Microsoft bigwig says the Feds catching Chinese spies in Exchange Online is the cloud working as intended

Lawmakers on Thursday grilled Microsoft president Brad Smith about the Windows giant's businesses dealing in China — and the super-corp's repeated security failings — at a time when Beijing-backed spies are accused of breaking into Microsoft-hosted email accounts of American government officials. A US House committee hearing …

  1. elDog

    These attack vectors have been known and warned about for years.

    Microsoft values capturing customers far more than caring about security.

    https://www.propublica.org/article/microsoft-solarwinds-golden-saml-data-breach-russian-hackers

    They are now just the typical company saying "Your security is our top priority" while actively (and I mean actively) not trying to secure your data.

    The US and any other country should be ashamed of themselves for falling for these sales spiels. I'm sure there are lots of multi-$$$ kickbacks involved.

    1. RedGreen925

      Re: These attack vectors have been known and warned about for years.

      "I'm sure there are lots of multi-$$$ kickbacks involved."

      Now now the preferred term in campaign contributions, it solved the anti-trust case rather nicely and has been going swimmingly ever since. I used to be shocked at how cheap it is to buy government influence but not anymore.

  2. Anonymous Coward

    Microsoft leaked the key data. Microsoft set it up so that a single leaked key compromised a stupendous number of accounts, including sensitive US government accounts. Wow. The arrogance.

    1. CowHorseFrog Silver badge

      You would think that this is an admission of a crime with jail time.

      1. ecofeco Silver badge

        That's just crazy commie talk! Jail time for the titans of corrupt capitalism? CRAZY TALK!

        1. Excused Boots Silver badge

          "That's just crazy commie talk! Jail time for the titans of corrupt capitalism? CRAZY TALK!"

          Oh no, come on, yes that's CRAZY TALK, so how about they find a lowly sysadmin or an intern who, alas, didn't keep offline copies of the instructions they were given or the warnings they sent to higher-ups, and blame them!

          THEY can go to jail, justice is seen to be done. Big thumbs up for the US judicial system.

          Rinse and repeat.....

    2. FIA Silver badge

      Microsoft leaked the key data.

      No, they didn't.

      It was stolen by an intruder into their network.

      Microsoft had the key unencrypted in memory and it was then saved to a crash dump when something crashed. Someone got into their network and found that file.

      Microsoft set it up so that a single leaked key compromised a stupendous number of accounts, including sensitive US government accounts. Wow. The arrogance.

      That's not arrogance, that's stupidity and incompetence.

      1. Anonymous Coward

        Do the math

        In this case, arrogance = stupidity = incompetence - a vicious circle.

  3. This post has been deleted by its author

  4. Pascal Monett Silver badge

    MTG does not decode

    Her job is to spout bullshit, and she is remarkably adept at doing that.

    1. Vincent van Gopher

      Re: MTG does not decode

      I've upvoted you Pascal, though is Marge the Bounty Hunter really adept at bullshit? Perhaps the downvotes are from people that don't think she's adept at bullshitting. She is definitely batshit crazy with her conspiracy theories and may walk back some of the madder ones when she realizes they are totally crazy.

      1. Ali Dodd

        Re: MTG does not decode

        Walk back? No, that's not the MAGA playbook that MTG worships; she'll just double down.

        1. Vincent van Gopher

          Re: MTG does not decode

          I did see her say that some of the QAnon conspiracy things she'd see on the internet were wrong - https://www.snopes.com/fact-check/marjorie-taylor-greene-qanon-internet-quote/

          So even she had to admit some of the things she'd read and ran with were batshit. Absolutely no excuse for it if she had any sort of intelligence - which she obviously doesn't.

      2. sitta_europea Silver badge

        Re: MTG does not decode

        "... [MTG] ... is definitely batshit crazy ..."

        After reading a little about Mrs. Greene I conclude that you're right, but also that the voters must be just as crazy to vote for her.

        I'm now of the opinion that before anyone can vote, they ought to pass an examination.

        1. Michael Wojcik Silver badge

          Re: MTG does not decode

          To be fair, I suspect many, perhaps most, of those who voted for MTG don't care whether she's rational. They care that she's a loudmouthed asshole who annoys their political opponents. That's what such voters are looking for. As far as they're concerned, the House is a schoolyard and they want to have the most bullies.

          1. TheNoob

            Re: MTG does not decode

            No, just no. Moscow Marge has an agenda, probably set for her by her allegedly Putin-aligned campaign guy. I forget whether it was campaign advisor or manager, but something at influence level.

