Microsoft bigwig says the Feds catching Chinese spies in Exchange Online is the cloud working as intended Lawmakers on Thursday grilled Microsoft president Brad Smith about the Windows giant's businesses dealing in China — and the super-corp's repeated security failings — at a time when Beijing-backed spies are accused of breaking into Microsoft-hosted email accounts of American government officials. A US House committee hearing …
Microsoft values capturing customers far more than caring about security.
https://www.propublica.org/article/microsoft-solarwinds-golden-saml-data-breach-russian-hackers
They are now just the typical company saying "Your security is our top priority" while actively (and I mean actively) not trying to secure your data.
The US and any other country should be ashamed of themselves for falling for these sales spiels. I'm sure there are lots of multi-$$$ kickbacks involved.
"I'm sure there are lots of multi-$$$ kickbacks involved."
Now now the preferred term in campaign contributions, it solved the anti-trust case rather nicely and has been going swimmingly ever since. I used to be shocked at how cheap it is to buy government influence but not anymore.
"That's just crazy commie talk! Jail time for the titans of corrupt capitalism? CRAZY TALK!”
Oh no come on, yes that’s CRAZY TALK, so how about they find a lowly Sysadmin or an intern who, alas didn’t keep offline copies of the instructions they were given or warning they sent to higher-ups, and blame them!
THEY can go to jail, justice is seen to be done. Big thumbs up for the US judicial system.
Rinse and repeat.....
Microsoft leaked the key data.
No, they didn't.
It was stolen by an intruder into their network.
Microsoft had the key unencrypted in memory and it was then saved to a crash dump when something crashed. Someone got into their network and found that file.
Microsoft set it up so that a single leaked key compromised a stupendous number of accounts, including sensitive US government accounts. Wow. The arrogance.
That's not arrogance, that's stupidity and incompetence.
This post has been deleted by its author
I've upvoted you Pascal, tho is Marge the Bounty Hunter really adept at bullshit? Perhaps the down votes are from people that don't think she's adept at bullshitting. She is definitely batshit crazy with her conspiracy theories and may walk back some of the madder ones when she realizes they are totally crazy.
I did see her say that some of the QAnon conspiracy things she'd see on the internet were wrong - https://www.snopes.com/fact-check/marjorie-taylor-greene-qanon-internet-quote/
So even she had to admit a some of the things she'd read and ran with were batshit. Absolutely no excuse for it if she had any sort of intelligence - which she obviously doesn't.
"... [MTG] ... is definitely batshit crazy ..."
After reading a little about Mrs. Greene I conclude that you're right, but also that the voters must be just as crazy to vote for her.
I'm now of the opinion that before anyone can vote, they ought to pass an examination.
To be fair, I suspect many, perhaps most, of those who voted for MTG don't care whether she's rational. They care that she's a loudmouthed asshole who annoys their political opponents. That's what such voters are looking for. As far as they're concerned, the House is a schoolyard and they want to have the most bullies.
No, just no. Moscow marge has an agenda, probably set for her by her alledgedly putin-aligned capaign guy. I forget whether it was campaign advisor or manager but something at influence level.
The plot is derail governments and to step up the action since we started defending ukraine. The number of government leaders affected, exposed, attacked and I suspect even Abe was a victim (exposed to yakuza by kremlin agents) shows just how complacent and innocent we are in comparison to what is being waged around us.
In terms of security I hope we're stepping up and beginning to take our jobs seriously. In fact whatever we're doing we need to wake up imho.
There's an element of truth in what Microsoft say: It's not for them to say whether person A logging into Office 365 with valid credentials is allowed to see the data: That's your job as the tenancy. administrator.
The problem with that line is in this case, the ne'er-do-wells bypassed the normal authentication methods to gain access to Office 365 so MS are most definitely on the hook here.
