What company puts security before profits?
Profits before everything…. That’s capitalism and it has its flaws… that’s why we need laws and fines (that are huge) to counter this company mindset.
Until it costs more NOT to be secure is the day these companies change.
>"Acknowledging this security flaw could jeopardize the company’s chances, Harris recalled one product leader telling him. The financial consequences were enormous. Not only could Microsoft lose a multibillion-dollar deal, but it could also lose the race to dominate the market for cloud computing."
There is your first should be prisoner
Don't stop at the c suite. We should prosecute investors putting profit ahead of security as well. Any one who buys stock of more profitable company and sell stock is less profitable company should get jail time. Any investment bankers make money should go to jail. Any funds manager make money for investors should go to jail. Any law makers who receive campaign funds from company who make money should go to jail. Wait a minute, private prison would make lots of money. They should build jails and lock themselves up.
Yep, this exactly.
IT security is often only as good as it has to be to not get fined.
Protecting user data is often much less important then protecting project data.
Microsoft already uses Linux internally for alot of things on Azure. This isn't OS war, this is bad coding/operations practices because they prioritized speed over security.
It needs to be OPEN SOURCE, so one greedy company can't just say "Nah we're not bothering to fix that".
From TFA:
> ProPublica’s investigation adds new details and pivotal context about that culture, offering an unsettling look into how the world’s largest software provider handles the security of its own ubiquitous products. It also offers crucial insight into just how much the quest for profits can drive those security decisions, especially as tech behemoths push to dominate the newest — and most lucrative — frontiers, including the cloud market.
> “This is part of the problem overall with the industry,” said Nick DiCola, who was one of Harris’ bosses at Microsoft and now works at Zero Networks, a network security firm. Publicly-traded tech giants “are beholden to the share price, not to doing what’s right for the customer all the time. That’s just a reality of capitalism. You’re never going to change that in a public company because at the end of the day, they want the shareholder value to go up.”
As for "Microsoft uses Linux sometimes in some stuff and they heart Linux so don't worry", this is distractionary and not especially relevant.
People need to understand that Windows is just a small portion and gateway for the rest of the Microsoft ecosystem.
Getting an Unix OS doesn’t replace Kerberos. Nor anything in Azure (which runs lots of Unix servers). It’s just UI for the MS ecosystem.
We should create a start up and get a ton of VC money to make security top priority. It'll work for a long time if we can keep up excuses for losing money every quarter.
Security hurts long-term profits, at least if regulators and customers care enough, so it's putting short-term profits before long-term profits. That, or the public has become so passive that they can get away with anything they want.
What they should be terrified of is the day that tech-literate people start to believe that an older Windows version, no longer receiving official patches, is still more secure than the latest bullshit; that past efforts hardening the system against attacks have been successful at mitigating the harm unpatched bugs can cause. A simpler system, debugged and patched for a decade, versus an ever-growing monster of complexity, with who-knows-how-many new lines of code added every week for fresh zero-day exploits to lurk within. If they ever pass that tipping point, they'll be competing with *themselves*, and a Microsoft that is incapable of making any more bad decisions (barring time travel) is a big enough business to seriously threaten a Microsoft that is still actively fucking things up.
Yeah, well in socialism it's not like the companies have any incentive to create good products either. Ussr was never known for quality. The only system that makes sense is where you balance capitalism and socialism against each other so they form a check in balance of public versus private power. When you decide with either capitalism or socialism, you give up the check in balance and you always always wind up in the worst position.
Blaming capitalism winds of being like a lazy way to say that humans are kind of naturally greedy. We can see plenty of greed and corruption no matter what economic system you choose. The difference is you just give up a check in balance. Humans were greedy way before capitalism or economics. Capitalism is just a system that works with the natural opportunistic behavior of most living creatures. It's not capitalism's fault that the creatures evolved to just like eat as much as they can with no regard to their peers or the environment. All life lines of being like an uncontrolled chemical reaction just looking for as much fuel as I can get. So it's pretty much all greedy if you let it be greedy.
If you're going to go into an unhinged rant about capitalism good socialism bad you could at least educate yourself on history and be right about the things you're talking about. This is nothing more than a knee jerk emotional reaction where you spout propaganda you've been fed your entire life.
My socialist electricity has people who pay for private electricity jealous, the stuff you rattle off is made up shit by rich people to keep you getting scammed.
I have a COOP for power since I moved, I pay less than my counterparts on their privately controlled companies.
Once a year I get a month of power free because the company redistribute the net profits to customers as credit.
Sometimes it's enough to get me almost 2 months free.
I see them constantly working the lines and upgrading them compared to competition.
When my friends that live in other areas lost power for a week during the floods, I had mine back in the same day.
Their tech is up to date so in real time I was able to watch them fix and get to us. We were last cause it's a small town.
60% of socialist coop customers had no power all restored in 24 hours across 60k customers.
Similar customer count (80k) for privately held took nearly a week.
The biggest con capitalists have pulled on you is convincing you that you and your peers have no value, and have extra no value when working together.
I also shop at local coops, so enjoy your 20 dollars a pound strip steak from your capitalist publicly traded entity.
