Everything authenticated by Microsoft is tainted (graz.social)
772 points by ColinWright 11 months ago | hide | past | favorite | 370 comments



From Microsoft’s blog post on the incident (Mitigation and Hardening section):

- On June 26, OWA stopped accepting tokens issued from GetAccessTokensForResource for renewal, which mitigated the token renewal being abused.

- On June 27, Microsoft blocked the usage of tokens signed with the acquired MSA key in OWA preventing further threat actor enterprise mail activity.

- On June 29, Microsoft completed replacement of the key to prevent the threat actor from using it to forge tokens. Microsoft revoked all MSA signing keys which were valid at the time of the incident, including the actor-acquired MSA key. The new MSA signing keys are issued in substantially updated systems which benefit from hardening not present at issuance of the actor-acquired MSA key:

  - Microsoft has increased the isolation of these systems from corporate environments, applications, and users. Microsoft has refined monitoring of all systems related to key activity, and increased automated alerting related to this monitoring.

  - Microsoft has moved the MSA signing keys to the key store used for our enterprise systems.

- On July 3, Microsoft blocked usage of the key for all impacted consumer customers to prevent use of previously-issued tokens.

I’m not a security expert. What are the holes in this strategy?


The problem is that you have no way to verify what may or may not have been done by malicious actors using compromised keys in the meantime.

If you have immutable, permanent audit logs, you can go through all actions authenticated with something directly or indirectly signed by the leaked key. However, building such an audit log in a way that someone with maximum permissions still can't tamper with it is not easy — and not cheap. (And, worst case, the audit log may not have the necessary detail; e.g. just listing an authenticated identity, but not the way authentication was established — thus not allowing easy identification of possibly compromised access.)

As such, the hole in the strategy is that it doesn't account for other persistent backdoors that may have been added while access using this leaked key was possible. It only prevents further exploitation of the issue. But depending on the sophistication level of the attackers — which seems extremely high considering how the key was apparently stolen — it's nigh impossible to figure out how many secondary avenues of access they have established.


The problem with THAT line of thinking is:

* We already have confirmation that the US government has been tapping internet infrastructure, accessing back doors in BigTech backends, and compromising industry-wide encryption and RNG standards.

So there is no way to prove that SOMEONE at the NSA doesn't have the ability to access all of the information on the internet.

And, since the NSA is just more humans, that means there's no way to prove that someone else hasn't sold that ability or specific subsets of the data to malicious actors.

Post Snowden revelations, you have to do risk analysis. Is some US or Five Eyes Government Agency able to access all your personal information or business competitive secrets? Probably Yes. Can one of your competitors? Probably Not. Can a malicious neighbor or drug cartel that would then use it to extort you for money? Probably not.

So even in this hypothetical example where everything authenticated by Microsoft is tainted, it's not clear if it actually changes this equation significantly.


Could this be said for just about _any_ intrusion? Once you’ve been compromised, is there any way to know that no back doors were installed? Is this situation different than others?


Well, it really depends on the maximum privilege achieved by the intrusion, a user getting compromised hopefully can't do much more than exfiltrate data they have access to; local admin could compromise the OS or even the BIOS, then there's possibly multiple levels of domain admin, and then there's a compromise of the authentication system itself…


One big problem is that there's no way of knowing what other holes/backdoors were introduced during the period when the attacker had all those credentials. Maybe they are immediately able to get the new key.


Let's hope someone has spent the last 3 months reinstalling Azure from the original CD.


FCKGW-RHQQ2-YXRKT-8TG6W-2B7Q8


Thanks. I used to have that on a piece of paper taped to my tower. I don't have that tower but instantly recognized it.


You can but you need to install NT4 first, then do all the upgrades


[Laughs in Trusting Trust Problem]


"MSN Limited Edition Gold CD" is actually a thing.


Why is there no way of knowing? I would think Microsoft is able to do forensic snapshot comparisons for their datacenters -- at least, I would assume a trillion dollar company does.


Establishing that ability costs money (i.e. having snapshots & co.), and actually executing it costs further money.

Absent either customers paying for it, or regulations requiring it, Microsoft certainly won't sink money out of the goodness of their heart. I don't believe there are a lot of regulations for this — and how many customers do you think would pay for something like this? Realistically? :-(


I mean, they at least have SOC2 compliance, and obviously a lot more (FEDRAMP). To get those certifications an auditor is going to make sure you have basic shit in place like logging, etc.


They're not going to make sure of anything, in my experience, except that an org's IT management had a disappointing conversation with their team and then aspirationally checked boxes claiming to have things in place.


yeah, but SOC auditors barely understand the stuff you’re providing as proof.


It's gonna depend on the auditor, but yeah of course SOC2 doesn't mean "you're secure" but unless you actively lie to your auditor you're going to have some basic stuff in place.


no one can do what you suggest. it's nonsense.


These points seem to dispute the "the keys are compromised and still in use" and the "everything is tainted" title.


The article does not claim the keys are still in use. It specifically says "missing containment actions". Everything is tainted because you don't know what secondary actions were executed using the compromised keys.


This issue is specific to Azure and Microsoft. I find AWS and GCP to be fine.

Microsoft has some of the worst security vulnerabilities and practices I have ever seen. I can’t for the life of me figure out how executives at big Fortune 500 move their workloads to Azure.

The only selling point Microsoft has for Azure in some domains is that Amazon is their competitor. I wish Amazon just let AWS be its own thing.

I also hope that Microsoft steps up their security game, but at this point it’s kind of a lost cause.


Microsoft is luring in non-tech companies with Active Directory and Office 365 and then catches them with promises about good integration into all services. Once the companies are in the Azure dashboard, why not try those fancy services they offer?

It's all smoke and mirrors but it works.


I'm honestly surprised they haven't been trying to bundle GitHub more (or vice versa).

It does work and it is very compelling, at least on the tin. The problem is convincing powers that be that it doesn't do what it says is borderline impossible. The most they've built is equal parts astounding and terrifying.

In a sort of funny twist I feel like this is an area Google could really excel in if they got their shit together. Signing up for Workspace and GCP and everything else makes you feel like they don't want you to use their products.

TFA seems strangely relevant as there seems to be some cultural values reflected in both Microsoft's security posture and reputation, and the ability to bundle and market disparate and downright broken (at least in some cases) products effectively.


Observation from German companies (smaller, e.g. 250 employees, mid, big): Azure DevOps is used. No one uses GitHub. I am sure it's widespread, but rather for small companies.


Where I work (globally well-known brand) GitHub is chosen as the future platform, since apparently that is where MS invests more. DevOps is seen as legacy. Curious if others have different info.


ADO was dead, until customers told Microsoft ADO wasn’t dead.

Once Microsoft learned that ADO was not, indeed, dead, they began to reformulate the path forward for ADO and have actually released a fair amount of preview and release features since the pivot back.

Enterprises like ADO and even when ADO was “legacy”, MSFT continued to see an uptick in adoption. ADO has better integration with Azure, at least for the web app space I play in.


From open source documentation commits and feature lag (new features for DevOps are old GitHub features and even now include GitHub branding) I think it is impossible to avoid the impression that GitHub is active development and DevOps is legacy.

The problem is that Microsoft still hasn't said that officially and directly out loud despite the writing on the wall. They continue to sell DevOps to new teams and point to its "active roadmap" (despite it being mostly unambitious and increasingly "copy X from GitHub"). So a lot of companies still have just enough doubt in the message that DevOps is legacy/dead that they keep inside it and don't migrate to GitHub, because Microsoft keeps giving them that doubt. I'm not sure if it is superstition on Microsoft's part to not kill DevOps (it is an ancient team with quite a legacy; it's maybe Microsoft's albatross), some sort of "magic" migration strategy they want to keep secret until complete, or just that Microsoft loves telling customers what they want to hear and enough companies want to hear "DevOps is alive and in good health" for a number of sunk cost or emotional support reasons.


Are you sure? I have had the "pending/reviewed file" feature in DevOps for years, months before it was available at GitHub afaik. But maybe I'm mixing it up.


In many many many ways, they’re the same thing. GitHub Actions is Azure DevOps.


From what I've heard from cloud consultants in Scandinavia (which is going through a huge move to the cloud as many places) the Microsoft Azure sales machine is on another level compared to competitors.

Microsoft will show up with 10 sales engineers, while others might just be a contractor or a Zoom call.

They present themselves as the authority for non-technical businesses and are winning a lot on that.

They're good at capturing market share, no doubt about it.


One incentive spells kickback. When money, and not quality, is the measurement.


My old boss directed us to Azure because one potential benefit was 'getting all invoices from Microsoft.' It was a separate invoice and not with O365...


> I can’t for the life of me figure out how executives at big Fortune 500 move their workloads to Azure.

Almost every organisation already has a huge-ass contract with Microsoft for Windows, AD, Office, Teams, Exchange and whatnot, deeply integrated with their core IT. So if the organisation doesn't already have AWS set up as a supplier, it's usually easier to push for an existing supplier instead.


I think of our company as an "indie" startup and we use Office365 for email. There are a bunch of things that I hate about it but what are the plausible alternatives? Before we moved to O365 85%+ of our emails landed in spam folders.


There's Google, which is less infuriating to use than Microsoft stuff from what I've heard. Microsoft, Google and Yahoo regularly block or delay mails from independents[1].

[1] https://news.ycombinator.com/item?id=35380823


Fastmail is very good and has been running for 24 years, with good deliverability. Migadu I hear is good. There's quite a few email providers that aren't Microsoft or Google that have their shit together.


Yeah, Fastmail is pretty close to Office 365. As long as you're not dependent on Azure for other components. I suggest businesses think about migrating away from O365 because this problem will probably get worse in the future, since Microsoft is either too big, or not able to secure their own security implementation.


GSuite tends to work ok for email. There might be others.


85%? I can't imagine even dedicated spam hosting companies in China having that kind of deliverability issues. That is seriously bizarre.


Sometimes you get a bad roll of the dice when you choose a lesser known email provider and you start with worse than average reputation. Can never go wrong with Gsuite, O365, etc.


OK. Maybe the "email provider" part is the problem. They were probably lax on spammers or they couldn't keep up with them.

I have experience with hosting my own on dedicated servers. It's mostly been fine.


This is what I used to do (and what my father still does). Essentially if you don't have 20+ years of history you appear to be doomed on this. Adding DKIM / SPF even configured correctly didn't seem to do much good.


This has not been my experience but every circumstance is different.


GSuite or whatever Google calls it now, Zoho.


> I can’t for the life of me figure out how executives at big Fortune 500 move their workloads to Azure.

Blame CTOs and system admins who are either married to the stack because it's the most familiar OR they were forced onto it by a CTO because, "no one ever got fired for picking a Gartner upper right quadrant option."


Well, I can't talk for all of them, but at least 2 I worked for have migrated or are finalizing their migration from Azure.


It’s not just workloads, but all of the Azure AD and Active Directory things along with office 365. It’s a ton of services and few companies actually don’t use AD.


I used to work as a federal contractor for the US Military in 1996-1997 and they replaced their Windows Web Servers with Macintosh ones because the Mac had better security.

I used to run a Windows 2000 Pro web server, after lack of security I switched to Linux.

Microsoft may be popular, but they have big holes in their security. Always has been.


Also worth mentioning: the USS Yorktown incident, which happened in that period.

https://www.wired.com/1998/07/sunk-by-windows-nt/


No, that is not worth mentioning because that problem had nothing whatsoever to do with the operating system.

What happened was that someone entered a 0 on a data entry form in a field that was not supposed to be 0. That form was submitted to an application on a server, which used it as a divisor and got a divide by zero exception.

That application did not handle divide by zero exceptions and so was terminated by the OS.

With the server application no longer running, terminals around the ship that relied on that application were no longer useful.


They replaced Windows NT with Classic Mac OS?



Isn't that like moving from Windows NT to Windows 95 for hosting your web server?


That's not as crazy as it sounds, because the problem they were trying to address was website security against threats from the internet.

As long as the underlying OS is secure enough that attackers can't get in via something like a buffer overflow in the TCP code, website security is almost entirely a matter of web server application security.

A well written web server application on Classic Mac OS then could be more secure than a less well written web server application on a more secure operating system such as NT.


Harder to execute a useful payload in a cooperative multitasking environment.


Win 2K Pro IIS5 would have been limited to 10 connections.

Not exactly useful for a web server beyond development.

FWIW, I had an Apache box running on Slack which got fork bombed around the same timeframe.

Security was largely up to the competence of the individual. I was learning Linux :-)


There is a book on Linux Hardening that helps secure Linux.

Win 2K Pro is limited to 10 connections. In 2002 I worked for a surgical tool company with sterilizing software for 300 clients and they tried to do it on Win 2K Pro, so I switched them to Server with SQL Server 2000 instead of Excel.


The better to sell you a product to patch that hole.

Like "antivirus".


> This issue is specific to Azure and Microsoft. I find AWS and GCP to be fine.

This issue.

Services get compromised often, cloud or customer managed. Microsoft has a mature, professional and effective security team. They got compromised, due to implementation flaws and one or more (my conjecture) corrupted insiders. Most organizations would have no idea wtf happened and would not be able to identify what has been revealed to the public.

Hindsight is 20/20.


The issue isn't that they were compromised in 2021. The issue is that they didn't purge their systems and the key/backdoor created then is still available after 2 freaking years.

I'm not surprised, it's Microsoft after all. They lied about their data security to win bids in the health market, only to let everybody down after a year when they finally understood the cost to secure that particular data was too high for them.


It's not about securing users' data, it's about not being blamed for it.

It doesn't matter that China/whichever state actor is snooping on all your users' data. Either no one finds out and you're good. Or the blast radius is _so_ wide that all blame falls on Microsoft.


> I can’t for the life of me figure out how executives at big Fortune 500 move their workloads to Azure.

Because they’re not financially liable for the mistakes of Microsoft. They go to these services because they sign contracts offloading that risk to another company. If Microsoft leaks your entire datastore because of poor security on their end, you sue them for damages because ensuring the protection of your digital property is part of the reason these companies are enticing to use in the first place. They use Microsoft because everyone uses Office 365 because it integrates well with Active Directory which they’ve used for their corporate directory for 20+ years.


> The only selling point Microsoft has for Azure in some domains is that Amazon is their competitor.

Can you explain this more? What's wrong with AWS compared to Azure?


The sentence is worded a little confusingly, but my interpretation of it is that for certain companies, since Amazon is a competitor in the business domain of that company, AWS is a nonstarter even if its product offerings are a better choice. Walmart is the canonical example.


I worked for a company where this exact thing happened, for this exact reason.

I no longer work there, but they chose GCP because AWS wasn't even in the running because of this.


Active Directory, plus needing to have Office no matter what. AD makes things really smooth (at least compared to the alternatives).


Such hyperbole. This was a bad breach, for sure, and we may not fully understand its scope at this point. But...

> They were able to implant #backdoors, self-made keys, ... all over the place.

I mean, emphasis on able to, as in "in theory, based on what I know, it is POSSIBLE", not that they did.

> If you didn't understand until now: basically EVERYTHING at Microsoft got hacked and Microsoft can't (or won't) get rid of the intruders. Everything authenticated by Microsoft is tainted. Even #Windows auth.

Microsoft's response also seems to clearly state that they have rotated the keys, moved them to a more secure storage, etc. They don't say they've removed the attackers, I guess, but they certainly don't indicate that the attack is ongoing. Certainly they don't indicate that all auth is forever broken.

I feel like the conclusions being drawn are extreme.

https://msrc.microsoft.com/blog/2023/09/results-of-major-tec...


> I feel like the conclusions being drawn are extreme.

You linked Microsoft's investigation report on the exploit.

The attackers first managed to get access to Microsoft's development network, noticed a crashdump, understood the possible significance of that, dug through it, found a private key, then acquired enough insight into Microsoft's authentication systems to understand how this key could be used beyond its intended purpose and then executed on that.

And you don't believe they left persistent backdoors in some high-profile targets?

The conclusions being drawn are … entirely appropriate. Your argument maaaaaybe makes some sense applied to general public random cloud customers. Backdooring indiscriminately just increases the risk of discovery. But large companies and government users? You have to assume compromise, anything else is incredulously naïve.

cf.:

https://www.microsoft.com/en-us/security/blog/2023/07/14/ana...

> Storm-0558 operates with a high degree of technical tradecraft and operational security. The actors are keenly aware of the target’s environment, logging policies, authentication requirements, policies, and procedures. Storm-0558’s tooling and reconnaissance activity suggests the actor is technically adept, well resourced, and has an in-depth understanding of many authentication techniques and applications.


I think there's a huge difference between "maybe there is a backdoor" versus "literally all of microsoft, across all orgs, is owned and they have to shut it all down and start from scratch", call me crazy.


That's really wishful thinking. Which is fine if you're a small company throwing non-sensitive things into Azure. If OTOH you were working as a SIEM at some company providing 2nd-order cloud services, this is where I would start questioning your qualifications and that company's overall policies.

(… especially when you're not even bringing up the fact that the compromised key was mainly usable to access e-mail)


I did indeed bring that up in another comment. I don't feel the need to repeat all information across all of my comments.

I don't know what your point is.


The "start from scratch" (or as we used to call it, 'nuke from orbit') approach is the only feasible one.

If an attacker had full root across the org for an undetermined (but not short) period, I'm unsure what other approach you think you could take? You can't just run MalwareBytes and call it a day.


Step 1 is to review your existing telemetry. You determine the possible scope of the attack based on the evidence you find. You remediate based on that. You may also want to consider scope that you don't have evidence for but that you lack telemetry for and that you believe an attacker could have accessed - that's fine too.

This comes down to a risk assessment. No company has a breach and just shuts everything down, that is insane. When we perform IR we build a detailed timeline, we collect the scope of potential access, and we form a remediation plan. We don't just go "well hey, anything can happen right? shut it all down".


Nuke it from orbit applies to a workstation, not an enterprise environment.


Nukes can be applied to all kinds of shit. It's easy enough to understand the implication of the phrase that there's no need to pretend it can only apply to specific items.


To me it sounds more like: Most likely backdoors have been planted.

So the question is how you handle such a situation.


> This was a bad breach, for sure, and we may not fully understand its scope at this point

> I mean, emphasis on able to, as in "in theory, based on what I know, it is POSSIBLE", not that they did.

When you consider the potential implications, and possible scenarios, from a security perspective you have to assume that they're not just "possible" but a reality.

If you find a zero day exploit, you don't just ignore patching it because "well nobody else probably has it".


> When you consider the potential implications, and possible scenarios, from a security perspective you have to assume that they're not just "possible" but a reality.

No you don't. You definitely don't want to assume otherwise and you spend the time derisking and investigating, but if you have zero evidence to support the situation you don't just consider it the case anyways.


Of course you patch it, but you don’t assume that every system affected by this 0-day got exploited. You try to check if some were and it’s obvious that people at Microsoft are doing exactly that.

Not saying that MS’s response was great, but I agree with GP that the whole thing is hyperbolic.


> Of course you patch it, but you don’t assume that every system affected by this 0-day got exploited.

Uhh, what? Of course you do. Why give the benefit of the doubt to hackers who hacked you with malicious intentions? That's the type of security nonsense that I'd expect from... Well, Microsoft lol


So every time a 0day is released you buy a net new device? Cause there are 0days like... every day.


If you find yourself owned by, and not only from a 0-day, then yes, you wipe everything clean and re-build with mitigations in place from the start as to not get reinfected in the process.

That's pretty much the only option if you safeguard valuable data for your customers. Yes, it's expensive to get breached, so take precautions to make it a rare event and contain it as much as possible when it happens.

I don't think the article is unreasonable. This is cloud infrastructure sold to companies with defense industry contracts where breaches are taken seriously.


I mean, yes, obviously, you have malware on a box, you rotate that box. They had keys and they rotated the keys. But the implication here is that the attacker could have done anything and therefore they have to destroy everything, which is unreasonable.


Rotating keys is far from enough. If your keys are compromised, you need to revoke everything. Then you need to assess what the impact is and wipe anything the compromised keys had access to during the period.

This is not theoretical. When the openssl fiasco hit, I worked in a place under financial regulation. Not even the defense sector, which is under much stricter rules. We had to go through all logs to ascertain customer data was intact, and since leaking private keys did not leave a trace in the logs we then wiped clean all systems these keys secured.

This was a massive undertaking to coordinate and minimize downtime for customers but it was deemed necessary to comply with security regulations. To hear that a big juggernaut such as Microsoft doesn't even do this without facing much consequences is mind boggling. I can not understand how that would ever pass an audit.


Revoke everything? Everything?

I have literally done incident response I am well aware of what the investigation process is like.


Everything a potentially compromised key has signed, yes. What are we discussing here? This is standard procedure in every compliance process I have ever had the misfortune to work with, but for quite good reasons. Hope alone won't pass an audit.


OK but "everything" and "everything the key may have signed" are obviously so insanely different.


> I mean, yes, obviously, you have malware on a box you rotate that box.

"The box" in this case is their entire org.


Every time a 0day that granted privilege escalation was found in installed bins/libs, we ran a script that looked at setuids on anything and everything and did a report on what was found. We managed to find a crypto miner once.

Obviously I won't run it on my personal computer, but I'm not renting my PC to anyone.


Literally no one is suggesting that they don't perform a thorough investigation.


It's one thing if it's your laptop, but another if it's a system with billions of users.


A released 0day is an oxymoron.


I have a 0 day. I release it. I released the 0 day.


Hehe pedant but after that action, it's no longer a 0day...


It's named so because you have "0 days" to patch it; it's not referring to the age of the vuln.


Yes it is.


I'm sure Microsoft is provided all the resources they need to flush out any embedded binaries and ill-configurations including every federal agency available.


Plot twist: the hackers have already taken over Microsoft and were the ones who published blog posts about how they'd handled the breaches.


This story has been widely under-reported and the impact is potentially huge. My beef with MS is this: the keys were leaked in 2021 and were still signing authentication tokens in 2023, but there's not a single Azure service that allows me to enter credentials with a 2-year duration. It's a classic case of "do as I say, not as I do".


Imagine what the CA/Browser Forum would do if they discovered that a PKIX CA had lost control of its signing keys, didn't revoke them and in fact carried on using them for 2 years without telling anyone...


Have you checked if you have a Microsoft CA installed to your system?


More seriously, on my Debian stable system:

    $ dpkg -l ca-certificates
    Desired=Unknown/Install/Remove/Purge/Hold
    | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
    |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
    ||/ Name            Version      Architecture Description
    +++-===============-============-============-=================================
    ii  ca-certificates 20230311     all          Common CA certificates
    
    $ trust list | grep Microsoft
        label: Microsoft ECC Root Certificate Authority 2017
        label: Microsoft RSA Root Certificate Authority 2017

On RHEL 9:

    $ rpm -q ca-certificates
    ca-certificates-2023.2.60_v7.0.306-90.1.el9_2.noarch
    
    $ trust list | grep Microsoft
        label: Microsoft ECC Product Root Certificate Authority 2018
        label: Microsoft ECC Root Certificate Authority 2017
        label: Microsoft ECC TS Root Certificate Authority 2018
        label: Microsoft Identity Verification Root Certificate Authority 2020
        label: Microsoft RSA Root Certificate Authority 2017
        label: Microsoft Root Authority
        label: Microsoft Root Certificate Authority
        label: Microsoft Root Certificate Authority 2010
        label: Microsoft Root Certificate Authority 2011
        label: Symantec Enterprise Mobile Root for Microsoft

Interesting that RHEL has many more certificates, when both packages take whatever's bundled into NSS.

According to 'rpm -q --changelog ca-certificates' RHEL take their certs from "CKBI 2.60_v7.0.306 from NSS 3.91" and according to /usr/share/doc/ca-certificates/changelog.Debian.gz, Debian take theirs from "Mozilla certificate authority bundle" 2.60.


And so, to get back to your question:

> Imagine what the CA/Browser Forum would do if they discovered that a PKIX CA had lost control of its signing keys, didn't revoke them and in fact carried on using them for 2 years without telling anyone...

Are these certificates affected? Or perhaps the CA/Browser Forum aren't aware of the scope.


I sure hope not. But I suppose only Microsoft are able to confirm whether their PKIX CA private keys are or are not affected by their various security incidents, including the Azure token leak mentioned by ggeorgovassilis.


Are you aware of what applications and services are verified by these keys? I am thinking it might be worth removing these specific root certificates if they are used only for a select number of purposes, considering that the vast majority of 'normal' websites use other CAs like DigiCert or Let's Encrypt.


Among other things, Azure services use certificates issued by those issuers.


I simply assume Microsoft has already compromised my systems. :)


This. They don’t even use a HSM if I understood correctly and using one is not part of the mitigation plan. Not OK.


They sure sell HSM on Azure.


HSMs are super inconvenient, obviously, and as Mr. Robot showed, not perfect. So why bother? /s


Apparently they might also be backdoored by the NSA: https://news.ycombinator.com/item?id=37571014


Still probably better than having the private key be part of a random core dump from a random developer. :s

That’s just embarrassing.


No doubt. My expectations of MS engineering are really low so I'm unfortunately not shocked.


Frankly, is this important? If the NSA is a threat to you, do you have any business trusting MS?


No one has any business trusting Microsoft, apparently?

I’m under no delusions that an intelligence agency with ‘home team advantage’ wouldn’t already have the keys to the kingdom. If they are in the apparent habit of leaving the keys sitting around in random Cafes, the odds that other non-home team intelligence agencies have a copy increases dramatically too. Or even random miscreants.

As to if that matters? Eh.


The worst part of the story to me is this: those were not even the right keys, those were something issued to a client and scoped, but the scoping check was broken. It’s unbelievably bad all around.


Close, but not quite. The keys were for consumer Microsoft accounts, but accepted for organization accounts as well.


You can still create "app registration secrets" that last for up to two years. Until recently, you could create essentially unlimited-duration secrets.


It's only a limitation in the UI. Using powershell you can still create client secrets that are valid for hundreds of years.
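
A tenant-side check for the problem described in the two comments above is to audit every app registration's client secrets for lifetimes beyond the two-year portal ceiling. The following is an added example, not code from the thread: it runs over JSON shaped like the Graph `applications` resource (`passwordCredentials` with `keyId`, `startDateTime`, `endDateTime` is Graph's real schema; the sample records themselves are constructed) and flags secrets whose total window, or whose remaining validity from today, exceeds the cap.

```python
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=730)   # the two-year ceiling the portal UI enforces

# Constructed sample shaped like GET /v1.0/applications?$select=appId,displayName,passwordCredentials
SAMPLE_APPS = [
    {"appId": "11111111-1111-1111-1111-111111111111", "displayName": "billing-sync",
     "passwordCredentials": [
         {"keyId": "aaaa-1", "displayName": "rotated-2024",
          "startDateTime": "2024-01-10T00:00:00Z", "endDateTime": "2025-01-09T00:00:00Z"}]},
    {"appId": "22222222-2222-2222-2222-222222222222", "displayName": "legacy-connector",
     "passwordCredentials": [
         {"keyId": "bbbb-1", "displayName": "scripted-forever",          # the PowerShell case
          "startDateTime": "2019-03-01T00:00:00Z", "endDateTime": "2299-12-31T23:59:59Z"},
         {"keyId": "bbbb-2", "displayName": "already-expired",
          "startDateTime": "2023-06-01T00:00:00.1234567Z", "endDateTime": "2023-12-01T00:00:00Z"}]},
    {"appId": "33333333-3333-3333-3333-333333333333", "displayName": "pilot-app",
     "passwordCredentials": [
         {"keyId": "cccc-1", "displayName": "future-dated",              # short window, but starts later
          "startDateTime": "2026-01-01T00:00:00Z", "endDateTime": "2027-06-01T00:00:00Z"}]},
]

def parse_graph_time(ts):
    """Graph returns ISO-8601 UTC, sometimes with 7-digit fractional seconds; both forms are handled."""
    base = ts.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def audit_secrets(apps, now, max_lifetime=MAX_LIFETIME):
    """Return (app, keyId, reason, days) for every still-valid secret that either
    was issued for longer than the cap, or will stay usable longer than the cap from `now`."""
    findings = []
    for app in apps:
        for cred in app.get("passwordCredentials", []):
            start = parse_graph_time(cred["startDateTime"])
            end = parse_graph_time(cred["endDateTime"])
            if end <= now:
                continue                      # expired secrets are cleanup, not a risk finding
            lifetime, remaining = end - start, end - now
            if lifetime > max_lifetime:
                findings.append((app["displayName"], cred["keyId"], "lifetime", lifetime.days))
            elif remaining > max_lifetime:    # only possible when the secret is not yet valid
                findings.append((app["displayName"], cred["keyId"], "remaining", remaining.days))
    return findings

def audit_sample(now_iso="2024-06-01T00:00:00Z"):
    """Run the audit over the constructed sample at a fixed reference time."""
    return audit_secrets(SAMPLE_APPS, parse_graph_time(now_iso))

if __name__ == "__main__":
    for row in audit_secrets(SAMPLE_APPS, datetime.now(timezone.utc)):
        print("%-18s %-8s %-10s %d days" % row)
```

Feed it the real Graph response for your tenant and the `lifetime` findings are exactly the scripted, hundreds-of-years secrets the comment above describes; the UI cap never retroactively shortens them.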


This seems overly hyperbolic and alarmist. I do not think the sources prove the scope of breach the post asserts ("all of Microsoft"), seems more like a temporary key leak that was subsequently revoked.


Found following from the links from the post:

2023-07: Hackers stole a Microsoft Azure Active Directory certificate which gave them full access to basically all Microsoft cloud services including Outlook, Office, SharePoint, Teams, "Login with Microsoft", and so forth. (MS blog entry [1], Source[2], German source)

Also the following:

https://infosec.exchange/@briankrebs/110820474957163710

Quite damning if true.

[1]: https://www.microsoft.com/en-us/security/blog/2023/07/14/ana... [2]: https://www.wiz.io/blog/storm-0558-compromised-microsoft-key...


The issue was specific to services that used Microsoft's .NET libraries for Azure AD authentication without doing additional checks for auth token validity [1], which was not "all of Microsoft". There's no public list of what components are used where AFAIK, we just know that MS says forged auth tokens were successfully used on Exchange Online email. It is sensationalizing to say the entire Azure cloud was hacked.

This is not to downplay how bad Microsoft's security lapses were, and how bad their announcements were. The most horrifying part to me, besides the need for "premium" logs to detect a breach which I'd been complaining about before this, was how PR seemed to blame the Exchange Online team for misusing the authentication libraries, but later they updated the libraries and said the token validation issue was "corrected using the updated libraries". That feels like internal blame shifting out in public.

[1] https://msrc.microsoft.com/blog/2023/09/results-of-major-tec...
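
Both the "consumer key accepted for organization accounts" point above and the note that services relying on the stock validation library did no additional token checks come down to one question: is the signing key looked up by kid alone, or by (issuer, kid)? The following is an added example, not code from the thread or from Microsoft's libraries. It uses HS256 so it runs on the standard library alone (the real tokens are RS256, but the key-binding logic is identical), and the two issuers, their keys and the audience are constructed stand-ins. A lax validator that merges every issuer's keys into one pool accepts a token minted with the consumer key even though it claims the tenant issuer; the strict validator rejects it because that kid was never published by the claimed issuer.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins for two issuers that publish separate signing keys.
CONSUMER_ISS = "https://consumer.issuer.test"
TENANT_ISS = "https://tenant.issuer.test"
AUDIENCE = "api://mail"
KEYS_BY_ISSUER = {
    CONSUMER_ISS: {"msa-key-1": b"consumer-signing-secret"},
    TENANT_ISS: {"aad-key-1": b"tenant-signing-secret"},
}
# What a lax validator ends up with when every issuer's keys land in one pool.
MERGED_KEYS = {kid: k for ks in KEYS_BY_ISSUER.values() for kid, k in ks.items()}

def _b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(claims, kid, secret):
    """Mint an HS256 JWT (HMAC stands in for RS256 so the example needs only the stdlib)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    body = ".".join(_b64u(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))
    return body + "." + _b64u(hmac.new(secret, body.encode(), hashlib.sha256).digest())

def _split(token):
    h, c, s = token.split(".")
    return json.loads(_b64u_dec(h)), json.loads(_b64u_dec(c)), h + "." + c, _b64u_dec(s)

def _sig_ok(body, sig, secret):
    return hmac.compare_digest(hmac.new(secret, body.encode(), hashlib.sha256).digest(), sig)

def _check_common(claims, audience, now):
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")

def validate_lax(token, merged_keys, audience, now):
    """Vulnerable pattern: the key is chosen by kid alone from a pool that mixes issuers,
    so a consumer key can vouch for a token that claims the tenant issuer."""
    header, claims, body, sig = _split(token)
    secret = merged_keys.get(header.get("kid"))
    if secret is None or not _sig_ok(body, sig, secret):
        raise ValueError("bad signature")
    _check_common(claims, audience, now)
    return claims

def validate_strict(token, keys_by_issuer, audience, allowed_issuers, now):
    """Hardened pattern: the issuer must be one this audience trusts, and the kid is
    resolved only within that issuer's own published keys."""
    header, claims, body, sig = _split(token)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    iss = claims.get("iss")
    if iss not in allowed_issuers:
        raise ValueError(f"issuer not trusted: {iss}")
    secret = keys_by_issuer.get(iss, {}).get(header.get("kid"))
    if secret is None:
        raise ValueError(f"kid {header.get('kid')} not published by {iss}")
    if not _sig_ok(body, sig, secret):
        raise ValueError("bad signature")
    _check_common(claims, audience, now)
    return claims

def forged_tenant_token(now):
    """Attacker holds the consumer key and mints a token that claims the tenant issuer."""
    claims = {"iss": TENANT_ISS, "aud": AUDIENCE, "sub": "victim@tenant.test", "exp": now + 3600}
    return sign_token(claims, "msa-key-1", KEYS_BY_ISSUER[CONSUMER_ISS]["msa-key-1"])

def legit_tenant_token(now):
    claims = {"iss": TENANT_ISS, "aud": AUDIENCE, "sub": "alice@tenant.test", "exp": now + 3600}
    return sign_token(claims, "aad-key-1", KEYS_BY_ISSUER[TENANT_ISS]["aad-key-1"])

def outcome(validator, token, *args):
    try:
        return "accepted as " + validator(token, *args)["sub"]
    except ValueError as exc:
        return "rejected: " + str(exc)

def demo(now=None):
    now = now or int(time.time())
    forged, legit = forged_tenant_token(now), legit_tenant_token(now)
    return {
        "forged/lax": outcome(validate_lax, forged, MERGED_KEYS, AUDIENCE, now),
        "forged/strict": outcome(validate_strict, forged, KEYS_BY_ISSUER, AUDIENCE, {TENANT_ISS}, now),
        "legit/strict": outcome(validate_strict, legit, KEYS_BY_ISSUER, AUDIENCE, {TENANT_ISS}, now),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14} {result}")
```

Note that the forged token's signature is perfectly valid; the lax validator fails because it never asks whether the key that verified it belongs to the issuer the token names. That is also why revoking one key only closes the hole if the consumer is made to check issuer binding as well.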


Probably a better link would have been the one linked to in the post*:

https://karl-voit.at/cloud/

Which has these among a long list (retaining the reverse order from link above). NB I have just copied and pasted for convenience; neither removed text which refers to links nor added the actual links. You can click through yourself if you want to follow the links.

8<---

2023-08: Again Microsoft, again Azure: "unauthorized access to cross-tenant applications and sensitive data (including but not limited to authentication secrets)". If you aren't tech-savvy: this is very bad. (Source)

A recurring pattern emerges more and more: Microsoft didn't fix the issue in months and as of 2023-08-03 it is still an open vulnerability in Azure, risking the data of all Azure customers. related:

Microsoft comes under blistering criticism for “grossly irresponsible” security | Ars Technica

BrianKrebs: "The CEO of Tenable just ripped Microsoft a new on…" - Infosec Exchange

2023-07: Hackers stole a Microsoft Azure Active Directory certificate which gave them full access to basically all Microsoft cloud services including Outlook, Office, SharePoint, Teams, "Login with Microsoft", and so forth. (MS blog entry, Source, German source)

With the default logs, customers could not even detect intruders as you would need to pay extra to get access to those log files.

Microsoft did not communicate which services were affected and which not. Any Microsoft cloud service was potentially compromised.

Most probably, the usual "any compromised system needs to be thrown away and re-created from scratch" will not be applied here. As a consequence, you can't trust any data from Microsoft services any more.

Security experts like Mike Kuketz think that most probably we need to consider all Microsoft systems that are using their cloud authentication including all Windows hosts are compromised.

According to this German source, Microsoft is still refusing to tell what happened and which systems are affected to what extent.

2023-08-18: German comment: Many similar comments like that underline that Microsoft disqualifies as a trustworthy partner.

2023-09-06: first public explanation by MS: Microsoft: Results of Major Technical Investigations for Storm-0558 Key Acquisition Press reactions: heise (German), fefe (German)


The timeline now includes this significant event:

> 2023-09-29: My Mastodon message about the latest news was posted on Hacker News and its discussion reached number one worldwide.

The circle is complete.


Besides, in some services not even MS has control over the data, see KV or MHSM.

In the very same link he posts: https://www.microsoft.com/en-us/security/blog/2023/07/14/ana... "Post-compromise activity

Our telemetry and investigations indicate that post-compromise activity was limited to email access and exfiltration for targeted users."

So it's not "all Microsoft".

It's the usual exaggerated headline, but this time it draws attention on a person's post on Mastodon.

This platform is really no different from Twitter.




if their keys to the kingdom leaking out and them not realising for 2 years aren't cause to say "Microsoft sux" then what would be?


You should be. HN buried Mastodon as a viable social media platform a year ago.


How did HN "bury" mastodon?


Mastodon is often really slow. The krebs link loaded after like two minutes with an error, then a soft refresh finally loaded it. That happens regularly with Mastodon links for me


there isn't a single Mastodon server. It's a web application (like Wordpress which frequently gets hugged to death when linked here).


Right, so instead of:

> HN buried Mastodon as a viable social media platform a year ago.

It should be:

> HN buries Mastodon as a viable social media platform every time an HN user posts a moderately popular link to Mastodon.

I want to love Mastodon but until they figure some stuff out they're never going to be a viable platform to (for instance) explain to all those who need to know how one of the largest cloud providers is deeply compromised.


Surprised I don't see M$FT. It's like slashdot in the early 2000s.

Edit: -4 downd00ts! Haha must have triggered a few oldies who never let go of their hate.


Don't forget that it was then Microsoft CEO Steve Ballmer who in 2001 compared Linux to cancer. If there is childish vitriol somewhere, it started neither on HN nor on /.


Oh I know, all companies change over time and both Billy and Ballmer have zero impact on the day to day operations at Microsoft.

The Microsoft today isn't the Microsoft of the 2000s.

Now I wish the same thing could be said about Google which is quickly becoming the Microsoft of the 2000s.


You keep saying that they're different, but to my old eyes you're just buying their marketing.

They still have horrible security. They are still product dumping. They're still ignoring user preferences and forcing their agenda (eg: Edge) They're worse than ever about user privacy.

I could go on. I don't like Google either, but your corporate loyalty is silly. Both can be and are terrible.


And in my eyes you're just a bitter old boomer stuck in his ways.

Security is no worse than what I see with osx. I don't use Linux because I have real work to do.

Edge is just chrome with a big blue E.

And every company product team ignores its users for monetary gain.

You really can't teach an old dog new tricks.


Top comment has "windoze" mentioned. It is pretty much slashdot from 2000s


Why do you think people hated Microsoft? Let's see if you actually know anything about their deep and wide business sociopathy.

One of the big reasons that monopolies are really bad is that they are also inevitably incompetent. The fact those two things go hand in hand makes the inherent corruption of monopoly / cartels doubly damaging.

....almost all markets are cartels at a minimum these days


I get that, but the Microsoft of today isn't the Microsoft of the 90s or even 2000s.

Now if we want to talk about Google...


M$


Winblows


Give it a few years and then on-prem hardware and simple server hosting will become fashionable again.


It's quite ironic, the recent centralization and cloudarisation of the Internet (& electronic devices).

When everything was local and private, the attacker could only access a specific device or network, even if the security was often very weak. Now a single attack on a centralized entity has such a big payoff that it makes it viable for attackers to allocate much bigger resources.


But the cloud is much safer. It's not like someone is going to hack the whole Microsoft cloud. Oh, hang on ...


Funny, as this was one of the winning arguments when we went to the cloud; couldn’t possibly be safer to host your own, right? RiGhT?


I feel like once google had enough of a stranglehold on email for gmail to start blocking independent email servers (for valid security purposes probably) it was basically game over. It became incredibly difficult for an individual to run their own communications platform, even when following best practices. Luckily there are solid paid services, but as you point out, those are still "the cloud."


In theory, the castle walls should protect everyone equally, but it assumes the king will invest in operations and maintenance, perpetually.

What we see, instead, is what happens to poorly democratized and incentivized systems.


This has largely held true for AWS and I think it's still a meaningful argument in a broader discussion when determining how you want to build your company infrastructure.


I do too, but we are talking about a major vendor here.


Key part is simple. For some apps I wondered why I had them in the "cloud" in the first place. And then I had to do something every month or two because I had to migrate to some stupid new version of an environment, do some DNS entries because the apps couldn't send mails anymore, configure the shitty IAM of the cloud provider I didn't need. Register my apps for some stupid database access.

Now I have apps where I need 15 minutes of maintenance a year, install and configuration takes 5 minutes.

Some cloud providers have amazing stuff, but I feel they all start to bloat and I don't have use cases that need whole clusters.


It's already started. I design systems in a european country and there are already municipal and state agencies requesting us to make more on-prem stuff. I also heard of various projects to create more European cloud services.


On-prem hardware may become fashionable but simple server hosting most likely not. If it ever becomes fashionable then most likely it will be some form of container (or Kata Container) orchestrator on top of on-premise hardware.

Also, even for software deployed on on-prem hardware, big orgs will still need single sign-on, which will still be open to these kinds of attacks.


I half hope so.. for the larger companies who can afford and will maintain their infrastructure security I absolutely agree. At the same time I do see the benefits of a managed system for the smaller, not so rich companies or businesses!

There is a best of both worlds in there and I think we've gotten where we are now because of cloud providers marketing themselves suitable for everyone.


These problems are specific to Microsoft though; outside of service outages and customer misconfiguration, AWS and GCP don't have a history of such incidents.


Was the Capital One breach not a result of gross internal malpractice on the part of Amazon? That allowed an Amazon employee to gain privileged access to CC data in Capital One's environment.


There are multiple analyses of that breach available. Pick one.

Here’s a starter:

https://dl.acm.org/doi/10.1145/3546068


No, it wasn't.


How much safer is that though? If someone steals Hetzner's credentials that control access to IPMI, how safe are we?


Doubt it. Data governance and access control is just getting to be a bigger deal with each passing year, and nobody wants to (pay enough to) self-manage that. Or to take personal responsibility for it.

Maybe “on prem” but largely managed by someone else, which is already a thing.


It's ironic that data governance and access control are getting to be a bigger deal every year exactly because everyone migrated off premises to the cloud. People lost control over their data when they migrated it to the cloud and now they try to take control back by imposing more and more policies.


Kinda, but a lot of it’s managing and auditing internal and external access, and maintaining data and source catalogs and crap like that, down to granular levels and across multiple levels of data-cleanup/polish/transformation and reporting. The machine learning/LLM push (biiiiig hype in companies) is making that even messier. The solutions that don’t involve a horrifying amount of DIY are heavily cloud-oriented.

[edit] to editorialize, I also think ~everyone is going to get this very wrong. I think doing this stuff such that you don’t grind productivity to a halt but also don’t have mile-wide vulnerabilities is goddamn near an Apollo Program level of difficult, and basically nobody is treating it that way (and a lot of them would probably sooner abandon their grand mass-data-total-control plans if they had to treat it that way—which is exactly what I think most of them should do, but execs just love the idea of perfect legibility of data and processes end to end on their phone or whatever, even if it’s in-fact just a money-wasting and risk-generating fantasy for most companies)


That's part of it, the other parts are the rise of ransomware (enabled by cryptocurrency?), geopolitical drama with Russia/China, and large commercial ML models appetite for data. I would say cloud is 3rd or 4th down the list.


because apparently we just like going in circles


Microsoft has fucked up forever, look at their share price…I hope you’re right but I doubt it.


Microsoft obviously cares about its stock but it also relies on long term contracts with large enterprise and government - those aren't rolling overnight, maybe not at all, but there will be immense pressure from these massive organizations to fix things.


What I think is one of the most likely futures: low-code or no-code will be the last resort for hosting stuff somewhere affordably, given how WordPress introduced a one-century subscription. With the complexity of systems there is no such thing as simple server hosting.


On-prem is very expensive compared to cloud.


It's actually often cheaper[1], assuming you need a relatively fixed amount of compute and have the capital for upfront costs. Cloud gives you a lot of flexibility, but at a premium, and trades CAPEX for OPEX which is very appealing if you're a startup and don't know if you'll be around in a year.

[1] https://www.researchgate.net/figure/Yearly-cost-difference-o...


Careful with blanket statements like these. Run a system with high sustained compute and data egress; even when accounting for engineer time (and people often neglect to account for time spent administering cloud infra), the cloud markup is huge. While it works for some companies, cloud is not universally cheaper.


This is the sentiment I share, and I think it's important to hammer home the point that it's the fault of the cloud providers marketing themselves as suitable for everyone. Because if they don't get as much money as possible then they don't see a purpose.


For on-prem or cloud, you need some engineers (either SRE or SysEng) to handle your hosting infrastructure. So, not much difference in cost there. Then, there is all of that compute. Currently, an AMD EPYC 7551 system can be put together for about $2.2K USD. That’s 64 threads, 256GB of RAM, redundant 2TB NVMe in RAID1, plus chassis, power and such. The equivalent amount of compute being available 24/7 is going to be extremely pricey over time.

My current employer handles things where internal service at the org are on-prem while customer facing services are cloud. Even the cloud stuff backs up to an on-prem storage system (though it also gets backed up to an off-site S3 provider).


I also held this view for a long time but what you are talking about is basically Amazon EC2. There are, what, 200-250 AWS services, however, and that's where things begin to become more interesting. Can you replace any of them with in house solutions? Certainly. But the costs of doing so might not be favorable.

You could operate an on premise bakery but most companies just order donuts.


At a decent sized shop, having a couple of people making fresh-baked breads, croissants etc. would be such a perk ... Order in donuts? No imagination.


On the contrary on-prem is vastly cheaper except for the smallest of loads.

https://techcrunch.com/2019/06/21/three-years-after-moving-o...


Not everyone is DropBox. IIRC GitLab also wanted to switch but after long planning they found out it would be worse.


True, but even a single server is a lot cheaper on Linode, and cheaper still on OVH, even the best quality colo and dedicated server providers, than on any cloud. On-prem is going to be cheaper than that. And internet connectivity ... is more expensive than it was in 1990, and generally pretty much free in colo or dedi services.


For upfront costs, it can be. But when you're running it's pretty smooth sailing.

Or is this the discussion of having a team of SysOps vs a team of Cloud Engineers?


Most software vendors switched to subscription model, so that’s not obvious anymore. Yeah and as you mention, good luck getting experts for all of your software and hardware components unless you are a big tech company.


And not guaranteed to solve problems like this. Because at the end of the day, the maintenance of a cloud infrastructure is irreducible complexity so you replace having a breach because a centralized controlling authority made a mistake with having a breach because your own hired staff made a mistake and you got infiltrated by either a lucky drive by or a persistent attacker against your organization.


It's not exactly a replacement. Your own hired staff can still mess things up in the cloud and leave a door open. The cloud doesn't magically apply all the best practices on its own. See all the people caught with open access to S3.


It really depends and it's not that clear when a single vcpu costs $30 and then you have the hidden egress fees.


This is actually wild.. I'm only reading about this properly now thanks to this article but how did this fly under the radar?

The company I work for just recently integrated all of our internal apps and services authentication through Azure.. That feels like it was a mistake now.. or am I just over paranoid??


I don't understand either how it got to keep such a low profile. Not long before this came out, there was an "incident" where everyone could alter specific Bing search results (and probably other services too), and as a consequence gain access to all data the browser shares with bing, and that includes the access keys to all the MS accounts of the user that happens to use Bing for that specific search. Impact unknown, because they didn't divulge that. Why? Your guess is as good as mine.


The postmortem about this was here on the front page few weeks ago. No conspiracy needed, just normal big tech malpractice


Do you have a link? There's been a lot of stories about Microsoft, Azure and security...



While the post is great, terrifying, and seems to contain only true and verifiable information, I’m not sure what we expect.

"Normal" people will not read this, nor be able to understand, nor gauge or grasp the impact. It’s become way too complex. We can’t simply stop using the mentioned services anymore as a society.

Wouldn’t it be more reasonable to teach:

1. You have no privacy, it is impossible to ensure or guarantee privacy, and there’s no incentive at all for anyone to ensure privacy. (Scott McNealy of Sun said that already in the late 1990s)

2. There is no security and every kind of security has been, was designed to, or will be compromised.

3. All your digital information is already public or will become public at some point. (btw: Every top-tier consultancy operates under that assumption)


> "Normal" people will not read this, nor be able to understand, nor gauge or grasp the impact.

Disagree. You don't need 10 years in IT to understand the meaning of: "M$ allowed customers to use their house-keys to open everyone's office safe, lied about it for 2 years, and still doesn't have a plan for fixing it".

McNealy was simply wrong, but despair is easier than fixing things, so a lot of people went with despair. The popularity of cloud and SaaS is the result. But this isn't a foretold destiny; just don't "trust" people you don't actually trust.


Nah, no one outside tech cares.


And not even that they shouldn't care. They just don't pay attention and don't care.


Those 3 points are only teaching despair. The more useful thing to teach is who we can blame, and how to reclaim actual privacy and security… even if it means using the dreaded regulation hammer.


None of which will change those three points practically.

For any bit of information, they may not apply, but if you assume they’re true you’ll:

1) not record information that is truly damaging in a damaging way (which is really good practice in general if you’ve got something to lose!)

2) have practical operational practices which do not rely on these being false - which is a really good idea if that actually matters (you have actual enemies somewhere).

3) you’ll focus on safety and building value in areas which are not mere information at rest, which is a good modern practice.

Osama Bin Laden already knew all this, which is why it took so long to find him. A decade or so. I guarantee you the CIA has been learning this with all their leaks. The FBI learned this this after COINTELPRO.

What is not written down can’t show up as a grainy photocopy in the New York Times, or a viral video from Wikileaks, or whatever.

What you’re talking about is a hammer to use to punish someone after a leak. But by then it’s far too late for anything actually valuable.

Necessary and important for ‘day to day’ stuff like bank account balances I guess, as long as you assume that they’ll be violated with little practical recourse if you have anything actually valuable in it.

Streisand effect, etc.


Regulation can absolutely improve the state of privacy over the status quo. Defeatism like this does nobody any favors.

As far as companies are concerned, personal information should be considered hazardous material, and avoided at all costs.


Government regulation is what created and propped up Solar Winds.

I have to believe it's possible, but I have never seen any reasonable proposal for government regulation of infosec. Even disclosure requirements become bullshit and only harm everyone faster than they can get published.


For day to day stuff sure.

But thinking it will actually protect you if you have an actual valuable secret is willful naïveté.

That isn’t defeatism, that’s a realistic appraisal of the situation.

If what you described was actually possible, we wouldn’t all be still able to browse all the top secret files leaked from Wikileaks for instance.


While it's true that the best way to keep a secret is to keep it off the internet, regulation could absolutely improve the prospects of keeping secrets by requiring encryption in every context, imposing heavy penalties on companies that fail to properly secure sensitive data (much heavier than what we currently see, up to the corporate death penalty), and enshrining in law the people's right to strong encryption.


The best way to keep a secret is to never write it down, period. Or tell anyone.

If you do have to write it down (for practical reasons), it’s best to assume it will be leaked eventually and write it down with that in mind.

Even better, is in your operational assumptions, assume it will then be leaked shortly afterwards and build in ways to work around that.

So for instance - key material should have easy ways to be revoked, rotated, etc.

Operational rules should be easy to update/push new versions, etc.

Authentication shouldn’t rely on parroting a well known value (SSN, a plaintext shared secret, a biometric, etc.), and should be easily changeable/rotatable.

Most of these we’ve been steadily baking into our day to day lives anyway.

What you’re talking about is necessary, but insufficient for anyone who has a secret they actually need to keep. At least in the modern world. None of those penalties are ever likely to actually occur either, because no one wants to pay them. And they know they will end up paying them at some point, because anything else is just not how the world works.

For classified top secret information all those rules apply in some form, yet we’ve had numerous high profile leaks of TS information for years. The intelligence apparatus has done everything they can to destroy said leakers, but with limited success - and those secrets are still out there.

And that is without financial incentive!

That’s all. Most folks won’t have those kinds of secrets thankfully! And when they do, they usually just don’t tell anyone.


WTF? I would only expect this view from an organization pushing for total transparency (like advertisement industry or national security) or from somebody brainwashed by them. There is no need for such despair yet.

All of the points are not true I think:

1. People can still have guaranteed privacy (e.g. going into the woods with no devices). As with many laws an incentive to ensure privacy of others could be punishment in case of failure.

2. There is no absolute security, but there is security against certain threat models.

3. Why would data I keep on a device that is not connected to any network ever get public?


>While the post is great, terrifying, and seems to contain only true and verifiable information, I’m not sure what we expect.

Well we expect people and corporations to fix a problem when confronted with it. That is what we expect.

> „Normal“ people will not read this, nor be able to understand, nor gauge or grasp the impact. It’s become way to complex. We can’t simply stop using mentioned services anymore as a society.

Have to give you a pass on "normal" people. I don't know any. I see no reason why we cannot go without the (by the way) unmentioned services or why we cannot change them to be more privacy conscious.

>Wouldn’t it be more reasonable to teach:

No it would be more reasonable to teach that privacy is vitally important to have a functioning society and economy. Anyone claiming different think they can exploit the information disparity between you and them to make money in the short term.

>1. You have no privacy, it is impossible to ensure or guarantee privacy, and there’s no incentive at all for anyone to ensure privacy. (Scott McNealy of Sun said that already in the late 1990s).

Well, I respect Scott, but this is not his great moment. Let's change this to be still completely true: You have no property, it is impossible to ensure or guarantee property and there's no incentive at all for anyone to ensure property. Well, we did find a way to actually ensure property. It is called the law (and a government to enforce it). Just an idea to use this tried and tested concept on privacy as well.

>2. There is no security and every kind of security has been, was designed to, or will be compromised.

First this has always been true. Every lock can be picked. Fortunately not everyone can pick a lock. That is the reason why most of us still lock the door.

>3. All your digital information is already public or will become public at some point. (btw: Every top-tier consultancy operates under that assumption)

You mean those top-tier consultancy firms mentioned in this book: "The Big Con" by Mazzucato and Collington, Penguin, 2023? I can see that they sell the assumption, but they are not operating by it. If that were true McKinsey for example would have known their advice to Purdue Pharma would become public and they would lose big on it.

In short, people who claim privacy is not important mean: _your privacy_ is not important, and they are overly confident they can keep ahead of the information disparity to keep themselves private. See how hard, ironically, Google is working to keep all their information private in a public antitrust trial.


This is abysmal advice (and potentially self-serving advice, if you work in the industry) to give. As ever, there are nuances; "only a Sith speaks in absolutes" and all that.

#1. You have no privacy ONLINE. Providers have perverse incentives to sell you out down the river. Therefore, you DEFEND yourself by keeping a shallow online presence. If you are a casual user, you keep as little information online, especially in social media, as possible. If you need an online presence, you ASSESS the risks and pay time and money to MITIGATE those risks. If you don't see a Return On Investment on those mitigation efforts, chances are you have been CONNED into thinking you need an online presence, but you probably DON'T.

#2. There is no ABSOLUTE security. All possible defense measures CAN be circumvented, but not necessarily WILL be circumvented. You ASSESS as many risks as you can imagine, and MITIGATE only those where you expect a positive ROI. The ones you don't mitigate, you ASSUME. The ones you cannot afford to assume, you DO NOT TAKE by refusing to use the system.

#2.a Corollary to #2. If you take ZERO risk management, you still have a BASELINE level of security based on the risk-reward analysis by the criminogenic/sociopath portion of the population; they will not attempt an invasion if they do not expect to get away with it, or to gain something out of it. The more cynical people in the know claim there's no security, the more this baseline approaches zero and the more vulnerable the general population is.

#2.b Even if you are not part of the general population, the lower the BASELINE, the more time and money you PERSONALLY have to invest in risk management to achieve a bearable level of safety. Cynicism is costing US time and money, pal; don't pee/shit on the village's wheel just because it looks edgy!!!

#3. All your CURRENT digital information is already public or will become public AT SOME POINT. You can do better and pick the technologies that will push that point FURTHER into the FUTURE. And for not yet digitalized information, you may make conscious decisions whether the convenience is worth the risk.


I think a new approach to privacy is likely around the corner. Why have one conversation with somebody when you can have as many as you want all at once?

There were already addons like that that created garbage traffic a while ago. Just wasn't practical without language networks.


I keep my secrets in a safe with an old school lock.

My elderly aunt keeps her secrets on a notepad in her desk. I suppose a spy or a housecleaner (if she had one) could know her secrets but it won't be "hacked".

The whole "you have no privacy or no security" is false and only impacts the terminally online.

Do what the intelligence agencies do. Stop letting other people store your secrets. Put them in a nice heavy locking box. Guard them with a firearm.


I think that would be a bit simplistic - a burglar who specifically wants your personal digital secrets could put a hidden camera on your ceiling, a bug between your PC and USB keyboard, or just hold you hostage for it! Having a safe is pretty useful, but is neither a guarantee of security nor strictly necessary.

Having a firearm only works as protection if (A) you are present and armed 24/7 to protect your safe, (B) you are actually willing to shoot and (C) capable of doing so better than your assailant.

In a business context, if the company is large enough, it might well be worth hiring day-and-night security guards and heavy steel safes. But for the average PC user, the security can be improved much more effectively with simple improvements like creating passwords with 'diceware' or using separate accounts for financial tasks.


Almost no data breaches are targeted at a single user.

The value of your personal info individually is $1? Maybe $4?

If you can hit someone who has 100k records, hey that's a solid payday.

But no thief is gonna go break into a safe, risk being shot by an angry homeowner, or kick off targeted attacks over.. $4. Even your flatscreen tv is worth more and is MUCH easier to steal.

Almost all adversaries don't care about a specific target. They want an easy target. A safe + upset well armed owner is not an easy target.


> Security experts like Mike Kuketz think that most probably we need to consider all Microsoft systems that are using their cloud authentication including all Windows hosts are compromised.

This is a giant claim.

It does seem theoretically possible that a stolen signing key could have been used as part of a bigger attack to access critical services like Windows Update or the Azure control plane, but it does feel like someone would have noticed that kind of systemic compromise.


And someone would have noticed illicit activity using a stolen key for 2 years...oh wait


The writeup by Microsoft is far more illustrative than the frankly confusing post and blog from the main article: https://www.microsoft.com/en-us/security/blog/2023/07/14/ana...

Also, unlike what (I think) is being claimed here, Microsoft did fix the issue after learning about it: https://msrc.microsoft.com/blog/2023/09/results-of-major-tec...


A lot later. The damage was done. Whoever had those keys could have had access to all MS accounts and services.

And those people had already hacked an engineer's account. Because the chances of stumbling upon this key when only hacking one engineering account are very low, it's reasonable to assume many MS engineering accounts had already been hacked.

Basically, your MS account is not safe.


> many MS engineering accounts had already been hacked

This isn't being focused on enough here. MS is set up in such a way that there are individual members of staff, with individual devices, that just need to be compromised for all their infrastructure to be compromised.

This fact alone means that it's near certainly presently compromised. States have the resources to place an engineer at MS, let alone compromise one of their devices.

This, critically, is not necessary. There is nothing technologically necessary about one person, or one device, having the keys to the kingdom. It's security malpractice.


Microsoft knows which accounts were targeted by the attacker. They say so in the first link: "Our telemetry and investigations indicate that post-compromise activity was limited to email access and exfiltration for targeted users." Therefore, no, it is hyperbole that this attack means any and all MS data is compromised.

The key that was compromised from one MS engineer was used in conjunction with a specific bug (crash dumps were including secret keys, accessible on a debug environment). This is not how the system is intended to work at all, and they implemented measures to fix it. So this is another hyperbole from the original post.


Via the State Department, they know which emails in Outlook for the State Dept were compromised by their access patterns.

That's the access patterns of a single application for a single user. They know absolutely nothing about what's happened to their infrastructure.


If you would read the first link, you would see that what you're claiming is unsubstantiated. They could track it to a great level of detail because they identified the threat vector and patched it quickly.


So here's a little brain teaser about what you have to do when dealing with potential nation-state actors. This scenario is for the folks who are calling "hyperbole" when the actor is clearly, potentially a nation-state. This scenario is based upon an event that actually occurred.

1. You have a $200 million piece of defense-critical equipment.

2. You know that there was a 5-minute period where a potential member of a foreign intelligence service was alone and unattended in the same room as this piece of equipment.

What do you do with the equipment? You can:

a) Put the equipment into service

b) Disassemble the equipment on both a hardware and software level and try to detect if anything was altered

c) Destroy the equipment

If you choose anything other than c) you have probably never been, nor should you ever be, in charge of securing critical assets that can be targeted by a nation-state. This incident seems to indicate that the leadership at Microsoft would choose a).

Also, bear in mind that these are the people that you just sent all your ChatGPT data to.


Hi, person here who said that this is hyperbole. I said that because it states unfounded things in an extremely confusing way that implies that they are facts. No question, this was a very bad breach and I hope to learn more about it as the investigation continues.

Anyways, I've worked at companies that are absolutely targeted by nation states.


We are not talking about a vulnerability in Azure's system here, we are talking about a vulnerability that was exploited. The worst has happened, somebody got in and grabbed that key.

The idea that an attacker went to this length to get the key and then did nothing with it is absurd.


No one is saying they did nothing with it. In fact, we know at least that they accessed a ton of emails of Gov't employees.


I read a good analogy recently:

The Titanic (cloud) is sinking, the engine room is already full of water, but the people in the ballroom (execs) are still celebrating with champagne, even though the warnings have been called multiple times.


How is that a good analogy when the cloud computing sector has been growing year on year? There's literally no evidence to support that analogy. It's not even remotely accurate.

I'm not saying cloud computing is the solution to every problem, and nor should it be, but calling it a sinking ship is simply absurd.

Frankly, I grow so tired of people thinking everything is a boolean choice. The real problem with the cloud is people who see things as binary statements: "cloud is cheaper", "cloud is more expensive", "self hosting is easier", "cloud is easier", "cloud is more secure", "on-prem is more secure", etc. All of those statements are true just as all of those statements are false. The reality is far more nuanced and it depends entirely on the constraints of your business at that point in time. Such as what engineers / skill sets do you have on your team? Capital to buy hardware, your physical location, the product you're trying to build... etc.

But the problem with nuanced arguments is they're subjective to the immediate problem you're trying to solve. So you cannot debate them with other people as those other people are trying to solve different problems with different teams and different tools. And thus we end up with people posting bullshit blanket statements like "the cloud is a sinking ship" or the linked article that boasts that the cloud is less secure.


Security researchers agree with OP and disagree vehemently with your assessment.

Cloud is centralizing. Centralizing, instead of distributing, is bad.

Centralization broadens and expands the attack surface and creates a honey pot for attackers.

This isn’t hyperbole nor is it alarmist. This is reality playing out before us in real time.


"Security researchers agree" is a very broad statement. I don't believe there is a consensus at all.

Fragmentation creates different problems than centralization, but it isn't a magical bullet either. Depending on your resources, you are far, far better off trusting even Microsoft than trying to come up with your own security implementation.


You are correct. There are those who warn, and those who ignore.

There is no consensus.

But, that's with every industry, every field, every platform.

Some warn, others ignore.

Wanna bet who's right?


I like how you open with "you are correct" then go on to completely ignore the GPs comments.

I've been doing this stuff for longer than a lot of people on here have been alive and the biggest risk is always your weakest link. The weakest link in most companies isn't the cloud, it's the engineers deploying to the cloud. That weak link exists regardless of whether those engineers deploy to a centralised place or on-prem.

Is there an additional risk having something centralised? Sure. But in the vast majority of use cases, that risk is going to be marginal (and for those types of businesses where it is an unacceptable risk, they are largely not using public clouds for exactly this reason).

And we are back to my point about these conversations being nuanced. A security team, if they do their job correctly, doesn't just make blanket statements like "centralised systems are insecure" -- instead they identify the risks and develop an IT strategy based around which risks a business is willing to accept and which are not.


Well, the supposition GP made was that Security Experts AGREE ON ANYTHING. Which is a patently false supposition.

Some warn, others ignore. Is true. It's true for every industry, every walk of life, in every country, on the entire planet.

Experts, though, when have they agreed on anything, in any field?

One must ascertain for themselves which authoritative sources can be relied upon. The experts that warn of centralization are authoritative and masters in their fields.

Centralization in any other area of life tends to be bad for citizens, so I ask you this: Why would centralization lead to MORE security, or MORE benefit to the users and citizens of the world?

I'll wait...


> Well, the supposition GP made was that Security Experts AGREE ON ANYTHING.

That’s not what they said

> Centralization in any other area of life tends to be bad for citizens, so I ask you this: Why would centralization lead to MORE security, or MORE benefit to the users and citizens of the world?

I had already addressed the point about centralisation and risk. This additional question you’re raising is, at best, a straw man argument.

If you go back and read, and I mean properly read, pause and think about the comments being made, you’d realise that we aren’t saying risk doesn’t exist. We are saying the reality of that risk depends on numerous factors specific to each business, project, and even team. Thus you cannot distil “the cloud” down to a single truism such as what you keep trying to do.


The broken clock is. - Coles law


Arguably much of this is caused by governments getting into the zero-day market / blackhat position, removing the incentives to fix stuff. IT security got degraded so far that it starts affecting the economy. There was a reason initial crypto control had exceptions for businesses.

Bloated security theater being profitable also doesn't help. One example is smartphones as TAN generators for online banking replacing TAN lists. While you can now charge customers per SMS, the second factor got quite a bit easier to attack.


> Arguably much of this is caused by governments getting into the zeroday market / blackhat position removing the incentives to fix stuff.

I don't see the argument here. CISA posts issues they find, are they intended to be comprehensive?


Unfortunately I don't see yours either. We have governments arguing against stronger encryption due to fears of going dark. Which means against having secure systems.

This is in addition to a lot of government agencies sitting on, and investing into, the knowledge about vulnerabilities. Some of the more public ones getting fixed doesn't change the overall vulnerability of the system. There is a clear incentive mismatch. One can't pretend that those vulnerabilities are "safe" due to only spooks knowing of them. If you can find them, so can others. Especially if you are actively exploiting them.

I would argue that this shows both an unwillingness to accept improvements in security as well as actively degrading the current state. And this is before talking about governments actively adding vulnerabilities, which is now even possible by law in some jurisdictions.


This is the cloud so you can't call it the Titanic; it's the Hindenburg.


This is clearly an overreaction. Cloud will be fine.


He defeats Sephiroth at the end of the game. Maybe he'll defeat Microsoft too.


Typical JRPG. Start with saving a cat, end with fighting Microsoft.


I read this recently, I found it chillingly similar to our current situation, a truly great read:

The Machine Stops by E.M. Forster

https://web.cs.ucdavis.edu/~rogaway/classes/188/materials/th...


It's pretty impressive that the most accurate depiction of how the future will play out was written before even computers were a thing. Perhaps also a bit sad in what that says about us.


drown in champagne or drown in filthy sea water?

for some, this sounds like a nonsensical choice. for others, a defining moment of leadership.


https://nationalpost.com/news/canada/charles-joughin-titanic...

>How a baker survived the Titanic sinking by getting really drunk

Bottoms up!


just coming back a few later to say thanks, you tha real mvp.


I think this is a pretty big leap to conclusions. Some guy on Mastodon doesn't know what Microsoft's security team knows about the breach.

It’s irresponsible to make broad claims like this, that everything in Microsoft’s cloud has to be replaced to mitigate the breach. That doesn’t pass the sniff test.

I get that Microsoft has a vested interest in mitigating the PR aspect of it, but I doubt they’ve just done nothing to correct the issue.


If you follow all the links you'll find out that the keys stolen gave the hackers (probably the Chinese state) access to all managed MS applications for all customers, and enabled faking having an organizational account for arbitrary MS customers.

This essentially makes all key western companies and public orgs hosted on Azure probable targets. It's highly unlikely that they only stole State Dept. emails when they had access to banks, financial orgs, etc.

Indeed, their very ability to steal emails from the US State Dept! makes it likely a breach at other less protected vital biz/orgs occurred.

The whole of the Azure cloud, and esp. the whole of managed MS apps at major institutions, was compromised for at least a year. This is apocalyptic.


Everyone on HN should know that this is not just one guy on Mastodon.

https://arstechnica.com/security/2023/08/microsoft-cloud-sec...


Microsoft, Apple, Oracle, Google are commercial companies, they want money and don't care about the people who use their software. If you want true freedom and honesty, use free software https://fsf.org


When I worked at Microsoft, I found a case internally where it appeared that a service was accepting expired certificates as a form of authentication for admin-level calls. I was fairly new, so I brought it to someone who had been at Microsoft for the better part of a decade. We didn't own the service in question, and he told me that, since it wasn't our service, I should just focus on continuing our work, and that it wasn't our responsibility to raise the security concern.

In the end, it turns out it was not accepting expired certs -- there was another auth method superseding the certs -- but the behaviour I saw in this case was not unusual to encounter.

Microsoft has many excellent engineers, even in security. But decades of culture rot take longer than a few years to fix, and a lot of old-timer Microsofties have this "not my problem" viewpoint that can lead to major security risks. No doubt, the way Microsoft has handled this year's layoffs -- staggered, leaving people in the lurch and in serious stress for months on end -- has wiped out much of the progress they've made under Satya.

tl;dr I'm not surprised by (a) Microsoft having breaches and (b) Microsoft not dealing with security issues in a timely manner.


Facebook had the same. First it was “nothing at facebook is somebody else’s problem”, but eventually it became “everything at Meta is somebody else’s problem”


Fascinating insight. This is not dissimilar from other megacorporations that become too bureaucratized over their lifetimes. When growing quickly, bureaucracy helps to organize people and hold a team accountable for their own mistakes. As time moves on, these different teams begin to act as independent entities who no longer successfully communicate or collaborate and the entire business becomes both fragile and ossified, hence that “not my problem” attitude.


Training has been discouraging this behavior for years


Why didn’t you go to ReportItNow like our training has been telling people to do for years?


Is there a news source detailing the incident this guy is referring to? Wasn’t clear from the linked blog post.


I wonder how this impacts Secure Boot since AFAIK, most people and I think some distros pay Microsoft to get a cert.

Me, I have never used it and hope I never will have to use it. Luckily on the hardware I have, it can be fully disabled.


Off-topic, but I was surprised to see that this was a Mastodon server created specifically for the people of Graz, Austria, a city I lived in for a semester in college and have very fond memories of. I like the idea of providing self-hosted services for their local region, and I wish them well. I'd consider joining myself if I wasn't so ashamed of my poor German skills...


Going through this article of the author https://karl-voit.at/cloud/ it seems to me that it is mainly Azure that has security issues. Google and especially AWS have no comparable incidents. If security were important for the cloud market, one would see now a movement away from Azure. But Microsoft's Office monopoly keeps everyone in the Azure cloud. The cloud market is broken and only huge antitrust cases against the cloud providers could fix that. But our government officials are all cowards nowadays.


Not so much Office monopoly, as Active Directory monopoly.


If the lesson the author is ultimately trying to convey is "You can't trust cloud infrastructure providers to protect your data, especially Microsoft," my answer is, "Okay. What can a company do when there is no choice?" The number of enterprise-grade applications that are cloud-only offerings is only increasing. Regardless of whether or not my company actually wants to own the risk of storing its data with a third party, the day is coming where they have to choose to accept the risk that comes with storing data in the cloud, or re-inventing someone else's wheel at great development and operational cost.


> "Okay. What can a company do when there is no choice?" The number of enterprise-grade applications that are cloud-only offerings is only increasing.

I'd be curious to know what kind of problems could be only solved through a cloud-only solution. It's an honest question; I'm not old enough to remember actually using mainframes, but in my days companies had their own IT staff, gear and storage. I understand that hiring an IT team of 3 could not be viable for a small 10-people startup, but I'm sure there are solutions in between before being forced to entirely surrender everything to someone else's data center.


Software security is a good example. Let's say you work for a large company, you have 50K repos in your git instance, and you have 10K developers on staff churning out all of that software from the mundane to the mission critical. You want to provide a means for your developers to be good citizens and get out in front of security vulnerabilities.

Building an in house solution to do this is extremely costly in every way imaginable, from the extreme expertise needed, to the ability to do it at a very large scale.

There are a number of vendors out there who provide great software to do things like scan source code, scan dependencies, or scan a live environment for vulnerabilities. The best of those vendors have cloud-only solutions.

You're stuck either accepting the risk that, at the very least, vulnerabilities about your software would be potentially exposed for the world to see, or installing an inferior product on-premise. That potential risk is even greater if your customers depend on you to store things like private and/or financial data.


Hum... We are still dealing with the last cloud-based security scanner that injected malware into every large IT related company, and still discovering what companies are completely hacked because of it but are hiding this.

So, color me unimpressed.


> Okay. What can a company do when there is no choice?

The company can recognize that "there is no choice" is not a valid option. There are many choices if the company actually cared to invest into choices. That requires learning and actually vetting your vendors though. That's hard work. Good luck getting people to do hard work.


I've been through multiple vendor vetting processes at my company, and there has always been a line drawn at whether or not the company's data is stored with the vendor in the cloud. My company is very cloud averse due to the nature of the business, and the kind of data they store. The vendor products that make that cut are usually not the best, and if they have a cloud offering, it's almost always superior to their on-premise offering. Every time I go through this process, it shifts even further in the direction of more + better cloud offerings, and fewer on-premise offerings.


You can implement security measures on top of what is provided by Microsoft. If you have encryption at rest and you hold the keys locally, for example, even this high-level leak would not expose you.

That said, good luck implementing and managing that in a large organization.


Large organizations are exactly what I'm thinking about.


So should we all go short MSFT? How would this not take them down? The only way I can think it wouldn't is if it's a responsible state actor.


Is this the reason why GitHub asked me two days ago to enable 2fa Authentication?

https://stackoverflow.com/questions/77186232/how-to-use-gith...


They have been asking this for longer than 2 days. I think I got pestered a couple of weeks ago.


Maybe this explains why Defender (Microsoft's AV) became so overly aggressive during the previous few months. They had a problem and acted in a semi-panic mode, forcing Defender to mark nearly everything as a "virus" when its Cloud Protection mode was turned on.


Uh, are you certain of that? When security alarms start going off, “darn, they broke the detector!” isn’t the only explanation.


I'm certain as I'm in the field. Another plausible explanation is a wider rollout of a ML-based tech which is not very discrete in its detections.


People fled from mainframes, now they are flocking to cloud...


Plus ça change, plus c’est la même chose.


People fled from mainframes to client server. Running a Windows Server with BackOffice in their IT department and having Windows clients. Now they are flocking to the cloud.

I remember when the Network Computer was going to put Microsoft out of business. It was Sun providing the NC and JavaOS, Netscape providing the Web Browser, and anyone who wanted to license the NC to make their own. The Internet was too slow then, as everything was stored on the Internet, which became the Cloud model. Microsoft bundled IE with Windows to destroy Netscape and made Dotnet to destroy Java.

This is embarrassing for Microsoft. All their cloud services have been hacked. Data has been leaked. Could lead to lawsuits.


I just remember the Microsoft 2FA flow was very janky. There would be a pointless prompt that would pop up every time, replete with a "don't ask again" checkbox. However, none of the options actually did anything; it was a pointless thing you had to click through every time. That corporate pastel-coloured jank. That inattention to small details to help out the user. Classic MS.


Unrelated, but this afternoon Microsoft decided I couldn’t use my laptop for 10 minutes for mandatory updates, which was a serious problem.

And now the search feature doesn’t work anymore.

If it wasn’t for the game support being important for work I’d happily leave and avoid every aspect of their ecosystem. What other reasons do people have for sticking with Microsoft apart from software compatibility?


Many people prefer the traditional Windows UX over the Apple and Linux offerings. I’m saying “traditional” because Microsoft has been trying hard at sabotaging it since Windows 8.

Regarding mandatory updates, try Reboot Blocker.



I wonder how this article about Cloudflare powering Microsoft Edge Secure Network fits in with this story.

https://blog.cloudflare.com/cloudflare-now-powering-microsof...



If you are running a consumer MS desktop of win 11 (which forces you to be logged in to their cloud), are you compromised? If so, what's the best way to act from this point on?


Microsoft should have done a clean room implementation of their cloud and used that to pivot their customers into more manageable technology for both parties.

That they've chosen to integrate it with all their legacy stack (which is one of the most complicated ones in existence) is understandable and what 99% of companies would have done but... it's a horrible experience using it. Maybe people with only Microsoft experience don't feel the pain anymore.


Your viewpoint isn’t without merit. I think it’s just a cost/benefit analysis issue though. Each platform has its own warts. For Microsoft, they built much of their business on backward compatibility, so breaking with that would be tough. As concerns the cloud, MS does partner with Canonical quite a bit, so it isn’t as if they are dogmatic in their tech stack. This issue seems more of a company one and not a technical one.


Having backwards compatibility is their defining feature and selling point, so no way any of that will happen.


He's absolutely right, you really can't trust anything they sign anymore. This is why Microsoft has been so defensive about their stance since it occurred. I've said the same since the news got out, but all my Microsoft-y friends I told didn't care. In fact, they all shrugged it off like "what are ya gonna do?"

That's exactly the problem - what ARE companies going to do? Migrate OFF windoze? Migrate out of Azure? To Linux?

Certainly not. Microsoft-y admins only know Microsoft; they usually can't do much else, it's all they know. They certainly won't bite the hand that feeds them. That means the organizations are stuck, which is exactly what Microsoft wanted all those years ago with a monopoly, and got it.

Customers too stuck in their own ways to do anything but be a slave to Microsoft and their constant insecurity deserve what they get sadly.


> be a slave to Microsoft

Ok. So are you suggesting that the most practicable alternative is to be a slave to [list of 100+ other vendors]? Going out of your way to defenestrate a trillion dollar technology vendor is a bit bananas to me. If you are trying to run a business, I think you are completely fucking yourself over with this sort of attitude.

How much business convenience are you willing to squander over these principles? And, are you truly upholding your principles on a consistent basis or is this a reductive "at least it's not Microsoft" line of thinking? Microsoft is a big place. Some parts good some parts bad. You may be leaving a lot of upside on the table by never considering them as an option.

We are a "Microsoft shop", but we still use other vendors when it makes sense. I don't trip over myself trying to get 100% off AWS over some ridiculous tribalism. Their domain registration and S3 object stores work really well for us so we continue to use them, even when it creates a bit of integration overhead (SCIM identity sync w/ AAD, etc).


From a security angle, every vendor you use will have a security incident at some point in time given enough time. The real question is how the incident is handled. My issue with the “Microsoft had a security incident obviously you should Migrate away” mentality is that this could be any one of your vendors and if your philosophy/strategy is to ditch your vendors whenever a security incident happens you’re not going to get very far. Anything else like ditching Microsoft but not vendor X or using this to justify no more MS is inconsistent logic.

Edit:

Adding a quote from the OP’s linked blog on the subject:

> There is this well cited argument that cloud companies like Google, Apple, Amazon, Facebook, and you-name-it are able to protect your personal data much better than you are able to. They have military grade security restrictions, better backup methods, and are able to do this much cheaper.

> While this argument being absolutely true, people seem to forget that giving away your data to any third party is the root of many problems in the first place. It is not relevant to whom you are giving your data to.

>Let me explain…

So OP is arguing that this is why you can’t trust anybody not just MS. That’s a stance too, and perhaps for an incredibly security sensitive product the correct one, but definitely an impractical one for probably 98% of software products.


This would sound like ChatGPT if I didn't know better...

All of your arguments are "made up" arguments, they contradict themselves or each other or assume some very unlikely situations, especially on behalf of what the post you replied to wanted to say, where it's clear it's not what it wanted to say.

Let's dive in!

> So are you suggesting that the most practicable alternative is to be a slave

Clearly, the post you replied to doesn't suggest that. (But you went on arguing as if it did).

> a trillion dollar technology vendor is a bit bananas to me.

Nobody's killing Microsoft. But even if they were, maybe that's the right thing? You make no arguments not to.

> If you are trying to run a business, I think you are completely fucking yourself over with this sort of attitude.

The company I work for runs on Linux. The company I worked for before this runs on Linux. The company I worked for before the last one also runs on Linux. And the one before those two -- yes, you guessed it, also runs on Linux. The operating system chosen to run a business was never a serious factor in terms of whether the company succeeded or failed. By and large, it's not important.

Are there specific technologies / products only available on Windows? -- You bet! What should be done about those? -- find a way asap to not make them exclusive to that platform. One of the most tragic situations in this respect is in medicine. Windows is ubiquitous in this field. To the point that I'd say that governments should step in and invest into the healthcare they control to change the situation. I.e. to do the complete opposite of what you are suggesting.

> Microsoft is a big place.

All under the same roof, with the same objectives and strategy, which are to screw you (the "Microsoft shop") in particular, but also, if possible, even those who managed to stay away from them. The problems Microsoft creates for the world aren't somehow local to one or two departments of the company. The company, no matter how big, is responsible for its policies.


You said it best yourself: The operating system chosen to run a business was never a serious factor in terms of whether the company succeeded or failed.

While I don’t think that statement is universally true, because for certain products the OS matters, generally, why would anybody migrate away from Windows just because of a security incident? Linux has had its fair share of RCEs and 0-day exploits. Are you saying Linux is intrinsically better?


The thing is: Windows and Office are insecure by default. Admins react by sprinkling anti-virus on top of it, but that doesn't help any.

It still enables users to open random mail attachments in Office or similar. And Office doesn't have any sandboxing or other mitigation in place; again, it's insecure by default. If you enable users to do stuff like this, you have no one to blame if you get owned.

Are the usual Linux distros better? Hell no! They have the same flawed security architecture as Windows, only without any motivated attackers (yet).

But there are actually secure alternatives: QubesOS and ChromeOS.

QubesOS is probably not that suitable for end-users; they can do too much wrong to thwart its security (using the "financial" qube to browse p0rn... etc.).

ChromeOS is a reasonably secure OS: its root filesystem is read-only with tamper-proof authentication, and the user's home directory is encrypted. Chrome runs with the usual privilege separation in multiple processes, each in its own tight sandbox. There is no way to autostart anything.

Even in the nuclear case of a 0-day RCE + chained sandbox breakout + privilege escalation to root, the threat cannot persist itself... you just reboot the device and are safe again.

And Google has lots of experience in security; they're one of the few who build their own browser, the most hostile environment. They are clearly thinking about security front and center and not as an afterthought (like Microsoft).


If those are your criteria, macOS is the better choice for businesses. Certainly not qubesos lol


> Are you saying Linux is intrinsically better?

Can we say that the market has spoken?

https://en.wikipedia.org/wiki/Usage_share_of_operating_syste...

I look forward to the day that Windows is mostly a UI over WSL and things like the registry become a distant memory.


The market is an illusion. Until recently I had no means to buy Linux, I was forced to buy Windows (and it is illegal here, but all you get for going to a trial is not even the price of a licence). Even today the options are very few.

The idea of a market works if it costs ~0 to enter a market, consumers have an infinite access to knowledge and infinite time to make a decision BUT make it in 1s when at the store, and also enough money so as to not be a problem. Basically, consumers have all the power and vendors have none.

Nothing is really a market, and operating systems definitely show it.


> The idea of a market works if it costs ~0 to enter a market, consumers have an infinite access to knowledge and infinite time to make a decision BUT make it in 1s when at the store, and also enough money so as to not be a problem. Basically, consumers have all the power and vendors have none.

I keep trying to communicate this whenever people are attempting to manifest an Invisible Hand to control bad behavior. More people need to be aware of this.

I like your succinct point. I wish there was something so short and understandable for an even fuller picture. Like including that for a market to price things in a way that works for societies, consumers need to choose long term over short term gains, and that the price needs to not make economic externalities of human rights or destroying the climate.


> Until recently I had no means to buy Linux, I was forced to buy Windows

Huh, why not?


Because no computer was sold with Linux in it. There wasn't even an offer, let alone a market.


You can just install it after the fact. Do you lack internet?


Are you seriously implying that everyone had hundreds of MB to spare, the knowledge, the material and the time to do it? I'm talking about the beginning of the century when the only connection was through 56k. I'm talking about being an underage kid who discovers computing through whatever exists in the store, and you think downloading an ISO is straightforward?


You said 'until recently' but you're describing a situation from the 90s.


It's still true today; machines with Linux can barely be found in stores. You can find them online, but that's not always easier for people who are not knowledgeable.


It's not true today at all lol. You talked about not having access to Linux and only having dial up speed - that's strictly a 90s problem.

You don't see them in stores because there is not enough demand for them, and because stores are dying anyway. Very easy to find them online to buy.


> only having dial up speed - that's strictly a 90s problem.

Dial up was widespread well into the early 2000s, and even then ADSL started to spread slowly.

> You don't see them in stores because there is not enough demand for them

There is no demand because, again, the market is a lie. One OS is forced to consumers, on the computers they buy in the stores, they use at school, they use at work. That's exactly what I'm saying.

> Very easy to find them online to buy.

Computer literacy of the population is not comparable to that of people on HN, so no, I wouldn't say buying a Linux computer online is as easy as buying any computer offline.


Bro you are really arguing for the sake of arguing now.

> Dial up was widespread well into the early 2000's, and even then ADSL started to spread slowly.

Cable became common in the early 2000s, and even if you couldn't get it at home you could go somewhere that had decent speed, certainly to download a 600mb ISO.

Not bothering to address the rest of your contrarian points.


> Can we say that the market has spoken?

Microsoft aggressively abused its monopoly position in order to make sure that Linux would never win in the desktop market, and then inertia took over, so no, we can't say that the market has said anything useful.


Yes. In every possible way, yes.


I didn't argue for moving to Linux. My argument is that we need redundancy. If one system has a huge failure like this one -- we shouldn't find ourselves being hostages of this system.

Similarly, I'm not against Microsoft products being used in hospitals. I'm for transparency of standards, rules used by hospitals to acquire and maintain software, public interfaces, reporting...

If such rules are created and Microsoft is playing by the rules -- then I have no problem with it, but having Microsoft decide what the rules are is a disaster.


You run your own mail?


Ha.

What do principles have to do with ANY of this? Microsoft promised a level of security and didn't deliver, and is now covering up, BADLY.

The only logical solution is to start looking elsewhere, even if you can't switch right now.

YOUR cope appears absolutely delusional.


> How much business convenience are you willing to squander over these principles

I haven't seen such a clear statement of this idea in a very long time[1].

The "principles" you are trading for convenience include control of your network.

[1] Last time was a talk by Bruce Schneier, a long time back. He famously declared if you give people a choice between security and dancing pigs, they'll take the pigs every time.


If only there were an alternative software development modality in which development is distributed, source available, and modification permitted to any party, with open review and analysis for vulnerabilities, and far less capacity for lock-in.

What you're arguing is essentially the Too Big to Fail proposition. The solution of which is to Not Let Things Get That Way.

<https://en.wikipedia.org/wiki/Too_big_to_fail>


> You may be leaving a lot of upside on the table by never considering them as an option.

Maybe, but you're also avoiding a whole lot of downside. I don't think it's unreasonable to avoid Microsoft products, either as a business or as a person.

Whether or not it makes business sense to depends on your business, of course, but there are plenty of successful businesses who avoid Microsoft.


Moving off Windows or Azure or whatever probably isn't adequate.

All architectures based on certificate authorities are fundamentally fragile in the same way. People look at me like my head is spinning when I suggest just adding ephemeral self-signed CA root certs to deployment pipelines (or, god forbid, use SSH keys, or even symmetric keys).

However, those approaches have a much, much smaller attack surface than HTTPS or standard X.509 SSH authentication, so I'll keep recommending it.

I think the reason for the pushback is that, in this space, attack surface is roughly proportional to monetization potential.


I’m not sure exactly what role in what sort of deployment pipeline you’re suggesting for ephemeral root certs here, and you may well have a solid handle on how to do this safely.

But one reason I might initially look at you with alarm if you suggest self-signing or symmetric keys as part of a solution in general is… while it might reduce the attack surface, attack surface is not the only thing to worry about. Another thing to consider is the ‘fuckup surface’ of a particular architecture.

And one problem that self managed key distribution strategies tend to run into is that they massively increase your fuckup surface. Losing the keys to everything can become a real danger.

I’m a big believer in building security systems that also reduce the blast radius of dumb errors (accidentally running rm -rf /* is harmless if you religiously run with least privilege).

Saying ‘I’m going to build my own trust root’ generally seems to me like it probably increases the blast radius.


> That's exactly the problem - what ARE companies going to do? Migrate OFF windoze? Migrate out of Azure? To Linux?

The short answer is...yes.

Of course it isn't easy. Of course it would take time. But it's certainly not impossible. It's certainly been done.

I'm not defending MS, but the idea that they're some sort of siren and companies can't help themselves... well, please get me a list of those companies so we can short the stocks if they're that incompetent.


Unfortunately even much of the open source world generates and distributes their official builds from Microsoft infrastructure. And even the distros themselves will get the source to do their own builds from the copies hosted on Microsoft infrastructure. So it's not a cure all if you suspect you can't trust GitHub.


It's not the first time that a company got compromised due to microsoft software. This time it was their cloud offering, the previous N times it was AD, Exchange, Outlook, WSUS (for delayed updates), ... And even if they'd move to something else they'd reach for solutions that also get their tentacles into everything because those solutions are convenient during those time windows where they're not exploited.


Wasn’t SolarWinds Microsoft software being compromised too?

When the US govt got hacked they actually did something about it government-wide. Started new security standards. For themselves and their vendors like M$


SolarWinds is the name of the company that was compromised, and as far as I can tell it was never owned by MS.


Right, but the question is whether SolarWinds was owned due to an MS vuln.

A quick scan of a summary of the SolarWinds story suggests that's not the case, but it's possible that the article I read glossed over too much.


> the question is whether SolarWinds was owned due to an MS vuln

No, but the other way around happened. It may be even this hack on the article, it's not very clear.

The SolarWinds thing is probably much larger than what we have been allowed to know. I do expect more of it to come out, for decades, because the victims just have no way to know they have a problem.


> deserve what they get sadly

This is incredibly insensitive and dismissive, and victim-blaming.


Hard disagree. This is professional negligence. How would you feel if your doctor only prescribed medicine from one single supplier?


If the single supplier supplied the correct medicine, and it works, why worry?


Evidently it was not the correct medicine.


More like one batch was deficient and was recalled as soon as the issue was discovered.


MS discovered this years ago. And they have refused any recall.

This is also not the first time they cover up some serious problem and refuse to fix it. In fact, that's a daily activity for them. This one is just a larger problem than usual because they are broken too, not only their clients (even though, that makes it only slightly larger).


If I am reading the linked material correctly: more like a nefarious actor was able to get into the production facility and is still in there to this day. With the same false keycard that originally granted them access.


Is it? Every large company has a well compensated CTO whose job it is to think through these sorts of hypotheticals. But “nobody gets fired for choosing Microsoft”, and so the monopoly continues…


"A sound banker, alas, is not one who foresees danger and avoids it, but one who, when he is ruined, is ruined in a conventional and orthodox way along with his fellows, so that no one can really blame him"


The worst part is that very poor diversification / groupthink is exactly what creates financial bubbles and financial crises. We seem to be reaching that uncomfortable too-big-to-fail scale in computing / cyber security.


> We seem to be reaching

We clearly reached it at the 90's. We have been waiting for the other shoe to drop since then.


Other shoe will not drop because the liability for mishandling customer/user data is minimal. I don't expect a scenario where Microsoft (of even Microsoft's cloud division) folds after this. Bear Stearns actually collapsed after their fuckups.



Some of my large enterprise clients require us to use Microsoft too, so that decision can radiate outward beyond large, conservative companies.


I joined Accenture in 2003 after over three years of onslaught of Windows e-mail Virus after Virus. They were actively transitioning away from Lotus Notes to Exchange/Outlook and migrated everyone a few months after I joined. Within weeks they were hit with Sobig, causing 100,000 employees to spend hours each dealing with it.

Several million dollars gone from one virus. But they forged ahead, entreating further with Microsoft.

Victims absolutely shouldn’t be blamed, however, you don’t buy a Pinto if you are concerned about being trapped in a fiery wreck, you don’t go to Skid Row after dark if you’re concerned about violent crime, and you don’t buy Microsoft if you’re concerned about security. These are all things we’ve known for decades.


Someone complains of getting mugged, you say something about how they brought it on themselves... victim blaming.

But if that someone hunts down the mugger, dances a jig in front of him, starts mocking, "oh come on, I have a thousand bucks cash on me, point the gun at me already"... well, telling them that they're doing it to themselves isn't victim blaming. It's objective truth, the only truth that matters.

They're doing it right now. As we speak. We're having this conversation watching them while they try to throw themselves in front of the gun. It's time to stop worrying about whether or not we're insensitive when we describe what's happening in front of our eyes.


Microsoft is slowly chipping away at on-prem Exchange and AD, forcing people into their Azure/O365 offerings little by little. They advertise their Cloud offerings as being more secure.


Little by little? It was a mass lemming Exodus that jump-started back in 2014.


If it is the case that it is going to be extremely risky to run on MS-supplied infrastructure (including Windows), we should see insurance premiums sky-rocket for companies and organisations using those platforms. Eventually, it will become cheaper to migrate off the MS platforms.

This is mixed with an ever increasing legislative push and higher fines for leaking PII.


This already seems to be happening overall, though I can't quite find vendor specific data.

e.g.: https://www.cnbc.com/2022/10/11/companies-are-finding-it-har...


And just recently SharePoint was found to accept alg: null JWT tokens (i.e. complete authentication bypass)
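The alg-null class of bug mentioned in this comment comes down to a verifier letting the token's own header choose the algorithm. As an added example (not code from this thread or from SharePoint), here is a minimal HS256 JWT verifier in Python that pins the allowed algorithm, refuses unsigned tokens, and enforces expiry; the key, token layout and claims are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example key; a real verifier would load this from a key store.
SECRET = b"constructed-example-hmac-key"

# Allow-list of algorithms this verifier honours. The header's "alg" field is
# attacker-controlled input, so anything not on the list, including "none" and
# "null", is rejected before any signature check is attempted.
ALLOWED_ALGS = {"HS256"}


class TokenRejected(Exception):
    """Raised for any token the verifier will not accept."""


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_token(payload: dict, key: bytes = SECRET, alg: str = "HS256") -> str:
    """Build a compact JWT. Used here only to construct test inputs: for any alg
    other than HS256 it emits an unsigned token with an empty signature part,
    which is what an "alg: none/null" token looks like on the wire."""
    header = {"alg": alg, "typ": "JWT"}
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    if alg != "HS256":
        return f"{h}.{p}."
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Return the claims of a valid token or raise TokenRejected."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    h_b64, p_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64 and bad JSON
        raise TokenRejected("bad encoding")
    alg = header.get("alg") if isinstance(header, dict) else None
    # 1. Algorithm must be on the allow-list. A JSON null, the string "none",
    #    the string "null", or a case variant such as "hs256" all fail here.
    if not isinstance(alg, str) or alg not in ALLOWED_ALGS:
        raise TokenRejected(f"algorithm not allowed: {alg!r}")
    # 2. An empty signature is never acceptable, even with an allowed alg.
    if not sig:
        raise TokenRejected("missing signature")
    # 3. Recompute the MAC with the verifier's own key and compare in
    #    constant time so the check does not leak timing information.
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    # 4. Require and enforce expiry so an accepted token has a bounded lifetime.
    now = time.time() if now is None else now
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenRejected("token expired or has no exp claim")
    return claims


def is_accepted(token: str, now: float) -> bool:
    """Convenience wrapper returning True/False instead of raising."""
    try:
        verify_token(token, now=now)
        return True
    except TokenRejected:
        return False
```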


You also have things like mimikatz (which is only a thing because Windows just stores users' passwords in plaintext in lsass memory), pathetically weak hashes, pass the hash, etc.

Catastrophically-bad-by-design authentication is a Microsoft staple.


Do you have a link to a cve or vuln report? I’d like to read more



> own ways to do anything but be a slave to Microsoft

I guarantee 99/100 humans on this forum either currently host with AWS/GCP/Azure or have worked at a shop that does. And I bet an outsized portion of those AWS/GCP shops also host on Azure for Azure AD.

There is no one that is ready for a de-Microsofted world. Even Linux distros have been increasing their support for integrating into the MS ecosystem and forsaking alternatives because of how prevalent AD is. Even the most prominent alternative, FreeIPA, is designed to complement an AD installation, not replace it. The best supported directory/central login server on Linux is AD.


My entire adult life and career has been MS free. It’s not that rare.


MS is still probably somewhere in the supply chain of software you use.

They have contributed to the Linux Kernel, they own GitHub and NPM, they make an extremely popular editor, among other things.

It’s a different set of risks than depending on them directly, but they’re still there.


Contributing to something and owning it are wildly different levels of control. The rest of it is reasonable, but Linux doesn't belong in your list.


Fair point.


It's not that rare for developers and sys admins. It's pretty rare outside of that, particularly if you're on a corporate-managed system. Wander down to HR or finance or legal and see how many *nix systems you see.


I think ours have Macs


Your whole office? Like sure whatever, I don't use Windows but that doesn't count. The IT directory server is Azure AD and is the SSO for everything non-dev related Slack/JIRA/the office VPN.


I did work at Google for 15 years and Sun before that


I wanted to believe the same, until I thought about the Tax Office and, basically, the entirety of my government, who happen to not be USA but is definitely a Microsoft place.


What's wrong with OpenLDAP? I mean, apart from being a pita, I thought it was the widely used central auth directory (behind all sorts of SSO frontends).


I maintain a small OpenLDAP directory for our company and I think it's great. The main problems revolve around being somewhat old-fashioned and not intuitive for modern tech workers. I'm the only one in my org that really knows anything about it. Management software for OpenLDAP definitely has room for improvement, and documentation could be improved as well. It works great though! Super fast and flexible.


Yes indeed! When I said it's a pita, I mostly meant that LDAP is a pita (needlessly complex spec with a complicated query language and the whole schema extension zoo). OpenLDAP is pretty fine as far as it can be.

Personally I'm using lldap, which is a neat no-footgun LDAP daemon for small/personal deployments.


The concept of Microsoft-y admins supposedly being unable to work with other tools is insane. There is not much in common between, let's say, Windows and MS365. Even within MS365 the integration between various tools is often not seamless, and when you start using PowerShell admin common there are completely random differences in the way you log in, plus where some features are implemented is also completely random (e.g. tons of non-email things in Exchange, at least accessed through the Exchange PS connector).

If an admin is able to navigate in all that shit, I don't know why they would not understand e.g. random unix tools.


> Certainly not, Microsoft-y admin only know Microsoft, they usually can't do much else, it's all they know.

I am a Linux sysadmin. Honest question: would I have an edge on a Microsoft-y admin, or are Linux sysadmin skillsets limited to Linux? I can find my way around a lot of network appliances (Sophos, Cisco, Juniper, etc.) and I'd expect a Windows system to be as capable.


For my smaller clients, I have been migrating them to Synology Directory Services (LDAP/DNS/SAMBA)... I import AD, switch the DNS on the workstations, good to go.

Test it out, if curious - Pretty straight-forward. And a heck of a lot more economical.


Blatant case of Microsoft derangement syndrome.

Hard to take your comments seriously with such obvious disdain against the company and ridiculous victim blaming.


Can you instead address the OP’s concerns rather than calling names?


This is exactly the same attitude people got to Web3. So many scam tokens and rugpulls, they’re like “what are you gonna do? it’s the wild west.” Worse than that, when Celsius, FTX and other centralized companies imploded due to unsustainable and negligent practices many people were led to conflate that with Web3 blockchain smart contracts ecosystem.

The ironic part is that Bitcoin and Ethereum, altcoins like Filecoin and the entire space of decentralized protocols (EVM, the coming-soon FVM, etc) was designed to eliminate centralized middlemen, including banking cartels, Amazon (which is being sued for monopolistic practices) and the soon-to-come CBDCs etc. In fact, all the responsible protocols (IPFS, UniSwap on Ethereum, Aave marketplace etc etc.) kept humming along regardless of bull and bear markets. It’s just distributed code!

But middlemen were able to convince the public that their centralized companies “ARE web3” and then overpromised yields and other crap. And now the public conflates that with all decentralized protocols that carry value — that’s why we can’t have nice things.

And a bunch of fly-by-night teams cloned contracts delivering no utility at all and some even put backdoors in them. Like PHP “give me the spaghetti codes” crowd and Javascript script kiddies and HTML personal sites with <blink> tags script kiddies… but with some money invested.

Cryptographers were right to protest the word “crypto” being associated with this.


You are spot on with this; you don't need distributed systems and cryptography to run a fraudulent bank! Indeed, much of the 'trust' that comes with traditional financial institutions comes not from an inherent advantage in competence compared to cryptocurrency developers, but the fact that most national governments will bail out bank failures and reimburse vast sums of their citizens' losses.

If cryptocurrency-based financial instruments were regulated and protected to the same degree as traditional companies - but with the relevant technical competence to match! - I'm sure 'pay with ETH' and the like would be as common as PayPal and VISA.


Another reason I am in love with LLMs. You don’t need to know the software like the back of your hand - a new environment is like a new programming language, as long as you’re able to ask the right questions new environments will be far more accessible. Experienced admins should know the requirements, and not be limited to the tools.

Migrating will be relatively cheap. No wonder they’re hobbling the tools (/tinfoil), they see the threat.


I'm not so convinced an LLM remixing all the tutorial blogs it's ingested is a meaningful quality step above those tutorial blogs themselves.

Earlier this year we had a Linux task that was above the normal complexity my team deals with. So a few people threw it at ChatGPT and were amazed at how good the results were. In reality, it was full of outright factual inaccuracies and non-breaking bad decisions. But their skill ceiling prevented them from seeing how bad the output was.

I didn't want to be a wet blanket, so I let them have their fun and quietly guided the jr working on the resolution through an appropriate implementation.


You should point out to all of them now what the consequences would have been of blindly following the LLM. It's an important lesson they can and should learn from.


Nah dog, I'm good. I'm not young, eager and naive anymore. "Growing the team's skills" and "working towards company goals" are siren calls. I know how to swim in my own lane.


My experience with LLMs is that they distill just the group think from the internet, and remove all rational thought.

I doubt they'll be much help doing anything that is better than whatever standard practice was 6-12 months ago.

If anything, I'd expect them to cement in incumbents and bad practices, since fewer people will be reading documentation and thinking critically about how to do better.


We all ought to be using Qubes OS! We, as the Hacker News community, ought to be more concerned about making it easier to use reasonably secure systems. How do I buy a computer that runs Qubes?

https://www.qubes-os.org/ https://www.qubes-os.org/doc/system-requirements/


As someone who runs Qubes on one of my laptops (the travel one) I can assure you that your long battery life days are over.


Yes, the shortened battery life is quite noticeable.


How would Qubes help here? Separately, Qubes runs fine on a Framework laptop.


Or get a Chromebook. Say what you want about Google, but it's one of the few who really care about security.


why?