We forget that windows coding used to be conducted on a distributed basis. The incentive for the nodes to be secure plus identifying all those potential breach points is going to be a nightmare. What's worse imho is that adversaries may have had access to the same blueprints from historic high profile in/exfiltrations so initial mitigations will have to start at that level I'd say.
Quite frankly, we're still not sure what Jedi-mind trick Smith thought he was pulling with that statement.
Why the surprise? Surely you read your own articles as much as I do and even as a non-Microsoft user I've read enough to realise that this is the Microsoft approach to QA. He just let it slip out.
The sequence was probably something like this:
1: Testin/QA miss the occasional corner case that slips out into the wild.
2. Users find the bug with sufficient publicity the Microsoft notice it.
3. Microsoft decides that users are more effective at catching bugs than Testing/QA
4. Microsoft realises that users are actually paying them rather then being paid
5. Microsoft acts accordingly
"No, she's on a mission to grandstand, suck up oxygen and divert attention from any serious topic that might come up because that's all she knows."
FTFY
I almost feel sorry for her constituents, who in theory put her into Congress to enact legislation that will help them, the little people. But then I remember she's in a solid Red district, and the idiots will likely vote her back into office. She will not change, and the idiots will get what they deserve ... no real representative in Congress.
Seriously MS, missing the opportunity to upsell a client?
Member: "what are we paying you for?!"
Smith: "Hosted email services."
Member: "So why aren't they being managed?!!!"
Smith:" I guarantee they are indeed managed. Your people can login and receive send email just fine."
Member: "WTF!?"
Smith: "Now, let me tell you about Defender for Outlook online and what it could have done for you in this case..."
yep, takes defender to monitor the pathetic old Kerber roasting and pass the hash of their 40+ year old authentication that has so many holes it requires special monitoring and even then, pfft exploit after exploit just walk right up. There is no Innovation at MS, just rehash and add more to menus. It's still running the same lame code with CMD and CSV as its foundation.
CISA coordinated with Facebook, Google, youtube, Apple and others in order to squelch any anti-Covid messages of ordinary NATO citizens.
https://judiciary.house.gov/media/press-releases/new-report-reveals-cisa-tried-cover-censorship-practices
https://eu.usatoday.com/story/money/2023/10/03/fifth-circuit-cisa-ruling-biden-first-amendment/71051110007/
https://www.theregister.com/2023/10/04/cisa_barred_from_coordinating_with/
It was essentially a CIA-NSA-ARMY operation designed to facilitate illegal censorship. They seconded their operatives into CISA, so they could avoid legal trouble.
This backfired big time, as people simply used TELEGRAM, provided by Mr Durov "out of Dubai" (believe this at your own cost).
Yes, that's true. Free speech provided by Russia because CIA censors the h3ll out of American services.
Well, this is the war the US is fighting right now. Probably the most serious existential threat to the USA since 1861. And so far, the country is not winning.
But it is still fighting, and that's something. Too many countries seem to have simply given up, or actively embraced misinformation.
There is a very special part of hell reserved for politicians who purposely sell out their country for their own gain. It's on the ninth circle, the home of traitors. If I were religious, I'd take comfort from thinking that the punishment of the likes of Johnson, Putin and Netanyahu will be far worse than that of mere murderers like Xi or thieves like Trump.
So you've got the Biden Administration's CISA working with the providers to squash anti-Covid messages which resulted from a Trump era DoD initiative to create anti-Covid sentiment. Here's one indication of what's going on....
https://www.military.com/daily-news/2024/06/14/pentagon-stands-secret-anti-vaccination-disinformation-campaign-philippines-after-reuters-report.html
(Note that if you dig a bit deeper you'll find that the rabbit hole goes rather deeper than the material in this article. This material is from the DoD itself. Go figure!)
... it is not Microsoft's job to literally catch spies in their hosted email systems.
But, it is their job to keep their systems reasonably secure and well-monitored such that (1) successful intrusions won't likely occur, (2) unsuccessful intrusions are logged and appropriately reported, (3) successful intrusions are likely detected, and (4) successful intrusions are appropriately reported.
