regular folks: How the penetration testers conducted their attacks, what they found, how they would start at Point A to get to Point Z, some cat-and-mouse with the internal Palantir team defending the company against the attack, etc. But the Buzzfeed's reaction feels breathless. Forbes reached the same conclusion:
"Why single out this one company?" Forbes asks. "The implication is that if Palantir can be hacked, then A) anyone can be hacked and B) it probably has been hacked already—especially considering the highly confidential government work it handles as well as the persistence of the United States' adversaries. Even a company as locked down as Palantir has holes."
"To BuzzFeed's credit," Forbes continued, "the story does an excellent job detailing how hackers can make their way around a computer network, hopping from node to node, compromising accounts and servers, and escalating an attack along the way. Still it does a disservice in blasting a firm for taking the very measures it should to learn about and fix its weaknesses."