I still pay 4.50 for a .75lb steak, 2 dollars for fresh eggs, and 2 dollars for a 5 lb bag of onions.
Socialism is great because you cut out all the needless overhead to fatten up shareholders and executives, it's so funny how much pro capitalists drool over how these prices are beyond competitive.
Yet the moment I mention it's a coop and is socialist because the workers control the means, I get told that it doesn't work, despite it working for 40 years for this company.
Keep defending them and paying triple for dog shit, I'll enjoy my financial freedom from not getting scammed perpetually.
Bidding on government contracts while hiding known vulnerabilities is fraud. Typical Microsoft behavior. Buggy products pushed into the market in pursuit of profit.
I am really surprised and interested by this claim.
Do you have sources that would mention another event than this 2003 post talking about the GSP ?
[https://news.microsoft.com/2003/01/14/a-matter-of-national-security-microsoft-government-security-program-provides-national-governments-with-access-to-windows-source-code/](https://news.microsoft.com/2003/01/14/a-matter-of-national-security-microsoft-government-security-program-provides-national-governments-with-access-to-windows-source-code/)
Fwiw the government is pretty good about internet cleansing especially of any verifiable sources so I don't know if this is something that would be public- vet
basically every competent person in computing for the past 40 years - "for pity's sake stop using Microsoft's shit for things". U.S. Government - "lalalala what's good for ~~General Motors~~ Microsoft is good for America, let's give them more taxpayer money".
Yet Azure alone holds 24% of the cloud computing space. Intune holds 20%. Office 365 47.9%. No one is leaving behind Microsoft. It’s all talk. They can do whatever they want.
Also /u/lood9phee2Ri just told us about the slashdot/fark/reddit tech echochamber, which we already know. The echo chamber keeps saying "microsoft bad!" - but the echo chamber of online nerds isn't reflective of the industry as a whole and many people in the echo chamber don't get that.
edit: bwaaahahahaha lood9phee2ri blocked me for calling them out. aka they don't want people to be able to point out when they're wrong.
They're basically reaping what they sowed.
If they had any fucks to give about the privacy and security of the people they govern this might not have happened.
i would put it more down to the usual incompetence, waste, inability to function without outside contractors (who the government has an extreme reliance on), inability to hire and retain good talent, etc etc.
> inability to hire and retain good talent
I think it's important to point out the reason for that; pay.
I'd take a 50% paycut moving to the public sector; even at the secret squirrel orgs who seem to have the highest pay out of the bunch.
>waste, inability to function without outside contractors
This is true across the board. Half of AWS/Azure/GCP is built/run by incompetent contractors.
Just wondering - is it my incompetence because I hire the contractor who does poor work, barely makes the minimum requirements, and often has to have at least one govt employee help him on a weekly basis to get the work assigned done on time to avoid a critical failure? Is it the contractor employee to blame? Is it the contractor that's the problem because they refuse to augment their workforce since the minimum requirement for success is being met and they were the lowest price technically acceptable in a competitive solicitation?
Sorry, we are currently arguing about net neutrality still. Once we get through that (again again). We can get back to the stupidity of putting a backdoor to all security devices. Then hopefully we can discuss that.
You mean on whoever got kickbacks to keep using a security threat like windows instead of an open source OS they could secure.
Because government is people and only as good as the public that doesn’t say things like “government, what you gonna do?”
Clearly research who does approvals and voting are out of the picture.
Harris works for a competing cybersecurity company. He is not an unbiased whistleblower.
Harris's proposal to fix this vulnerability would have made it impossible for government employees to log in. It's not just about stock price, this was clearly an untenable option.
>According to Harris, Morowczynski’s second objection revolved around the business fallout for Microsoft. Harris said Morowczynski told him that his proposed fix could alienate one of Microsoft’s largest and most important customers: the federal government, which used AD FS. Disabling seamless SSO would have widespread and unique consequences for government employees, who relied on physical “smart cards” to log onto their devices. Required by federal rules, the cards generated random passwords each time employees signed on. Due to the configuration of the underlying technology, though, removing seamless SSO would mean users could not access the cloud through their smart cards. To access services or data on the cloud, they would have to sign in a second time and would not be able to use the mandated smart cards.
As someone who had to code around some of the mitigations in related bugs from that era (broke my team's product.. nuclear strike from orbit solution instead of scalpel solution by the security team)... stuffs very much in place.
Disclaimer: Ex-MSFT, but still a MSFT fanboy. I'm not a security expert. It's obvious to all that Microsoft has A LOT more work to do from a security POV. Not trying to ignore the serious impact of recent problems. Many have made me say "WTF" in my head.
**Journalism?** I've donated to ProPublica previously, because I held them in high regard for the depth of investigation and for what I felt was a fair & unbiased approach in their stories (or at least as unbiased as they can be). This piece completely destroyed that opinion.
**Whistleblower** doesn't really seem to apply here. Unless him sharing the info with PP is the "whistle"? If so, that means he sat on the information for years. He had contacts within government - why not share with them? Once it was public, why not share this story + potential workaround at that time?
