
"Here's an email with the new master password..."
The US government's Cybersecurity and Infrastructure Security Agency (CISA) warns that Russian spies who gained access to Microsoft's email system were able to steal sensitive data, including authentication details and that immediate remedial action is required by affected agencies. In an Emergency Directive dated April 2 but …
While this in no way excuses Microsoft for what was a series of really quite shameful blunders, no one who understands security should "expect [anything] to be SECURE". Security is not an absolute; there is no such thing as a "secure system" in an absolute sense. Security is relative and represents the degree to which a system resists each of the attacks available under a given threat model.
And it's not possible to have a universal threat model, even with complete information, which you never have.
Any time you think "X is secure", you're already in error.
“The US Cybersecurity and Infrastructure Security Agency (CISA) warns that Russian spies .. were able to steal sensitive data”
Very careless of the FBS, allowing the hack to be traced back to an IP address registered to Yauzskaya St /s
Was it wise running federal agencies on the one centralized email system? As when one gets compromised, they all get compromised.
Was it wise running federal agencies on the one centralized email system? As when one gets compromised, they all get compromised.
But MS is all about sharing. Federate, share your work easily. Throw everything into the cloud. Trust in MS!
Affected federal agencies must comb through mails, reset API keys and passwords
Oops. I've reset the API keys and am now mailing the new ones to all users. Hopefully proper government still has cryptocustodians who get to fly around the world hand-delivering stuff that can't be trusted to be sent electronically. Or if it is, it's with multiple layers of encryption.
Both good points.
Microsoft is "all about sharing" because it improves vendor lock-in. Users have a choice between low-friction sharing of information, between users and between applications, or assembling their own portfolio of preferred applications and imposing fine-grained control on access to information. The former choice inculcates laziness, carelessness, and complex and undocumented ad hoc workflows, so it's what users will gravitate toward. Then it becomes difficult to get them out of it.
The "application suite" concept was a trap, as was the IDE and other forms of software integration. Many have noted this over the years, of course.
Why would they need a plugin, much less a custom-developed one? Even Outlook/Exchange support S/MIME, and there are inexpensive commercial plugins if you'd rather have PHP.
The Feds don't use encrypted email for the same reason the vast majority of other organizations don't: It's a bit of a hassle, for IT and for users, and any extra work is too much extra work.
It's not clear how much of a mitigation email encryption would have been in the case of this breach, as we keep hearing that Cozy Bear had more access than originally claimed. They had access to Microsoft source code and various internal systems, so it's possible they could have mounted a supply-chain attack that gave them email contents before sending or after being decrypted by the recipient.
I have been asking since 1995, "Why are they still using Microsoft anything?"
Why is any pro-democracy go vermins still using anything which is sold by Microsoft?
Oh, UK go vermins has signed a new contract with Cosy Bear to try to get our data back outta da Microsoft cloud...