This means not leaving a giant golden key labelled, "God-Level Access" lying around in the company parking lot, and having that parking lot well-fenced, with gate guards who will stop and question the driver of a white panel van with an "Acme Van Rentals" sticker on the windshield and a magnetic sign on the driver's door reading, "Thrustmaster Giant Caulk™" / "We deliver our Giant Caulk to anywhere you want." ... vs gate gaurds more-interested in playing Bubble Bobble, Candy Crush, or Call of Duty on their smartphones.
Oligarch bribing newspapers: https://www.berliner-zeitung.de/news/gates-stiftung-unterstuetzt-den-spiegel-mit-weiteren-29-millionen-dollar-li.194183
Oligarch buying goverment:
https://www.infosperber.ch/wirtschaft/konzerne/who-geraet-immer-mehr-in-abhaengigkeit-von-bill-gates-co/
https://www.welt.de/politik/deutschland/plus209247817/Umstrittene-Finanzierung-Das-Gates-Dilemma-der-WHO.html
Of course this is absolutely, never, ever related to his Pharma Investments !
No no no ... oligarchs only exist in other sorts of obviously corrupt states - not like ours of course.
The difference is that we have capitalism and free market entrepreneurs, who are definitely not opportunist oligarchs of course, because they only have our best interests at heart
Sorry Government... This isn't the Robocop future where stuff like this gets outsourced.
Microsoft can be responsible for teenagers trying to hack into stuff, and they have a duty to report crimes to the police. We have the FBI/CIA/NSA/MIB and a Justice System under the control of an elected Government for doing the big stuff. That includes morality censorship and detecting/investigating criminal gangs.
I highly doubt Microsoft invests the sort of money in the security protocols needed to counter nation-state attacks...
"I highly doubt Microsoft invests the sort of money in the security protocols needed to counter nation-state attacks...”
Maybe not - but if Microsoft are providing services to an institution (say the US government), which any idiot could reasonably expect to be the target of nation-state attacks, then maybe they should!
Or if they aren't prepared to do that, then fine, don't offer the service! One or the other, no?
Or is that a fault in the US government, basically outsourcing services to a supplier who simply can’t or won’t implement the required level of security? Who can tell?
"Or is that a fault in the US government"
Well, yes. And every other government on Earth that uses software from Redmond.
Have you read the fine print in the contract (ANY contract!) from Redmond? Every single one of them includes language which removes any fault from Microsoft if you choose to use their code. It is essentially YOUR fault for choosing to use it.
The next question is why on earth would any corporation's (or Government's!) lawyers allow the stuff in the door in the first place?
Bill 'em. If you performed security work that M$ should have been doing, send them a bill for every second by every agent used for this, and use the IRS to collect. Tell them that this will be policy going forward until M$ provides the security they promise before the sale.
Next up, tell them to make a choice - quit China completely due to the 2017 law, or lose all access to US government contracts.
Are any cloud services secure - ie. Evaluated against the Common Criteria.
Interestingly, this Wikipedia article would seem to imply Microsoft dropped EAL4 certification after Windows Server 2008:
https://en.wikipedia.org/wiki/Security-evaluated_operating_system
So we do have to ask why government departments needing Security evaluated operating systems are using Microsoft and (public) cloud…
"Next up, tell them to make a choice - quit China completely due to the 2017 law, or lose all access to US government contracts.”
Which is a fair enough ultimatum, but hypothetically, were Microsoft to say “you know what Uncle Sam, we’ll stay with our China contracts because they are more lucrative, so OK we’ll terminate and delete all of the US Government agency’s 365 accounts, we’ll vaporise all of the emails, OneDrive content etc. But we’ll give you a month, maybe two to migrate away before we do so.
Don’t make threats unless you are absolutely, really absolutely prepared to execute on them and accept and deal with the consequences!
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