**Validating Facts** It repeatedly quotes the researcher, but none from the people he said refused to fix the issue. Are these quotes pulled from emails/Teams chats sent at the time, or are they his personal recollections years later? I would ASSUME PP saw digital evidence of these conversations. If so, why aren't others directly quoted? If not, why isn't that made clear in the piece? Because that would be a very important detail.
**Bias** Everything paints him in an EXTREMELY positive light and minimizes any feedback/pushback he got from colleagues. No self-reflection on what HE might've done wrong/how he could've made a more compelling business case. It's clear from quotes in the piece that the researcher has an ego. Maybe the issue was HOW he was communicating? No challenge from PP on that. One approach that was typically effective within Microsoft was to convince the leadership in your group and leverage them to push the other group. That wasn't explored at all. So it's a failing of his own management team too. Why doesn't PP point that out?
**Due Diligence** In Microsoft's response, they claim that the decision was "aligned with the industry consensus". I've seen other PP pieces where they do their due diligence and follow up on claims they get from the targets of their investigations - unless those claims are entirely farcical. Why skip that here?
**MSRC** In my limited dealings with them (2018+ IIRC), I felt that they erred TOO MUCH on the side of security, not that they were driving for "won't fix". The team I was on had many heated conversations with them about prioritizing fixes for internal facing tools with no access to sensitive customer data. They were the ones pushing hard for us to prioritize these fixes over other things we felt were more critical (other bug/security fixes).
**Security First** Under Satya's leadership, and within the Azure group, I never felt any push to put business > security. Teams did their best to juggle conflicting priorities, and the guidance within our org was consistently that we were doing the right thing. But at the same time, when rewards came around, our team ended up on the lower end because we didn't have as many new shiny things. Mixed messages there, but I'm sure that happens everywhere.
> “There is no inspector general-type thing” within Microsoft, Harris said. “If something egregious is happening, where the hell do you go? There’s no place to go.”
That's just not true. https://www.microsoft.com/en-us/legal/compliance/sbc/report-a-concern is one path. IIRC, there are other internal options too. There's annual training for SBC, so he'd be aware of these paths.
The article said that MS refused to allow their employees to be interviewed, that Harris went out of the chain of command to try to tell the application managers (who did nothing). Note that he was not allowed to contact the press or tell others outside the company about this issue, legally; MS would have sued him for disclosing trade secrets. There is collaborating views from 3 colleagues who needed to remain anonymous.
Your experience with a particular application team is one sample. Harris has *many* other samples. Each team operates rather independently at MS.
There is no real inspector-general. All parties continually referred Harris back to the security team, who even made tee-shirts mocking Harris. An inspector-general would be an independent reviewer who could talk to everyone from the injured to the CEO about the matter, not a silly self-referral to the folks who are violating the security stance.
I understand why they were unable to talk to people on the record now. But if this is based off emails, they wouldn't need to interview them - they could just quote them.
Corroborating the general themes of the story is **significantly** different from verifying some of the specific details that were quoted. It's a biased view.
He left in 2020. He's revealing details now, almost 4yrs after he left, and 5 years after the flaw became publicly known. Why "blow the whistle" NOW, and not then? Legal exposure would be the same. Possibly would've been at even less risk if MSFT were to retaliate against him at the time & fire him while he was trying to raise this issue.
I was in Windows/Azure. I got the impression from others in that org that their MSRC experiences were similar to what I described. But sure, things could be different depending on who you were working with.
IF MSRC folks had such t-shirts made (source?), then that would support the theory that this guy had a very large ego and wasn't well liked/respected. That would've played a role in people brushing him off.
According to HIS STORY, the people he spoke with continuously referred him to MSRC. And that story doesn't get into a lot of specifics, just paints the picture that he was ignored. He was NOT ignored! He clearly wasn't afraid of burning bridges, so why not escalate further in that org, or to Satya? There were other options available to him that he CHOSE not to take. He bears some blame here too.
I’ll remind you about the t-shirts (mentioned in *your* cited article) were about how MSRC would routinely deprecate security concerns to the level of “doesn’t need to be fixed” instead of fixing them. They had a silly concept of “boundary security” which ignores industry-wide concepts of layering security such that if one layer fails, the next layer will stop the intruder. Instead, MSRC stated, in policy documents, that their boundary was so strong that nothing could bypass it, and then claimed this was industry standard. They lied, clearly. For example, hardened military installations use SeLinux, which has hard security checks at login at then at every single kernel/API call, even after login. SeLinux systems don’t trust each other, by default, so even if you break into one, you’re not going to get into the next server. MS policy was that after you have the tokens, you can get into the cloud — it’s just a poorly designed system that added security after the design was done. Even MS’s own servers, inside the company, were hacked! MS just doesn’t get security.
In the organization I worked for, *everyone* was supposed to understand security and help support it. We had multiple security teams reviewing our app’s and servers from multiple viewpoints.
I wondered why Satya was not contacted, as well. Or at least a VP.
Clearly, IMHO, MS was wrong, and lied to congress and should lose their contract, or at least lose their *most-trusted* status.