            The plot is to derail governments and to step up the action since we started defending Ukraine. The number of government leaders affected, exposed, attacked - and I suspect even Abe was a victim (exposed to yakuza by Kremlin agents) - shows just how complacent and innocent we are in comparison to what is being waged around us.

            In terms of security I hope we're stepping up and beginning to take our jobs seriously. In fact whatever we're doing we need to wake up imho.

        2. Anonymous Coward

          Re: MTG does not decode

          A number of voters see MTG as the goofy hillbilly panelist member of a game show. They, unfortunately, feel her pain and dearth of integrity.

    2. Andrew Williams

      Re: MTG does not decode

      I call your MTG and raise you with "The Squad."

  5. A Non e-mouse Silver badge

    There's an element of truth in what Microsoft say: it's not for them to say whether person A logging into Office 365 with valid credentials is allowed to see the data. That's your job as the tenancy administrator.

    The problem with that line is in this case, the ne'er-do-wells bypassed the normal authentication methods to gain access to Office 365 so MS are most definitely on the hook here.

    1. David Newall

      Did they really bypass the normal authentication systems? TFA said they had the key (which they found in Microsoft's crash dump.)

    2. Roland6 Silver badge

      There is another element of truth in what MS are saying, however, if MS really want the cloud to work in the way they are implying then they can facilitate this by making all their software Open Source…

      GPL3 should suffice…

  6. Alistair Wall

    "big customer of government" implies Microsoft is paying and government is supplying. Not saying it doesn't work like this, of course.

    1. Strahd Ivarius Silver badge
      Facepalm

      MS is paying, but not the government, the lawmakers...

    2. TheNoob

      We forget that Windows coding used to be conducted on a distributed basis. The incentive for the nodes to be secure plus identifying all those potential breach points is going to be a nightmare. What's worse imho is that adversaries may have had access to the same blueprints from historic high-profile in/exfiltrations, so initial mitigations will have to start at that level I'd say.

  7. Doctor Syntax Silver badge

    Quite frankly, we're still not sure what Jedi-mind trick Smith thought he was pulling with that statement.

    Why the surprise? Surely you read your own articles as much as I do and even as a non-Microsoft user I've read enough to realise that this is the Microsoft approach to QA. He just let it slip out.

    The sequence was probably something like this:

    1. Testing/QA miss the occasional corner case that slips out into the wild.

    2. Users find the bug with sufficient publicity that Microsoft notice it.

    3. Microsoft decides that users are more effective at catching bugs than Testing/QA.

    4. Microsoft realises that users are actually paying them rather than being paid.

    5. Microsoft acts accordingly.

    1. Anonymous Coward

      The Boeing in the cloud

      MS in this case is channeling Boeing.

  8. Dostoevsky Bronze badge
    FAIL

    Jedi Mind Trick

    Microsoft's bigwigs are smoking copium. It was a "mind trip," not a "mind trick."

    Oh, and MTG needs to shut up. She's a BBA, not a PhD. I'd like to avoid further embarrassment of our government, if possible... Oh, wait...

  9. Stevie

    Bah!

    MTG is on the committee?

    On a committee to evaluate a technical issue?

    JFC.

    1. veti Silver badge

      Re: Bah!

      No, she's on a committee to grandstand, suck up oxygen and divert attention from any serious topic that might come up.

      That's basically the whole of her job. Doesn't really matter which committee, I imagine this one was favoured because it doesn't normally get enough publicity.

      1. jake Silver badge

        Re: Bah!

        "No, she's on a mission to grandstand, suck up oxygen and divert attention from any serious topic that might come up because that's all she knows."

        FTFY

        I almost feel sorry for her constituents, who in theory put her into Congress to enact legislation that will help them, the little people. But then I remember she's in a solid Red district, and the idiots will likely vote her back into office. She will not change, and the idiots will get what they deserve ... no real representative in Congress.

  10. Charles Bu

    Forget it, it's only 1.5%

    "Smith told lawmakers that Microsoft's business in China represents about 1.5 percent of his company's revenue..."

    ...and 98.5% of cyber security breaches.

  11. Ryan D
    Joke

    I was expecting the upsell

    Seriously MS, missing the opportunity to upsell a client?

    Member: "what are we paying you for?!"

    Smith: "Hosted email services."

    Member: "So why aren't they being managed?!!!"

    Smith: "I guarantee they are indeed managed. Your people can log in and receive and send email just fine."

    Member: "WTF!?"

    Smith: "Now, let me tell you about Defender for Outlook online and what it could have done for you in this case..."

