Microsoft slammed for lax security that led to China's cyber-raid on Exchange Online A review of the June 2023 attack on Microsoft's Exchange Online hosted email service – which saw accounts used by senior US officials compromised by a China-linked group called "Storm-0558" – has found that the incident would have been preventable save for Microsoft's lax infosec culture and sub-par cloud security precautions …
The big question is can CISA actually do anything to change Microsoft's behavior? Or is this just a case of saying "Microsoft sux" like everybody has been doing for years?
It's like at work they say "don't say anything proprietary on Teams 'cuz it's cloud and Microsoft" and so it's like "then WTF good is it? discussing business & collaborating on products is what it's FOR!! why the hell are we paying money for this?"
Well, it's a public naming and shaming, which helps a tiny bit. Our voices and opinions here (largely a shared view that Microsoft are shit at security*) clearly don't carry weight. And whilst I'll wager the balance of our opinion is that Microsoft are not going to pause adding new features nobody asked for, or their pel mel rush for cloudy-webby-shite, at least CISA's recommendations can be used as a stick to beat the company when their next screw up happens - and in particular it's the sort of thing that lawyers will be able to throw at juries.
* Unless anybody wishes to claim otherwise - without the cloak of anonymity
But they had those quite cool testing sessions (I don't know the name but can be seen on the training for Windows 95 that is archived on YouTube and archive.org) where users would come into an office, sit at a computer and do what was asked BUT they'd talk as they were doing it. If they were looking for an icon but couldn't find it etc, so they could use that it making an application better.
Sigh.
The changes wrought by Trustworthy Computing were considerable. Microsoft developed an in-house team of software security experts — people such as Howard and LeBlanc — and gave them the authority to establish and enforce security policies and practices. Most feature development was largely paused for a time while developers were educated, tooling was developed or acquired, development procedures were updated, bugs were fixed, and security features were implemented. The result was a huge improvement in security, despite internal (developers, product managers, sales and marketing) and external (whinging users) resistance.
Of course, they were starting from terribly far back, with an enormous code base (much of it ancient and awful) and a huge attack surface, not to mention the legacy of terrible design failures. And attackers got better, quickly.
And now, of course, after a couple of decades, we see that (thanks in no small part to the leadership of SatNad) they've regressed badly. This time it's not the CEO writing the memo, it's an outside agency, because the exec team are no longer interested in actually critiquing their own firm. It's sad to reflect that in some ways Bill Gates was by far the best leader Microsoft ever had.
But pretending that nothing ever changed at Microsoft is historically naive, and, worse, implicitly endorses the idea that nothing can ever change. It's cynical passivity, and it's one of the great failings of the software industry, an excuse not to try to make anything better.
Ah, no they aren't. They might be protected by contract, or by size of legal team, or most likely of all, the total absence of cojones on the customer side.
The gummint should take a leaf out of El Musko's book, and assert that they were negligent and failed to deliver the contracted service, and refuse to pay. Make MS fight it out in court, and take the publicity and reputational damage if they want to do so.
The underlying problem is supine customers, who are too lazy and fearful to enforce competitive performance, and who think that they actually save money by being all in on one supplier/sw/tech instead of having a plan B ready for a warm start.
I don't know how many times I heard "We have no choice" "They have us over a barrel" etc etc over the years from people who were too lazy to make a change and ride it to make sure it worked.
Cyberinsecurity: the cost of monopoly
• Without change, Microsoftʹs history predicts its future.
• We must take conscious steps to counter the security threat of Microsoft’s monopoly dominance of computing.
• Unless Microsoftʹs applications and interfaces are available on non-Microsoft platforms it will be impossible to defeat user lock-in.
• Governments by their own example must ensure that nothing they deem important is dependent on a monoculture of IT platforms; the further up the tree you get the more this dictum must be observed.
• Competition policy is tangled with security policy from this point on.
This post has been deleted by its author
This post has been deleted by its author
This post has been deleted by its author
From the CSRB report (page 6) "Cloud service providers (CSPs) do not always register and publicly disclose common vulnerabilities and exposures (CVEs) in their cloud infrastructure when mitigating those vulnerabilities does not require customer action.82 This lack of disclosure, which is counter to accepted norms for cybersecurity more generally, makes it difficult for CSP customers to understand the risks posed by their reliance on potentially vulnerable cloud infrastructure."
'Customer flying blind' seems to be becoming the universal vendor approach as systems get ever more complex and thus more vulnerable.
When the early Microsoft products were being released worldwide there was a discussion in the background that Microsoft had been given a number of NSA workers, creating access. But this was America just acting normally and quietly back then, so there's absolutely no evidence that the NSA has ever done any hacking, just quite a lot of discussions that the NSA created hacking back in the old days.
Nowadays so many countries are complaining about hacking but since no countries ever start to work to make hacking impossible, I suspect that the ability to perform hacking is normal virtually everywhere. And we're told that the latest update to everything will prevent hacking ... but then there's another update later that we're told will prevent hacking but that will get updated again in a while ... so it only prevented a "hack" ... not hacking.