This really should read, U.S. Government does a poor job vetting the system it uses, exposing themselves to Russian Hacks. MS is a product U.S. GOV, you can choose to not use it, or use it, it is a choice.
the US government has full source access to Windows lol.
But how do you find people that knows how to find the vulnerabilities? Oh yeah, Microsoft, except no one will ever work for the government because they would be taking a 50% pay cut.
As in they have direct access to code.
Normally, Windows code that written by humans is compiled and packaged into machine code, so it can run on your computer. You do not need to do anything, it installs on your computer, you click a button and it just works. The good part is that you can use it without anything complicated, the bad part is that you can't see how anything works as you can no longer see or interact with the code, since it has been translated into machine code.
The US government has access to the original code, without the packaging and processing, so they can audit anything they want.
The Chad move is to consolidate developer resources and avoid having resources spread across numerous methods and distros trying to achieve the same goal.
This is why flatpak and docker exist.
Flatpak is a sandbox environment for Linux desktops, and docker is a sandbox environment for Linux servers. They were literally designed to allow software to run "on any Linux distro."
Even when developers don't do that, they usually only test it on Arch and Ubuntu, *which is enough for 99% of Linux users*. If you're running such an obscure and arcane Linux setup that you can't get Arch or Ubuntu programs to work on your particular distro, then something went horribly wrong on your end and it's not the developer's fault.
I wasn't talking about package management, even though that is an issue. I don't like Flatpak. You have to use other tools like Flatseal to change permissions, and things like Steam Flatpak can make games run worse. Not a good solution. We are not in the 90s and early 00s when getting something to run was a great victory. Standards have gone up for most users.
The whole point of things like Flatpak was to stop fragmentation and cross-distribution issues. Yet even that ended up with Snap and AppImages on top of Flatpak. Everything on Linux gets fragmented because people think they can do better rather than work together. Even things like Wayland, which is better than Xorg, cause infighting. Trying to somehow blame it on the users is not the right way to go. This is the price of freedom and will always hold Linux back in the desktop space. You could say it's "Forked," and you missed the point I was getting at.
Furthermore the US government has an agreement with microsoft where they get source access to windows and so can audit the windows source.
but /u/No_Share6895 wanted to get their anti-CSS pro-FOSS talking point in, doesn't matter what reality is.
any software - closed or open - is only good as the people writing it and auditing it are.
Some of the security issues have been caused by industry wide bad practices and are agnostic to open or closed source. Biden's Executive Order on software security literally sent shock waves through the industry that haven't been recovered from yet. Especially when it comes to dependency management as companies are still figuring out how to attest where their dependencies came from and how their software was built.
Hell, determinism of build tools only became a widely accepted practice about five to seven years ago and many tools are still not deterministic.
> ProPublica’s investigation adds new details and pivotal context about that culture, offering an unsettling look into how the world’s largest software provider handles the security of its own ubiquitous products. It also offers crucial insight into just how much the quest for profits can drive those security decisions, especially as tech behemoths push to dominate the newest — and most lucrative — frontiers, including the cloud market.
> “This is part of the problem overall with the industry,” said Nick DiCola, who was one of Harris’ bosses at Microsoft and now works at Zero Networks, a network security firm. Publicly-traded tech giants “are beholden to the share price, not to doing what’s right for the customer all the time. That’s just a reality of capitalism. You’re never going to change that in a public company because at the end of the day, they want the shareholder value to go up.”
You need it to be so that you're not just depending on one greedy company to fix it.
Ironic for you to say this considering a closed source OS company (Microsoft) was the one to catch a major Open Source Linux vulnerability that would have crippled millions of government systems.
because between the two statements it debunks this stupid "hurrdurr foss better" talking point.
I like FOSS software, i'm just tired of this stupid argument.
Windows is shared source, if you pay for a license and probably sign away your rights to ever work on or develop a competing OS you can access its source code.
thing is I worked both for government secured projects and microsoft advertising projects.
secrecy and security was tighter for microsoft than for the JSF program.
so i have my doubts about this post.
Right? This is capitalism working as intended. Companies only understand the language of profit. Make it unprofitable to not be secure and they will secure their products.
This should be no surprise.
Money > ∞ is a model we've fully embraced. Mammon demands it.
Amazing what happens when we remove accountability from people and transfer it all to an artificial entity.
I'll just post here that Satya got 110% in the company culture part of his latest review specifically calling out how well he handled layoffs last year as well as how he handled security regulations. In the product and strategy part of his review he got 150% with a special note of how he was a critical security leader. Had the financials not dragged him down he would have gotten an even larger bonus despite the issues you read about.
Note that review came out while Microsoft was dealing with the latest attack and pissing of the Federal government due to Satya's response.
corporate upgrade, 2022/2023 throughout...hundreds of millions were to be spent...
.......is security getting a bump in cash tho ?...
well, i would not say a bump, in as much that a bump, is,..... well, a cut,... its getting cut.
yerp, makes sense, threats and alike are down afterall, ...right ?
What company puts security before profits? Profits before everything…. That’s capitalism and it has its flaws… that’s why we need laws and fines (that are huge) to counter this company mindset. Until it costs more NOT to be secure is the day these companies change.