    1. Mahhn

      Re: I was expecting the upsell

      Yep, takes Defender to monitor the pathetic old Kerberoasting and pass-the-hash of their 40+ year old authentication that has so many holes it requires special monitoring, and even then, pfft, exploit after exploit just walk right up. There is no innovation at MS, just rehash and add more to menus. It's still running the same lame code with CMD and CSV as its foundation.

  12. fg_swe Silver badge

    CISA - Censorship America

    CISA coordinated with Facebook, Google, YouTube, Apple and others in order to squelch any anti-Covid messages of ordinary NATO citizens.

    https://judiciary.house.gov/media/press-releases/new-report-reveals-cisa-tried-cover-censorship-practices

    https://eu.usatoday.com/story/money/2023/10/03/fifth-circuit-cisa-ruling-biden-first-amendment/71051110007/

    https://www.theregister.com/2023/10/04/cisa_barred_from_coordinating_with/

    It was essentially a CIA-NSA-ARMY operation designed to facilitate illegal censorship. They seconded their operatives into CISA, so they could avoid legal trouble.

    This backfired big time, as people simply used TELEGRAM, provided by Mr Durov "out of Dubai" (believe this at your own cost).

    Yes, that's true. Free speech provided by Russia because CIA censors the h3ll out of American services.

    1. veti Silver badge

      Re: CISA - Censorship America

      Well, this is the war the US is fighting right now. Probably the most serious existential threat to the USA since 1861. And so far, the country is not winning.

      But it is still fighting, and that's something. Too many countries seem to have simply given up, or actively embraced misinformation.

      There is a very special part of hell reserved for politicians who purposely sell out their country for their own gain. It's on the ninth circle, the home of traitors. If I were religious, I'd take comfort from thinking that the punishment of the likes of Johnson, Putin and Netanyahu will be far worse than that of mere murderers like Xi or thieves like Trump.

      1. jake Silver badge
        Pint

        Re: CISA - Censorship America

        I read that as "the ninth circuit" and had to do a double-take because that didn't sound like you ...

        Have a beer for the (unintended?) laugh :-)

      2. CowHorseFrog Silver badge

        Re: CISA - Censorship America

        And the enemy is corporate america, but nobody with balls is willing to admit they have a problem.

    2. martinusher Silver badge

      Re: CISA - Censorship America

      So you've got the Biden Administration's CISA working with the providers to squash anti-Covid messages which resulted from a Trump era DoD initiative to create anti-Covid sentiment. Here's one indication of what's going on....

      https://www.military.com/daily-news/2024/06/14/pentagon-stands-secret-anti-vaccination-disinformation-campaign-philippines-after-reuters-report.html

      (Note that if you dig a bit deeper you'll find that the rabbit hole goes rather deeper than the material in this article. This material is from the DoD itself. Go figure!)

  13. fg_swe Silver badge

    Secure Government Email

    Postfix

    GnuPG

    DeltaChat (also uses GnuPG)

    But alas, no kickbacks possible!

  14. Sparkus

    So damned easy to "accept responsibility"

    when you know for a fact that there will be no accountability......

  15. CowHorseFrog Silver badge

    Yet another example of fake corporate leaders, pretending to be experts but are actually just bullshitters with fake credentials.

  16. Anonymous Coward

    MTG

    Are you actually expecting to get a coherent answer from MTG?

  17. Anonymous Coward

    No comments about

    MS stating that they are not following the laws of the countries they operate in?

    Nor about the US laws that inspired the Chinese ones about "forcing" companies to give the government their customer data?

    1. Anonymous Coward

      Re: No comments about

      Funny detail: MS were active contributors to the Cloud Act, which should give you some idea of how secure any of your data is - even without Chinese hacking (which, given that it's Microsoft, do not need to be spectacularly talented).

  18. An_Old_Dog Silver badge

    Literally Speaking ...

    ... it is not Microsoft's job to literally catch spies in their hosted email systems.

    But, it is their job to keep their systems reasonably secure and well-monitored such that (1) successful intrusions won't likely occur, (2) unsuccessful intrusions are logged and appropriately reported, (3) successful intrusions are likely detected, and (4) successful intrusions are appropriately reported.

    This means not leaving a giant golden key labelled "God-Level Access" lying around in the company parking lot, and having that parking lot well-fenced, with gate guards who will stop and question the driver of a white panel van with an "Acme Van Rentals" sticker on the windshield and a magnetic sign on the driver's door reading "Thrustmaster Giant Caulk™" / "We deliver our Giant Caulk to anywhere you want." ... vs gate guards more interested in playing Bubble Bobble, Candy Crush, or Call of Duty on their smartphones.

