Ex-White House Cyber Policy Director: Microsoft is a National Security Risk (theregister.com) 124
This week the Register spoke to former senior White House cyber policy director A.J. Grotto — who complained it was hard to get even slight concessions from Microsoft:
"If you go back to the SolarWinds episode from a few years ago ... [Microsoft] was essentially up-selling logging capability to federal agencies" instead of making it the default, Grotto said. "As a result, it was really hard for agencies to identify their exposure to the SolarWinds breach." Grotto told us Microsoft had to be "dragged kicking and screaming" to provide logging capabilities to the government by default. [In the interview he calls it "an epic fight" which lasted 18 months.] [G]iven the fact the mega-corp banked around $20 billion in revenue from security services last year, the concession was minimal at best.
That illustrates, Grotto said, that "they [Microsoft] just have a ton of leverage, and they're not afraid to use it." Add to that concerns over an Exchange Online intrusion by Chinese snoops, and another Microsoft security breach by Russian cyber operatives, both of which allowed spies to gain access to US government emails, and Grotto says it's fair to classify Microsoft and its products as a national security concern.
He estimates that Microsoft makes 85% of U.S. government productivity software — and has an even greater share of their operating systems. "Microsoft in many ways has the government locked in," he says in the interview, "and so it's able to transfer a lot of these costs associated with the security breaches over to the federal government."
And about five minutes in, he says, point-blank, that "It's perfectly fair" to consider Microsoft a national security threat, given its dominance "not just within the federal government, but really in sort of the broader IT marketplace. I think it's fair to say, yeah, that a systemic compromise that affects Microsoft and its products do rise to the level of a national security risk."
He'd like to see the government encourage more competition — to the point where public scrutiny prompts software customers to change their behavior, and creates a true market incentive for better performance...
ssshhhh (Score:2)
wait 'til after the election to say such. MS has deep pockets, can easily influence election by lubricating politicians with "campaign donations" and lobbying.
Re:ssshhhh (Score:5, Informative)
Microsoft donates mostly to Democrats.
The big exception (and biggest single recipient) is Republican Doug Burgum for governor of North Dakota.
Microsoft political donations [opensecrets.org]
Re: ssshhhh (Score:3)
These are only the required-to-report hard donations.
Plus, there's probably plenty of blackmail.
Re: (Score:3)
Microsoft? Yes. They are even more corrupt than, say, Intel, but they have better lawyers and are more careful in their bribery.
Just gotta do the ol FTC Slice up (Score:2)
Honestly, if the federal gov't really had such major qualms about MS's practically absolute monopoly in the gov't space, all they have to do is use the FTC scissors to slice and dice up MS.
Either MS Shape up or ship out w/ the FTC.
Done and dusted.
Re: (Score:2)
Mostly Windows XP continuation due to government usage, keeping special versions of MS for government use that don't include all the shit everyone gets that spies on them, and much more.
I don't care what party people are in, those that allowed it in the 90s fucked us over.
Remember what happened? (Score:2)
Back in the good old days, when Ma Bell was considered a (considerably lesser) problem?
Well?
Re: (Score:3)
Yes, now they've almost all merged back together. And they've adapted.
Good Lord (Score:4, Insightful)
Re:Good Lord (Score:5, Insightful)
Replacing MS in the Fed. Gov. will cost money. That money is detailed in appropriations from Congress. If it is not a line item in their budget, they cannot spend money on it. And if it does become a line item in their spending ask to Congress, Congress will tell them whether it stays or not. Congress could also mandate they spend x on replacement. However, if they do that without increasing the budget, they have to be precise in what cuts will be made elsewhere.
Re: (Score:1)
No mod points for me today. Someone please mod parent up as (VERY) Insightful.
Re: (Score:3)
By the way, I've participated in a couple of studies about what it would take to replace Microsoft on both desktops and back office situations. There's a lot of costs, even if you use low cost/free Open Source products. Those include conversion from the MS product to the replacement, qualification/testing to make sure the replacement isn't worse than what you're replacing, engineering costs for designing and implementing the solution including the transition, retraining for both end users, security infras
Re: (Score:2)
Good insightful comment. ...But *I* don't need support. ...I wish the Feds would allow devs like me to use something besides Windows, since as a developer I know what I'm doing and now I'm being restricted and that costs real money. The servers I develop for are all FOSS/LAMP anyway. The excuse I always hear is, "but then you might install Rando App X, or run a virtual machine and that'd also give you root access to install anything you want. Maybe your machine has malware."
To which I always reply, you Feds
Re: (Score:2)
Don't know if that would have helped.
We see that the central complaint is that Microsoft was upselling "logging capabilities". Question is what, specifically, is he talking about? I wager it's not just logging, I'm sure even Microsoft provides at least those. I suspect it's about some sort of log analysis, since 'analytics' is a favorite upsell opportunity in the industry (Cisco paid $28 billion for Splunk for example).
Whether it's Linux or Microsoft technology, I'm wagering they'd still be complaining ab
Re: (Score:2)
It's not clear that Linux would fix anything here. If the feature you need happens to be open source and actually works, great, but if it's some proprietary extension that your vendor offers or you didn't pay them to fix the bugs, you are on your own.
That is assuming that the software you need is even Linux native. If you are running it in WINE then good luck.
Re: (Score:1)
The entire SolarWinds product offering could have been replaced quite effectively with OpenSSH and a couple shell scripts. Even if this wasn't a feigned fuck-up orchestrated by criminals who had more to gain by failing at their job than by succeeding at it, it would still be the biggest boondoggle of all time.
Re: (Score:2)
Then they can just run Linux (preferably SELinux)
SELinux is not a kind of Linux. It is a feature of Linux.
Re: (Score:2)
Then they can just run Linux (preferably SELinux) and solve the problem.
I wish, and I would welcome it if they did.
However, as one of the foremost SELinux advocates in its early days, I doubt that the government of all places has the capability to do so. Few sysadmins can configure SELinux halfway decently (i.e. beyond the default policies) and the government (outside the military and secret services) isn't a good tech employer.
Also, MS is far more than the OS. With Office and a bunch of other tools, plus lots of custom software made only for Windows, the entrenchment is really
Too big to fail (Score:5, Insightful)
After the 2008 debacle, one thinks of banks, when one hears "too big to fail". We (the collective world) were supposed to ensure that no single institutions remained "too big to fail" - not that we've done that.
Anyway. No single company should be allowed to become so large that its failure would be a catastrophe. That's just another aspect of anti-trust regulations. I submit that Microsoft has long since passed that threshold. Entire governments, indeed, all governments in the West are utterly dependent on Microsoft software. That should ring all sorts of alarm bells.
Re: (Score:3)
Yep, pretty much. MS is a massive problem these days, nothing else. And they behave like a problem too.
Re: (Score:3)
Problem is, do you want security handled by a bunch of companies where expertise and communications gaps become massive liabilities? Then, when there are failures, fingers will get pointed all around the world, nobody will take responsibility and mistakes will be perpetuated because nobody was accountable, till the next crisis. Yes, we have some of that now under MS, but using a patchwork of companies, it would be much worse.
If I ky there was another choice (Score:2)
We were forced to use MS OneDrive (Score:4, Interesting)
Re:We were forced to use MS OneDrive (Score:5, Interesting)
Let's be clear that this has been the experience for a LOT of people in a lot of companies.
My firm is an ardently left-leaning European manufacturer who is all-in about a host of left-of-center values such as sustainability, DEI, etc etc. ...and we too are compelled to move to Onedrive, despite lots of objections and (by now) many examples of Onedrive's shortcomings.
Maybe the point of this isn't political, it's about a shit piece of software that's not ready for the critical needs to which it's being put, management choices that have little to do with actual staff needs, and IT accountability for following those dumb fads.
WHETHER we're talking about an organization led by an orange-colored nutball, or a senescent child-sniffing grandpa.
Re: (Score:3)
That's my feeling too. I work in a private sector business that's basically "all Microsoft" (like most of our competitors). Once you get on the "Microsoft train", you ride their rails and go to the stops they dictate. You have to jump back off otherwise.
We ran into the typical situation where once people saw they had OneDrive capabilities to share files or folders with other people or groups, they started trying to create folders of information needed by entire teams. If they left the company, all of that
Microsoft is a national security risk (Score:2)
Duh (Score:5, Insightful)
It has been for a long time. And while MS is not actually getting (much) worse, they are not getting any better at security (or reliability and usability), while pressure from attackers and more and more critical functions done with their systems rises and rises. At the same time, MS still makes beginner's mistakes with critical and very critical functions, see, for example, their catastrophic Azure compromise in 2023, where they did _everything_ wrong they could do wrong where that would not be immediately obvious. Oh, and that is for the attack path they think the attackers might have taken, because they _still_ do not know what happened and they do not keep security audit logs for that "long". For functions that handle cloud master-keys. Fucking up on top of fucking up.
MS should have been kicked to the curb as the 3rd rated wannabe technology provider they are 10 or 20 years ago. They are not just incompetent and careless, their whole organization is fundamentally incapable of doing competent IT security or producing good and reliable products. Incompetence that bad cannot be fixed without replacing the whole organization. Instead most people just looked the other way and continue looking the other way. Not smart at all, but all too common with the human race.
I would say use linux (Score:3)
... but that's undergoing a slow and sad fucking up process thanks to Poettering's (now an MS employee, not even ironic) systemd. Also the fragmentation doesn't help - it would be good to have a standard base layout, system setup and standard apps (beyond the default *nix cmd line tools) that all distros use, eg package manager, and they just build whatever eye candy they want on top of that but of course many large egos would prevent that ever happening.
Re:I would say use linux (Score:5, Insightful)
Yes, that process is definitely there. My take is that more and more people that do not understand the Unix philosophy are getting into Linux and that takes a big toll. Probably many are refugees from Windows that now apply their low-insight mindset in the Linux space. Systemd is one crass example, but all the crap distros like Debian patch into sshd is another. Pure stupidity, grossly bad engineering and prioritization of questionable convenience over security.
That said, Devuan works nicely. That there is a whole distro now with the single selling point of "no systemd" means there are still a lot of people in Linux that actually understand and can do good engineering. As to fragmentation: That is actually far less of an issue than generally claimed. Again, Unix philosophy. Sure, a specific organization should standardize on one distro, but that already fixes the issue.
Re: (Score:3)
"Devuan works nicely. That there is a whole distro now with the single selling point of "no systemd""
I use Slackware and it's never used systemd and hopefully never will. If it didn't exist Devuan would definitely be my next distro choice.
Re: (Score:2)
Well, Slackware is the Holy Grail, obviously. I am lazy, so I use Devuan and occasionally have a look at Gentoo.
Re:Duh (Score:5, Insightful)
Logs are often a huge liability. I am not saying this is right, but in my experience very very few IT shops treat them like tier one confidentiality required data that they are.
Developers rarely think critically about what can end up in a log, operating under the assumption that whatever logging framework is responsible for sinking them somewhere safe and if anyone has access all bets are already off; of course in the era of centralized logging, SIEM analysis, and data lakes etc, that is nonsense. I have seen a lot of applications that have a ton of code and thought dedicated to handling various types of secrets only to have it all wrapped in ... } catch ... {} catch ... {} .. catch Exception => ex { Logger.log("Unhandled " + ex.name + " exception - " + ex.message + "Stacktrace:\n" + ex.stacktrace);} and equivalent that under the right conditions will result in these secrets getting into the logs. That is the most innocent case, the far more common pattern in logs is:
try {
Login failed for user P@$$word!1
Login success for user gweihir
and is almost the norm...
Right now the only things saving corporate and probably government IT from total disaster due to negligent log handling are:
1) The data volume is large so it's difficult to exfil or search in situ without being noticed
2) Searching logs you are not familiar with is hard and regex augmented with traditional correlation rules will only get you so far,
However attackers will start using ML and similar tools to start slogging thru it and pulling useful data out soon enough and all these data lakes, cloud trails, security workspaces, etc - are going to get some big organizations well and thoroughly pwnd.
At the very least actual APTs (not some ransomware gangs) will get hold of some Fortune 50s and large government logs and do some next gen-analysis to make sure their trade craft and tools leave exactly NO detectable IOCs. Which frankly I think bodes quite badly for having a large WFH work force; nobody is going to be able to separate malicious remote access from legitimate. That is drifting off the topic however.
In the short term I would suggest to most operators, you don't know what is in your logs, you don't know what signals someone might be able to extract from those logs even if you do have all the content identified. You probably should NOT be retaining logs for longer than either a few months or whatever regulatory requirements demand, whichever is greater.
In this specific instance it's unfortunate, but I don't think MS actually got it wrong in terms of policy here.
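The two leak patterns the comment above describes, a credential typed into the username field of an auth message and a secret carried in an exception message that a catch-all handler dumps with its stack trace, can both be caught at the logging layer before any sink sees them. The following is an added example, not code from the comment or from any product mentioned on this page: a Python `logging.Filter` that scrubs the rendered message and the exception text. The regexes, the `[REDACTED]` mask, the username-shape rule and the sample events are all constructed for this example and would be tuned to a real deployment's secret formats.

```python
import io
import logging
import re

# Username slots are expected to hold a plain identifier (constructed rule);
# anything else in that slot is treated as a mistyped credential and masked.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")

# Generic key=value credential shapes that turn up in exception messages,
# connection strings and request dumps. Constructed, not exhaustive.
KV_SECRET_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|token|api[_-]?key)"
    r"(\s*[=:]\s*)(\"?)([^\s\"&,;]+)"
)
BEARER_RE = re.compile(r"(?i)\b(bearer\s+)([A-Za-z0-9._~+/-]+=*)")
AUTH_MSG_RE = re.compile(r"(Login (?:failed|success(?:ful)?) for user )(\S+)")

MASK = "[REDACTED]"


def scrub(text: str) -> str:
    """Return text with credential-like substrings replaced by MASK."""
    text = BEARER_RE.sub(lambda m: f"{m.group(1)}{MASK}", text)
    text = KV_SECRET_RE.sub(
        lambda m: f"{m.group(1)}{m.group(2)}{m.group(3)}{MASK}", text
    )

    def _mask_odd_username(m: re.Match) -> str:
        token = m.group(2)
        # A real username passes through; "P@$$word!1" in the user slot does not.
        return m.group(0) if USERNAME_RE.match(token) else f"{m.group(1)}{MASK}"

    return AUTH_MSG_RE.sub(_mask_odd_username, text)


class SecretRedactingFilter(logging.Filter):
    """Scrub the rendered message and the exception text before a handler emits them."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render msg % args now, scrub the result, and drop args so a literal
        # '%' inside a masked value can never be re-interpolated downstream.
        record.msg = scrub(record.getMessage())
        record.args = ()
        if record.exc_info and record.exc_info[1] is not None:
            # Formatter.format() reuses a pre-set exc_text instead of rendering
            # exc_info itself, so pre-render the traceback and scrub it here.
            rendered = logging.Formatter().formatException(record.exc_info)
            record.exc_text = scrub(rendered)
        return True


def render_demo() -> str:
    """Log a few constructed events through the filter and return the captured text."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    # Attach to the handler, not the logger: logger-level filters do not run for
    # records that propagate up from child loggers, handler-level filters do.
    handler.addFilter(SecretRedactingFilter())

    logger = logging.getLogger("demo.redact")
    for old in list(logger.handlers):
        logger.removeHandler(old)
    logger.addHandler(handler)
    logger.propagate = False
    logger.setLevel(logging.DEBUG)

    # Constructed sample events mirroring the comment's two patterns.
    logger.warning("Login failed for user %s", "P@$$word!1")
    logger.info("Login success for user %s", "gweihir")
    try:
        raise RuntimeError("db connect failed: password=hunter2 token=abc123")
    except RuntimeError:
        logger.exception("Unhandled exception")
    return stream.getvalue()


if __name__ == "__main__":
    print(render_demo())
```

The filter keeps genuine usernames readable so the log stays useful for detection, and masks only the value portion of key=value pairs so the key name still tells an analyst what failed. Scrubbing the pre-rendered traceback matters because the traceback reproduces the source line that raised, which in the sample carries the secret literally.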
Re: (Score:2)
Sure. But when you have systems that handle your keys to the kingdom, you want to find out who successfully attacked them. Without logs that is next to impossible. And you need that info to fix the vulnerability the attackers came in on. Not saying that you should keep any and all logs and I have personally edited logs when I screwed up pretty much like your example, but for systems with very high criticality you need to spend the effort and handle the logs on the same criticality and confidentiality level
Re: (Score:2)
I don't fundamentally disagree. The thing is Azure is too big and complex with too many cooks in the kitchen for there being really any hope of getting it right.
Microsoft absolutely needs to have a hard, delete-after-N policy, and then start writing very specific exceptions around certain critical components of Azure infrastructure. The Federal government should be 'beta-testing' the cloud with the rest of Industry. Azure / Office 365 are good examples of too much, too fast, at too high a value.
Re: (Score:2)
That's demonstrably untrue. Look at the Windows XP days, an OS that launched without even enabling the firewall. Then there was Vista that everyone hated because Microsoft beefed up the security model, resulting in large numbers of security warnings. And now the same people are moaning about Windows 11 requiring TPM 2 for securing the boot process, which was of course one of the favourite attack vectors back before Secure Boot became mandatory for OEMs.
Meanwhile, as Linux's popularity increases, so does the
Re: Duh (Score:2)
What? Secure Boot hasn't fixed jack squat. It was about confusing the Linux install process.
Prior to secure boot I could have talked someone into booting a linux installer over the phone.
After each system was vastly different, and big scary warnings were shown. Also options to delete keys were placed next to the options for basic enable/disable purely to confuse users more.
All this and attacks that completely bypass Secure Boot continue to be found.
Re: (Score:2)
Secure Boot ensures that the OS boot files have not been modified. One popular technique malware used was to replace ntfs.sys (the NTFS filesystem driver) or the SATA driver with one that hid the malware's own files. Virus scanners could tell you were infected, but couldn't remove the infection. The only way to get rid of it was to boot a Linux CD with anti-virus software from someone like Kaspersky, which used its own NTFS and SATA drivers. Or move the HDD to another machine for scanning etc.
That became im
Re: (Score:2)
You have far too much faith in this crappy thing that MS essentially forced on everybody to implement DRM.
Re: (Score:2)
What DRM has it facilitated?
Re: (Score:2)
Microsoft certainly counts on incompetence being a benefit for secure boot keeping out Linux but it wasn't the purpose. Linux can benefit just as much from securely signing boot code. What's needed is getting OEMs on board with a simpler process for adding new keys. It's basically all a manual process for non-Microsoft keys. I don't think there's anyone to blame but Linux distros if there isn't even an organized push at this point.
Re: (Score:2)
At the same time, MS still makes beginner's mistakes with critical and very critical functions, see, for example, their catastrophic Azure compromise in 2023, were they did _everything_ wrong they could do wrong where that would not be immediately obvious.
Experience is not worth paying for. These new people will get it right. They were trained for many years and there is no excuse for 'not knowing', so everything should be fine and if it isn't, we will discipline them until they do get it right... but, once they get too much experience, they become too expensive, so, freshly trained people again. They were trained for a long time. They have no excuse for getting it wrong. Everything will be fine. Who needs experienced people when experience is so expensive?
Re: (Score:2)
Probably. That is a business mind-set though and those universally lead to crappy engineering. Just look at Boeing for a second example.
Make it product liability (Score:2)
Re: (Score:3)
Do you know how much money MS has? And who all does not have an exit strategy for their crap?
Yes, product liability would mean MS is dead in 10 years and that would be a very good thing. But it is not going to happen.
Windows is malware (Score:5, Insightful)
Re: (Score:2)
That is nice and sensible, but what about your local supermarket that cannot order new food anymore after the next big attack on the insecure MS crap? All it takes is for one of the more competent bad actors to really want to do damage.
Re: (Score:2)
Re: (Score:2)
All the while you and them are starving...
Unless they have "old school" as a tested (!) BCM measure in place, it is _not_ going to work.
Re: (Score:2)
Well, I do that. But if all hell breaks loose around you, that does not help much.
Re: (Score:2)
This is about MS and either a massive outage of their crap cloud or a massive attack on their crap desktop offering. Which is getting more and more likely. That will not be over in a day or two. "Weeks" is a more realistic time-frame.
Microsoft Prepared Responses (Score:1)
Maybe it's a feature... Didn't you think about it?
You can leak misinformation to the enemy knowing that they will think it was a mistake based on shitty software rather than counter-intelligent maneuvers.
Option 2:
It's not us! It's god damn Ritchie, Kernighan and Bjarne! The White House says so!
Option 3:
Well, we didn't have AI back then but now, we're putting every single bit of it in every single bit of software we make and made. Things should be better now.
I don't buy it (Score:4, Funny)
Microsoft makes 85% of U.S. government productivity software
Government... productivity?
Re: (Score:2)
They measure productivity in dollars spent per minute.
Bill Gates ... (Score:1)
should burn in Hell.
Re: (Score:2)
Gates is long gone from Microsoft. He set the corporate culture of "let the users debug our software", but the current security problems at Microsoft can't be blamed on Gates (or Ballmer.)
Me, I blame Congress for not passing legislation to make -all software vendors- legally liable for flaws in their products, including security holes. If you want secure software, you'll have to pay for it, and make the companies pay for the consequences of their failures.
I want my logs (Score:2)
https://www.c [cisa.gov]
Security? (Score:2)
"He'd like to see the government encourage more competition"
I think we all would like that, but let's be clear that is an ECONOMIC preference and (in essence) an ideological preference, not a security one.
I do NOT believe that the security environment of the US government - a government where a lot of sites (esp internal) look more like myspace pages - would be materially IMPROVED by having a vast array of churning alternative vendors of uncertain provenance being managed by IT depts that can barely keep up
If only (Score:1)
Well (Score:2)
Sergeant I hope you like chow mein.
You mean capitalism is a security risk. (Score:2)
When profits matter most, everything else suffers eventually.
late stage capitalism != competition (Score:2)
"He'd like to see the government encourage more competition — to the point where public scrutiny prompts software customers to change their behavior, and creates a true market incentive for better performance..."
He'd like for capitalism to work that way, but that's not how late-stage capitalism works.
He's absolutely right! (Score:2)
Re:Oh nice... (Score:5, Informative)
China didn't buy TikTok, they made it.
I guess technically a private Chinese company made TikTok
It wasn't until 2021 that the Chinese government put themselves on the board of ByteDance
Re: (Score:2)
"China didn't buy TikTok, they made it."
China made TikTok, but one of the first things TikTok did was buy Musical.ly. That is where most of the western users came from, as well as the corporate structure which technically doesn't exist in China.
Re: (Score:2)
Musical.ly was tiny when they acquired it. They got the vast majority of their userbase organically.
Re: (Score:2)
Musical.ly , being another Chinese produced product.
Tiktok doesn't exist in China because it's a western brand.
Douyin is the same product, for the Chinese market.
Both owned by ByteDance.
I doubt they bought Musical.ly for the users. They would have bought it for the licensing agreements they had for music.
Re: (Score:2)
When was it sold?
Biden wants it to be sold.
China has claimed the algorithm to be sensitive information and has placed export controls on it, so ByteDance requires permission to sell.
Re: (Score:3)
"These people waste so much of our money. " Wrong, it is the American People who take most of the taxpayer money. The social programs far outstrip everything else and those are relatively cheap to run day-to-day, it is their payout to the American People that take the money.
And foreign aid is decimal dust when it comes to the Fed. Budget and are about 1 - 2 percent of expenditures:
https://www.crfb.org/blogs/bre... [crfb.org]
Stop repeating Fox talking points.
Re: (Score:2)
Re: (Score:2)
Sorry I was incorrect about losing land mass, it looks like we'd actually gain overall land mass (antarctica).
Re: Humans won't go extinct from climate change (Score:2)
/facepalm
No, not Antarctica, rather regions further away from the equator will become arable land even without it. And as it turns out, the further away from the equator you go, there's more landmass overall without even considering Antarctica. That's not a coincidence either because Earth's rotation naturally raises the sea levels at the equator while also lowering them elsewhere. In fact, if there was no rotation, all of Canada and Europe would be under water with one big contiguous land bridge spanning t
Re: (Score:2)
No, not Antarctica, rather regions further away from the equator will become arable land even without it.
All credible projections for AGW show an overall reduction in arable land.
This is not just because it takes more than warming to make a cold place a good place to grow crops, but also because weather is becoming more chaotic, so you can't count on having a growing season anywhere... But especially at higher latitudes, where the lows will be lower.
Re: Humans won't go extinct from climate change (Score:2)
All credible projections for AGW show an overall reduction in arable land.
Like this one?
https://www.nature.com/article... [nature.com]
Or what about this one?
https://journals.plos.org/plos... [plos.org]
This is not just because it takes more than warming to make a cold place a good place to grow crops, but also because weather is becoming more chaotic, so you can't count on having a growing season anywhere... But especially at higher latitudes, where the lows will be lower.
The day after tomorrow wasn't a documentary.
Besides, think about what you're saying for at least ten minutes, because I know it's going to take at least that long for you to process what I'm telling you: You're saying the cold season, which already isn't suitable for growing in higher latitudes anyways, is going to get colder, therefore unsuitable for growing. See if you can figure out where you went wron
Re: (Score:2)
The day after tomorrow wasn't a documentary.
I haven't even seen it. I don't watch most movies.
Besides, think about what you're saying for at least ten minutes
Wow, you really think you know something, don't you? Hilarious.
You're saying the cold season, which already isn't suitable for growing in higher latitudes anyways, is going to get colder, therefore unsuitable for growing.
Well, at least we know your reading comprehension is shit.
What I said is that the higher latitudes will have colder temperatures than lower ones when they are at their coldest.
This is a fact.
When you learn to understand English, come back for a debate. The best you can do now is be berated.
Re: Humans won't go extinct from climate change (Score:2)
Well, at least we know your reading comprehension is shit.
It's way better than yours, trust me on that.
What I said is that the higher latitudes will have colder temperatures than lower ones when they are at their coldest.
This is a fact.
You're starting to get somewhere, but you're still missing something big. Though it just occurred to me that I'm probably overestimating your intelligence. It might help if you read up on what kind of crops are popular in Alaska.
Re: Humans won't go extinct from climate change (Score:2)
They may be able to continue producing potatoes. The rest of that stuff is going to suffer from the increased unpredictability, especially the grain
Re: (Score:2)
Funny thing, Montana is a big grain-producing state, and we have possibly the most unpredictable, and definitely the most absurdly-variable climate in North America.
https://montanakids.com/facts_... [montanakids.com]
Oh, and we also grow potatoes, but only in very limited areas (potatoes need more predictable conditions), whereas grain is grown here pretty much anywhere the ground is near enough to level.
Re: (Score:2)
And whoops this comment was on the wrong article mod down off-topic if you have mods to blow..
Re: (Score:1)
Offtopic -10
Stupid -100
Re: (Score:2)
Pretty much. That person has no idea what 10C means.
Re: (Score:2)
I do. People in Dubai live 15 to 25C higher than the global mean surface temperature (15C) and they're alive aren't they? Hm...
Re: (Score:2)
As I said, you have no clue what 10C global warming means. You just demonstrated that nicely. It is not a simple temperature increase. It means much more _variable_ temperatures and much less stable weather. At this time there is no more excuse left to not know that.
Now, the models have long broken down at 10C increase, because too much goes to hell. So we do not know how bad that case will be. But 10C would probably come with 30C or even more variability. When the people in Dubai have 70C one day and -10C
Re: (Score:1)
Your sig is spot on today.
Re: (Score:1)
That was one of the dumbest statements I've ever read. We won't all die, so it's no problem. Fucking brilliant.
Re: (Score:1)
The US Government Has a Microsoft Problem (Score:5, Interesting)
Microsoft has stumbled through a series of major cybersecurity failures over the past few years. Experts say the US government’s reliance on its systems means the company continues to get a free pass.
https://archive.is/9MGtk [archive.is]
= = = =
A snippet from the Wired article:
When Microsoft revealed in January that foreign government hackers had once again breached its systems, the news prompted another round of recriminations about the security posture of the world’s largest tech company.
Despite the angst among policymakers, security experts, and competitors, Microsoft faced no consequences for its latest embarrassing failure. The United States government kept buying and using Microsoft products, and senior officials refused to publicly rebuke the tech giant. It was another reminder of how insulated Microsoft has become from virtually any government accountability, even as the Biden administration vows to make powerful tech firms take more responsibility for America’s cyberdefense.
That state of affairs is unlikely to change even in the wake of a new report by the Cyber Safety Review Board (CSRB), a group of government and industry experts, which lambasts Microsoft for failing to prevent one of the worst hacking incidents in the company’s recent history. The report says Microsoft’s “security culture was inadequate and requires an overhaul.”
Re: (Score:2)
Microsoft has stumbled through a series of major cybersecurity failures over the past few years.
Microsoft has stumbled through a series of major cybersecurity failures, as it has throughout its entire lifetime of existence. Not merely the past few years.
Re:Meanwhile, at Microsoft... (Score:4, Informative)
Pure luck, not a security person and actually a FOSS maintainer employed by Microsoft. An individual accomplishment, not one of Microsoft at all.
Re: (Score:3)
Well, he's right here. This was an individual who happened to stumble into this who happened to be employed by Microsoft.
There's plenty to point to to suggest that Microsoft isn't worse than some competitors that people might suggest or even better in some regards, but the XZ situation has nothing to do with Microsoft technical or business leadership other than happenstance of employing the one guy.
Re: (Score:2)
Indeed. Thanks.
As to MS competitors, yes, many are not better. That does not make it OK for Microsoft to be crap. Especially when you think of the damage that, say, Azure going down for few weeks or any Internet-reachable Windows installation getting hacked and becoming non-functional would do. This is in the damage range that can depopulate countries and worse.
Re: (Score:3)
If you read up, it was made to look like a Chinese cyberattack, but they slipped up just enough to unmask themselves. It was someone from a UTC+2 time zone. Apart from anything else, the attacker worked on all the Chinese public holidays but none of the Western ones. That is, if you work on Chinese New Year but not Christmas Day, you are very unlikely to be a Chinese hacker.
The timezone even precludes Russia unless they were operating out of Kaliningrad, but most of the hacking seems to come from either St. Pete
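The commit-timestamp reasoning in the post above (declared offset, working-hour fit, holiday activity), as an added example that is not part of any post in this thread. The log lines, author name and holiday lists are constructed for illustration; the point is that the working-hour fit only narrows the author to a range of zones.

```python
from collections import Counter
from datetime import date, datetime, timedelta, timezone

# Constructed sample in `git log --format='%an %aI'` form; not real project history.
# Clocks are set to +08:00, but the wall-clock hours look odd for that zone.
SAMPLE_LOG = """\
jdoe 2024-02-10T15:12:00+08:00
jdoe 2024-02-10T18:45:00+08:00
jdoe 2024-02-12T16:05:00+08:00
jdoe 2024-02-14T21:30:00+08:00
jdoe 2024-03-04T17:20:00+08:00
jdoe 2024-03-05T19:50:00+08:00
"""
# Partial holiday calendars, constructed for illustration.
WESTERN_HOLIDAYS = {date(2023, 12, 25), date(2024, 12, 25)}
CHINESE_HOLIDAYS = {date(2024, 2, 10), date(2024, 2, 11), date(2024, 2, 12)}

def parse_commits(log_text):
    """Parse 'author ISO-8601-with-offset' lines into (author, aware datetime)."""
    commits = []
    for line in log_text.splitlines():
        author, stamp = line.rsplit(" ", 1)
        commits.append((author, datetime.fromisoformat(stamp)))
    return commits

def offset_histogram(commits):
    """How often each declared UTC offset appears in the author timestamps."""
    return Counter(dt.strftime("%z") for _, dt in commits)

def holiday_commits(commits, holidays):
    """Commits whose local calendar date falls on a listed holiday."""
    return [(a, dt) for a, dt in commits if dt.date() in holidays]

def best_fit_offsets(commits, work_start=8, work_end=20):
    """Reinterpret each timestamp in every candidate zone (UTC-12..UTC+14) and
    return the offsets under which the most commits fall in a normal working
    day. The answer is a range of plausible zones, never a single one."""
    scores = {}
    for off in range(-12, 15):
        hours = [(dt.astimezone(timezone.utc) + timedelta(hours=off)).hour
                 for _, dt in commits]
        scores[off] = sum(work_start <= h < work_end for h in hours)
    top = max(scores.values())
    return sorted(off for off, n in scores.items() if n == top)

if __name__ == "__main__":
    commits = parse_commits(SAMPLE_LOG)
    print(dict(offset_histogram(commits)), len(holiday_commits(commits, CHINESE_HOLIDAYS)))
    print("offsets that fit a normal workday:", best_fit_offsets(commits))
```

On the constructed sample every commit declares +08:00, yet the hours fit a normal workday only for UTC+1 through UTC+6, and three commits land on the Chinese New Year holiday.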
Re: (Score:2)
Possibly. They were careful not to do any damage. If they had wanted, the world would burn. And Microsoft noticed nothing and has learned nothing. I guess the world needs to burn before better IT practices can be established.
Re: (Score:2)
They were careful not to do any damage. If they had wanted, the world would burn.
Since the thread is about the XZ issue, this is an odd statement to make. They weren't careful, they got caught before it hit widespread deployment. It had barely been in a tagged xz release and only barely made it into the bleeding edge rolling test releases of select distributions. We have no information on what they would have done if it had lived long enough to be in widely deployed Ubuntu LTS, RHEL, SuSE, embedded implementations.
Funnily enough, they might have been foiled anyway, because at the sam
Re: (Score:2)
Ah, sorry. I confused threads and then mixed things together that do not belong together. I was thinking about the compromised MS cloud master key from last year. Obviously my statement is nonsense in the context here. My apologies.
Re: (Score:3)
Actually, they were extremely careful and slowly wormed their way into a maintainership position via sock-puppets and astroturfing, where they could insert code with perhaps less scrutiny than, say, trying to trojan some pull request. Then they put most of the payload in some binary material that ships with the software rather than source code someone would likely feed to some SAST tool or otherwise audit effectively as part of due diligence. They did this over a long span of time and did legitimate maintena
Re: (Score:2)
But it wasn't that they were careful not to do damage; they were careful, but the damage was yet to be seen.
as what makes it to a general release in the major Linux distributions is 'really pretty solid'.
I think it's hard to say, as no one can point to a party that would have likely otherwise caught it, except some guy that noticed that ssh session establishment was 'a bit off'. In fact, if his random usage of xz had been a couple weeks later, he probably wouldn't have investigated because the attackers had released a "fix" for the performance impact. This was from all appearances pure luck that this
Re: (Score:1)
Yeah, this was on /. a few days ago.
You think China can't do better than that? (Score:2)
A bunch of stuff about it was really amateurish. The valgrind errors, using the same account for multiple parts of the attack, using sockpuppets who had no presence outside shilling for "JiaTan". I'd expect better from any competent government agency.
Re:getting logs out of windows is a problem? (Score:4, Informative)
No logging software is able to record the authentications to AAD, Exchange Online, or other cloud services run by Microsoft, because they're Microsoft's servers; Microsoft doesn't provide you the ability to run programs on their servers. You literally don't have access to the sets of logs, tools, or APIs necessary to get the log of authentications without paying extra for security licenses.
Re: (Score:2)
Which was discussed often enough. There is no valid excuse for posting on this topic and not knowing that.