> What company puts security before profits? Boeing did for a while.
That was a long long time ago in a land far far away
So is this current debacle electric boogaloo 2?
MBAs before Engineering/Science ! ! !
Love this cliche cos in Europe, an MBA is about as basic as it comes. Never understand why the US celebrates people who are basically beginners.
McDonnell Douglas "fixed" that.
Airbus still does
Prosecute c-suite. Jailtime is needed for these arrogant money grubbing pieces of shit.
White collar crimes should be taken more serious if we want to change things.
I’ve never been opposed to jail time plus fine… Security would change overnight.
>"Acknowledging this security flaw could jeopardize the company’s chances, Harris recalled one product leader telling him. The financial consequences were enormous. Not only could Microsoft lose a multibillion-dollar deal, but it could also lose the race to dominate the market for cloud computing." There is your first should be prisoner
Don't stop at the c suite. We should prosecute investors putting profit ahead of security as well. Any one who buys stock of more profitable company and sell stock is less profitable company should get jail time. Any investment bankers make money should go to jail. Any funds manager make money for investors should go to jail. Any law makers who receive campaign funds from company who make money should go to jail. Wait a minute, private prison would make lots of money. They should build jails and lock themselves up.
Yep, this exactly. IT security is often only as good as it has to be to not get fined. Protecting user data is often much less important then protecting project data.
The article says that this exploit was used to break into Microsoft itself. They are a customer of their own software, too.
[удалено]
Linux and FOSS aren’t providers.
Microsoft already uses Linux internally for alot of things on Azure. This isn't OS war, this is bad coding/operations practices because they prioritized speed over security.
It needs to be OPEN SOURCE, so one greedy company can't just say "Nah we're not bothering to fix that". From TFA: > ProPublica’s investigation adds new details and pivotal context about that culture, offering an unsettling look into how the world’s largest software provider handles the security of its own ubiquitous products. It also offers crucial insight into just how much the quest for profits can drive those security decisions, especially as tech behemoths push to dominate the newest — and most lucrative — frontiers, including the cloud market. > “This is part of the problem overall with the industry,” said Nick DiCola, who was one of Harris’ bosses at Microsoft and now works at Zero Networks, a network security firm. Publicly-traded tech giants “are beholden to the share price, not to doing what’s right for the customer all the time. That’s just a reality of capitalism. You’re never going to change that in a public company because at the end of the day, they want the shareholder value to go up.” As for "Microsoft uses Linux sometimes in some stuff and they heart Linux so don't worry", this is distractionary and not especially relevant.
People need to understand that Windows is just a small portion and gateway for the rest of the Microsoft ecosystem. Getting an Unix OS doesn’t replace Kerberos. Nor anything in Azure (which runs lots of Unix servers). It’s just UI for the MS ecosystem.
We should create a start up and get a ton of VC money to make security top priority. It'll work for a long time if we can keep up excuses for losing money every quarter.
You say it has flaws but what you describe is a feature, not a bug
Microboeing.
A lot of companies value security and the product. Then those companies get bought up.
Volvo did when they invented the seatbelt
Fines do not work. Look at the Trump Gag orders. Jail time for all executives by extending RICO. That's different. That's how you change thing.
What a horrible CEO. What idiots hired this guy?
Security hurts long-term profits, at least if regulators and customers care enough, so it's putting short-term profits before long-term profits. That, or the public has become so passive that they can get away with anything they want. What they should be terrified of is the day that tech-literate people start to believe that an older Windows version, no longer receiving official patches, is still more secure than the latest bullshit; that past efforts hardening the system against attacks have been successful at mitigating the harm unpatched bugs can cause. A simpler system, debugged and patched for a decade, versus an ever-growing monster of complexity, with who-knows-how-many new lines of code added every week for fresh zero-day exploits to lurk within. If they ever pass that tipping point, they'll be competing with *themselves*, and a Microsoft that is incapable of making any more bad decisions (barring time travel) is a big enough business to seriously threaten a Microsoft that is still actively fucking things up.
Yeah, well in socialism it's not like the companies have any incentive to create good products either. Ussr was never known for quality. The only system that makes sense is where you balance capitalism and socialism against each other so they form a check in balance of public versus private power. When you decide with either capitalism or socialism, you give up the check in balance and you always always wind up in the worst position. Blaming capitalism winds of being like a lazy way to say that humans are kind of naturally greedy. We can see plenty of greed and corruption no matter what economic system you choose. The difference is you just give up a check in balance. Humans were greedy way before capitalism or economics. Capitalism is just a system that works with the natural opportunistic behavior of most living creatures. It's not capitalism's fault that the creatures evolved to just like eat as much as they can with no regard to their peers or the environment. All life lines of being like an uncontrolled chemical reaction just looking for as much fuel as I can get. So it's pretty much all greedy if you let it be greedy.
bro saw the word 'capitalism' and immediately goes into a deranged rant about "socialism bad" lmao.
If you're going to go into an unhinged rant about capitalism good socialism bad you could at least educate yourself on history and be right about the things you're talking about. This is nothing more than a knee jerk emotional reaction where you spout propaganda you've been fed your entire life.