  19. fg_swe Silver badge

    Oligarchy Disinformation Operations And Malgovernance

    Oligarch bribing newspapers: https://www.berliner-zeitung.de/news/gates-stiftung-unterstuetzt-den-spiegel-mit-weiteren-29-millionen-dollar-li.194183

    Oligarch buying government:

    https://www.infosperber.ch/wirtschaft/konzerne/who-geraet-immer-mehr-in-abhaengigkeit-von-bill-gates-co/

    https://www.welt.de/politik/deutschland/plus209247817/Umstrittene-Finanzierung-Das-Gates-Dilemma-der-WHO.html

    Of course this is absolutely, never, ever related to his pharma investments!

    1. Anonymous Coward

      Re: Oligarchy Disinformation Operations And Malgovernance

      No no no ... oligarchs only exist in other sorts of obviously corrupt states - not like ours of course.

      The difference is that we have capitalism and free market entrepreneurs, who are definitely not opportunist oligarchs of course, because they only have our best interests at heart.

  20. ecofeco Silver badge
    Mushroom

    WHOCOULDKNOWED?

    The world is run by failsons and we are doomed.

  21. Anonymous Coward

    Microsoft is NOT responsible for cyber-warfare and policing.

    Sorry Government... This isn't the Robocop future where stuff like this gets outsourced.

    Microsoft can be responsible for teenagers trying to hack into stuff, and they have a duty to report crimes to the police. We have the FBI/CIA/NSA/MIB and a Justice System under the control of an elected Government for doing the big stuff. That includes morality censorship and detecting/investigating criminal gangs.

    I highly doubt Microsoft invests the sort of money in the security protocols needed to counter nation-state attacks...

    1. Excused Boots Silver badge

      Re: Microsoft is NOT responsible for cyber-warfare and policing.

      "I highly doubt Microsoft invests the sort of money in the security protocols needed to counter nation-state attacks..."

      Maybe not - but if Microsoft are providing services to an institution (say the US government), which any idiot could reasonably expect to be the target of nation-state attacks, then maybe they should!

      Or if they aren't prepared to do that, then fine, don't offer the service! One or the other, no?

      Or is that a fault in the US government, basically outsourcing services to a supplier who simply can’t or won’t implement the required level of security? Who can tell?

      1. jake Silver badge

        Re: Microsoft is NOT responsible for cyber-warfare and policing.

        "Or is that a fault in the US government"

        Well, yes. And every other government on Earth that uses software from Redmond.

        Have you read the fine print in the contract (ANY contract!) from Redmond? Every single one of them includes language which removes any fault from Microsoft if you choose to use their code. It is essentially YOUR fault for choosing to use it.

        The next question is why on earth would any corporation's (or Government's!) lawyers allow the stuff in the door in the first place?

      2. veti Silver badge

        Re: Microsoft is NOT responsible for cyber-warfare and policing.

        I have no inside knowledge, but I'd be prepared to bet that Microsoft provides the security features that its contract with the government specifies.

        If the govt has belatedly realised those are inadequate, that's on them.

  22. M.V. Lipvig Silver badge

    I have a simple solution for Congress

    Bill 'em. If you performed security work that M$ should have been doing, send them a bill for every second by every agent used for this, and use the IRS to collect. Tell them that this will be policy going forward until M$ provides the security they promise before the sale.

    Next up, tell them to make a choice - quit China completely due to the 2017 law, or lose all access to US government contracts.

    1. Roland6 Silver badge

      Re: I have a simple solution for Congress

      Are any cloud services secure, i.e. evaluated against the Common Criteria?

      Interestingly, this Wikipedia article would seem to imply Microsoft dropped EAL4 certification after Windows Server 2008:

      https://en.wikipedia.org/wiki/Security-evaluated_operating_system

      So we do have to ask why government departments needing security-evaluated operating systems are using Microsoft and (public) cloud…

    2. Excused Boots Silver badge

      Re: I have a simple solution for Congress

      "Next up, tell them to make a choice - quit China completely due to the 2017 law, or lose all access to US government contracts."

      Which is a fair enough ultimatum, but hypothetically, were Microsoft to say "you know what Uncle Sam, we'll stay with our China contracts because they are more lucrative, so OK we'll terminate and delete all of the US Government agency's 365 accounts, we'll vaporise all of the emails, OneDrive content etc. But we'll give you a month, maybe two to migrate away before we do so."

      Don’t make threats unless you are absolutely, really absolutely prepared to execute on them and accept and deal with the consequences!

  23. Ian Mason

    You trusted the email accounts of high value targets to Microsoft's Exchange Online? There's your mistake, all the rest is a consequence of that decision.

    1. jake Silver badge

      "You trusted high value targets with email? There's your mistake, all the rest is a consequence of that decision."

      FTFY