Reading this, and after last weekends XZ problem in Linux, I think everyone needs to take step back, and pause. Before we introduce "new shiny things" in the code (any code), security needs to come first and last. Most of the "features" spouted are generally not really wanted. There is always some nefarious miscreant looking for a way to exploit a system.
Watching a video on the XZ problem, that was sadly a product of the open source community. Again, I enjoy open source and the movement is great and so is the community. But with this package, apparently the developer was just burnt out. Loads of people were apparently using the package but, as always, it was a thankless task that I believe he never made money from it. You can always have a donate button up, everyone will say how great your app is but never get any money for it. So he got exploited by an arse that took over his package but using guilt trips and exploiting the guys mental health.
The Open Source community (which I love) is based on fundamentally Communist ideals - everyone works for the good of everyone, and if literally everyone did that then there would be little need for money and everybody would be happy.
But then it only takes someone to come along and say "Ooo, free stuff, people working for free, I can exploit that to my own end." to disrupt the whole ideal. Basically this is why there are so few good open-source Android/iOS apps for example, because the Android/iOS systems are so heavily monetised that as soon as anyone releases a good open source app, someone is immediately coming along to clone it and release it as their own paid and/or data-slurping app.
Microsoft is the mother of all open-source exploiters, buying GitHub and using it to build a code-plagiarising bullshit machine, stealing every commit and comment any open source dev has ever made, and using them to both put future programmers out of work and simultaneously pollute the entire ecosystem with autogenerated shite, because managers who want a quick buck would rather use autogenerated shite full of security holes but which "seems to work", than pay actual engineers to do stuff properly.
But a secondary effect of that is that the entire open source community is demoralised, anything we contribute is going to be appropriated by some dickheads who want to make money and then blame us when it all goes wrong..
Frankly I hope that when WWIII kicks off, the ultra-wideband fibres will all be chopped and we all have to go back to 56k dialup speeds. Messageboards like The Register will work perfectly fine, but "social" media, data-slurping, AI, ransomware etc would become that much harder again...
So they keep saying. Bullshit.
Anyway.
"That state of affairs, the report notes, suggests Microsoft has forgotten the lessons imparted by its founding CEO Bill Gates in his 2002 companywide memo on Trustworthy Computing. In that memo he told developers "When we face a choice between adding features and resolving security issues, we need to choose security. If we discover a risk that a feature could compromise someone's privacy, that problem gets solved first.""
Yep. And now SatNav is involved its all gone out the window. More reason I dislike Office 365 because we deploy it, everyone uses Outlook and you do the odd training guide, then a week or so later they fucking move everything because of "new features" that no one fucking asked for. We want to go back to the good old days of installing an ISO and that's it. It stays the same for years until WE decide we want the "new features". It would be fine with Office 365 if they gave you the option to turn off all the new features when a patch is pushed, but they don't. Such as clicking on links in Outlook to find they now open in Edge with the e-mail to the right? What the fuck? When did that happen. So now I have to change it on every machine I build to not open in Edge until I can find the time to look to see if there is a group policy.
About "other providers are better" who's that then? Google are notorious with their shitty sessions tokens. You'll sign in and then close the browser. Someone has stolen your session host and signs in from across the country 5mins later. Google doesn't ask you to sign in to make sure you are you, considering you've just travelled 100s of miles in 5mins, no it just lets you in with the stolen session.
Then we have GAM (which, granted, may have changed). When I had to manager GSuite as it was then, we had to use GAM for Google drive management as there is no other GUI tool. When you create your GAM token for your admin account you stick all in a folder on your laptop and you're good to go, managing to Google Drive from the commandline. Giving people permissions to other docs when someone is off sick etc. Along comes a rogue engineer who copies your GAM folder and that's it, you're fucked. That user can now use your GAM login to do all the admin with no password prompty or check.
0.) Stop using Outlook and Exchange. They cannot even secure it when they run it themselves.
1.) Linux Email Server, On Premise in a DMZ
2.) DeltaChat Messenger, doing GNUpg End2End encryption via 1.
https://delta.chat/de/
3.) Contract with actually competent Linux Administrators to perform any change and maintenance. The local LUG can give you leads for this. Hourly rates from 80 to 300 USD, depending on location. Less than you pay for a lawyer.
https://en.wikipedia.org/wiki/Linux_user_group
Oh sure, yeah, 'all you have to do is find actual, real competent people, change your entire email architecture and then hope the software you rely on is secure, has no zero days and hasn't been infiltrated by various state actors at a source code level.
Sounds really simple, don't know why nobody thought of it before you mentioned it.
across the cloud infrastructure and product suite until substantial security improvements have been made to preclude competition for resources;"
Like that's ever going to happen.
The head of what was Novell said something like "MS's goal is to turn over the user base every 22 months".
IOW force them to buy some new software/hardware/training every 22 months (or less).
How do you do that?
Simple. 1)Have an effective desktop monopoly due to divided competition (which you encourage by funding FUD lawsuits against them) 2)Force unnecessary changes on the UI 3)Constantly find more processing intensive tasks (that the user is unaware of or can't shut down) for the OS to run, forcing a hardware upgrade.
MS has no friends in the SW business, just companies it has a)Not destroyed as competition b)Not taken over (such as the original developers of Visual Basic).
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