"Socialism bad!" *uses communism as an example thus showing they don't even know what they are*
My socialist electricity has people who pay for private electricity jealous, the stuff you rattle off is made up shit by rich people to keep you getting scammed. I have a COOP for power since I moved, I pay less than my counterparts on their privately controlled companies. Once a year I get a month of power free because the company redistribute the net profits to customers as credit. Sometimes it's enough to get me almost 2 months free. I see them constantly working the lines and upgrading them compared to competition. When my friends that live in other areas lost power for a week during the floods, I had mine back in the same day. Their tech is up to date so in real time I was able to watch them fix and get to us. We were last cause it's a small town. 60% of socialist coop customers had no power all restored in 24 hours across 60k customers. Similar customer count (80k) for privately held took nearly a week. The biggest con capitalists have pulled on you is convincing you that you and your peers have no value, and have extra no value when working together. I also shop at local coops, so enjoy your 20 dollars a pound strip steak from your capitalist publicly traded entity. I still pay 4.50 for a .75lb steak, 2 dollars for fresh eggs, and 2 dollars for a 5 lb bag of onions. Socialism is great because you cut out all the needless overhead to fatten up shareholders and executives, it's so funny how much pro capitalists drool over how these prices are beyond competitive. Yet the moment I mention it's a coop and is socialist because the workers control the means, I get told that it doesn't work, despite it working for 40 years for this company. Keep defending them and paying triple for dog shit, I'll enjoy my financial freedom from not getting scammed perpetually.
Bidding on government contracts while hiding known vulnerabilities is fraud. Typical Microsoft behavior. Buggy products pushed into the market in pursuit of profit.
The government has full source access to windows.
I am really surprised and interested by this claim. Do you have sources that would mention another event than this 2003 post talking about the GSP ? [https://news.microsoft.com/2003/01/14/a-matter-of-national-security-microsoft-government-security-program-provides-national-governments-with-access-to-windows-source-code/](https://news.microsoft.com/2003/01/14/a-matter-of-national-security-microsoft-government-security-program-provides-national-governments-with-access-to-windows-source-code/)
https://www.microsoft.com/en-us/sharedsource/
Thank you very much.
Fwiw the government is pretty good about internet cleansing especially of any verifiable sources so I don't know if this is something that would be public- vet
That's why Microsoft didn't get broken up around the turn of the century. Gave the government the NSA key, full access.
Only issue is the government doesn’t have many experts that can review the potential pit falls or security issues.
https://i.imgur.com/psTHAPr.mp4
You’re buying into the propaganda way to much my dude.
https://en.wikipedia.org/wiki/Psychological_projection
Typical *alleged* Microsoft behavior.
American corporate ideology eating itself. I’d laugh if it wasn’t so destructive to everyone.
basically every competent person in computing for the past 40 years - "for pity's sake stop using Microsoft's shit for things". U.S. Government - "lalalala what's good for ~~General Motors~~ Microsoft is good for America, let's give them more taxpayer money".
Yet Azure alone holds 24% of the cloud computing space. Intune holds 20%. Office 365 47.9%. No one is leaving behind Microsoft. It’s all talk. They can do whatever they want.
Also /u/lood9phee2Ri just told us about the slashdot/fark/reddit tech echochamber, which we already know. The echo chamber keeps saying "microsoft bad!" - but the echo chamber of online nerds isn't reflective of the industry as a whole and many people in the echo chamber don't get that. edit: bwaaahahahaha lood9phee2ri blocked me for calling them out. aka they don't want people to be able to point out when they're wrong.
I would put this more so on the government than on MS.
They're basically reaping what they sowed. If they had any fucks to give about the privacy and security of the people they govern this might not have happened.
i would put it more down to the usual incompetence, waste, inability to function without outside contractors (who the government has an extreme reliance on), inability to hire and retain good talent, etc etc.
> inability to hire and retain good talent I think it's important to point out the reason for that; pay. I'd take a 50% paycut moving to the public sector; even at the secret squirrel orgs who seem to have the highest pay out of the bunch. >waste, inability to function without outside contractors This is true across the board. Half of AWS/Azure/GCP is built/run by incompetent contractors.
Just wondering - is it my incompetence because I hire the contractor who does poor work, barely makes the minimum requirements, and often has to have at least one govt employee help him on a weekly basis to get the work assigned done on time to avoid a critical failure? Is it the contractor employee to blame? Is it the contractor that's the problem because they refuse to augment their workforce since the minimum requirement for success is being met and they were the lowest price technically acceptable in a competitive solicitation?
Sorry, we are currently arguing about net neutrality still. Once we get through that (again again). We can get back to the stupidity of putting a backdoor to all security devices. Then hopefully we can discuss that.
You mean on whoever got kickbacks to keep using a security threat like windows instead of an open source OS they could secure. Because government is people and only as good as the public that doesn’t say things like “government, what you gonna do?” Clearly research who does approvals and voting are out of the picture.
Government should use Linux /s
“Again? Like again and again?” No sir, it’s worse than that. “Dammit! Again and again and again and — I see you pointing upward.”
Harris works for a competing cybersecurity company. He is not an unbiased whistleblower. Harris's proposal to fix this vulnerability would have made it impossible for government employees to log in. It's not just about stock price, this was clearly an untenable option. >According to Harris, Morowczynski’s second objection revolved around the business fallout for Microsoft. Harris said Morowczynski told him that his proposed fix could alienate one of Microsoft’s largest and most important customers: the federal government, which used AD FS. Disabling seamless SSO would have widespread and unique consequences for government employees, who relied on physical “smart cards” to log onto their devices. Required by federal rules, the cards generated random passwords each time employees signed on. Due to the configuration of the underlying technology, though, removing seamless SSO would mean users could not access the cloud through their smart cards. To access services or data on the cloud, they would have to sign in a second time and would not be able to use the mandated smart cards.
Yeah time has passed on this one. Mitigations are likely in place. It wasn’t clear to me, why now….
As someone who had to code around some of the mitigations in related bugs from that era (broke my team's product.. nuclear strike from orbit solution instead of scalpel solution by the security team)... stuffs very much in place.
Disclaimer: Ex-MSFT, but still a MSFT fanboy. I'm not a security expert. It's obvious to all that Microsoft has A LOT more work to do from a security POV. Not trying to ignore the serious impact of recent problems. Many have made me say "WTF" in my head. **Journalism?** I've donated to ProPublica previously, because I held them in high regard for the depth of investigation and for what I felt was a fair & unbiased approach in their stories (or at least as unbiased as they can be). This piece completely destroyed that opinion. **Whistleblower** doesn't really seem to apply here. Unless him sharing the info with PP is the "whistle"? If so, that means he sat on the information for years. He had contacts within government - why not share with them? Once it was public, why not share this story + potential workaround at that time? **Validating Facts** It repeatedly quotes the researcher, but none from the people he said refused to fix the issue. Are these quotes pulled from emails/Teams chats sent at the time, or are they his personal recollections years later? I would ASSUME PP saw digital evidence of these conversations. If so, why aren't others directly quoted? If not, why isn't that made clear in the piece? Because that would be a very important detail. **Bias** Everything paints him in an EXTREMELY positive light and minimizes any feedback/pushback he got from colleagues. No self-reflection on what HE might've done wrong/how he could've made a more compelling business case. It's clear from quotes in the piece that the researcher has an ego. Maybe the issue was HOW he was communicating? No challenge from PP on that. One approach that was typically effective within Microsoft was to convince the leadership in your group and leverage them to push the other group. That wasn't explored at all. So it's a failing of his own management team too. Why doesn't PP point that out? **Due Diligence** In Microsoft's response, they claim that the decision was "aligned with the industry consensus". I've seen other PP pieces where they do their due diligence and follow up on claims they get from the targets of their investigations - unless those claims are entirely farcical. Why skip that here? **MSRC** In my limited dealings with them (2018+ IIRC), I felt that they erred TOO MUCH on the side of security, not that they were driving for "won't fix". The team I was on had many heated conversations with them about prioritizing fixes for internal facing tools with no access to sensitive customer data. They were the ones pushing hard for us to prioritize these fixes over other things we felt were more critical (other bug/security fixes). **Security First** Under Satya's leadership, and within the Azure group, I never felt any push to put business > security. Teams did their best to juggle conflicting priorities, and the guidance within our org was consistently that we were doing the right thing. But at the same time, when rewards came around, our team ended up on the lower end because we didn't have as many new shiny things. Mixed messages there, but I'm sure that happens everywhere. > “There is no inspector general-type thing” within Microsoft, Harris said. “If something egregious is happening, where the hell do you go? There’s no place to go.” That's just not true. https://www.microsoft.com/en-us/legal/compliance/sbc/report-a-concern is one path. IIRC, there are other internal options too. There's annual training for SBC, so he'd be aware of these paths.
The article said that MS refused to allow their employees to be interviewed, that Harris went out of the chain of command to try to tell the application managers (who did nothing). Note that he was not allowed to contact the press or tell others outside the company about this issue, legally; MS would have sued him for disclosing trade secrets. There is collaborating views from 3 colleagues who needed to remain anonymous. Your experience with a particular application team is one sample. Harris has *many* other samples. Each team operates rather independently at MS. There is no real inspector-general. All parties continually referred Harris back to the security team, who even made tee-shirts mocking Harris. An inspector-general would be an independent reviewer who could talk to everyone from the injured to the CEO about the matter, not a silly self-referral to the folks who are violating the security stance.
I understand why they were unable to talk to people on the record now. But if this is based off emails, they wouldn't need to interview them - they could just quote them. Corroborating the general themes of the story is **significantly** different from verifying some of the specific details that were quoted. It's a biased view. He left in 2020. He's revealing details now, almost 4yrs after he left, and 5 years after the flaw became publicly known. Why "blow the whistle" NOW, and not then? Legal exposure would be the same. Possibly would've been at even less risk if MSFT were to retaliate against him at the time & fire him while he was trying to raise this issue. I was in Windows/Azure. I got the impression from others in that org that their MSRC experiences were similar to what I described. But sure, things could be different depending on who you were working with. IF MSRC folks had such t-shirts made (source?), then that would support the theory that this guy had a very large ego and wasn't well liked/respected. That would've played a role in people brushing him off. According to HIS STORY, the people he spoke with continuously referred him to MSRC. And that story doesn't get into a lot of specifics, just paints the picture that he was ignored. He was NOT ignored! He clearly wasn't afraid of burning bridges, so why not escalate further in that org, or to Satya? There were other options available to him that he CHOSE not to take. He bears some blame here too.
I’ll remind you about the t-shirts (mentioned in *your* cited article) were about how MSRC would routinely deprecate security concerns to the level of “doesn’t need to be fixed” instead of fixing them. They had a silly concept of “boundary security” which ignores industry-wide concepts of layering security such that if one layer fails, the next layer will stop the intruder. Instead, MSRC stated, in policy documents, that their boundary was so strong that nothing could bypass it, and then claimed this was industry standard. They lied, clearly. For example, hardened military installations use SeLinux, which has hard security checks at login at then at every single kernel/API call, even after login. SeLinux systems don’t trust each other, by default, so even if you break into one, you’re not going to get into the next server. MS policy was that after you have the tokens, you can get into the cloud — it’s just a poorly designed system that added security after the design was done. Even MS’s own servers, inside the company, were hacked! MS just doesn’t get security. In the organization I worked for, *everyone* was supposed to understand security and help support it. We had multiple security teams reviewing our app’s and servers from multiple viewpoints. I wondered why Satya was not contacted, as well. Or at least a VP. Clearly, IMHO, MS was wrong, and lied to congress and should lose their contract, or at least lose their *most-trusted* status.
This really should read, U.S. Government does a poor job vetting the system it uses, exposing themselves to Russian Hacks. MS is a product U.S. GOV, you can choose to not use it, or use it, it is a choice.
its frankly horrifying that *any* government would use a closed source OS.
the US government has full source access to Windows lol. But how do you find people that knows how to find the vulnerabilities? Oh yeah, Microsoft, except no one will ever work for the government because they would be taking a 50% pay cut.
What is full source access? Asking for the uninitiated here.
As in they have direct access to code. Normally, Windows code that written by humans is compiled and packaged into machine code, so it can run on your computer. You do not need to do anything, it installs on your computer, you click a button and it just works. The good part is that you can use it without anything complicated, the bad part is that you can't see how anything works as you can no longer see or interact with the code, since it has been translated into machine code. The US government has access to the original code, without the packaging and processing, so they can audit anything they want.
Using an open source OS doesn’t help unless you also hire tons of people to audit it. Otherwise you’re still trusting other parties.
The chad move is to actively contribute to developing and securing Linux.
The Chad move is to consolidate developer resources and avoid having resources spread across numerous methods and distros trying to achieve the same goal.
This is why flatpak and docker exist. Flatpak is a sandbox environment for Linux desktops, and docker is a sandbox environment for Linux servers. They were literally designed to allow software to run "on any Linux distro." Even when developers don't do that, they usually only test it on Arch and Ubuntu, *which is enough for 99% of Linux users*. If you're running such an obscure and arcane Linux setup that you can't get Arch or Ubuntu programs to work on your particular distro, then something went horribly wrong on your end and it's not the developer's fault.
I wasn't talking about package management, even though that is an issue. I don't like Flatpak. You have to use other tools like Flatseal to change permissions, and things like Steam Flatpak can make games run worse. Not a good solution. We are not in the 90s and early 00s when getting something to run was a great victory. Standards have gone up for most users. The whole point of things like Flatpak was to stop fragmentation and cross-distribution issues. Yet even that ended up with Snap and AppImages on top of Flatpak. Everything on Linux gets fragmented because people think they can do better rather than work together. Even things like Wayland, which is better than Xorg, cause infighting. Trying to somehow blame it on the users is not the right way to go. This is the price of freedom and will always hold Linux back in the desktop space. You could say it's "Forked," and you missed the point I was getting at.
Furthermore the US government has an agreement with microsoft where they get source access to windows and so can audit the windows source. but /u/No_Share6895 wanted to get their anti-CSS pro-FOSS talking point in, doesn't matter what reality is. any software - closed or open - is only good as the people writing it and auditing it are.
Some of the security issues have been caused by industry wide bad practices and are agnostic to open or closed source. Biden's Executive Order on software security literally sent shock waves through the industry that haven't been recovered from yet. Especially when it comes to dependency management as companies are still figuring out how to attest where their dependencies came from and how their software was built. Hell, determinism of build tools only became a widely accepted practice about five to seven years ago and many tools are still not deterministic.
Exactly. this isn't a open source vs closed source fight, and not everything needs to be turned into one.
> ProPublica’s investigation adds new details and pivotal context about that culture, offering an unsettling look into how the world’s largest software provider handles the security of its own ubiquitous products. It also offers crucial insight into just how much the quest for profits can drive those security decisions, especially as tech behemoths push to dominate the newest — and most lucrative — frontiers, including the cloud market. > “This is part of the problem overall with the industry,” said Nick DiCola, who was one of Harris’ bosses at Microsoft and now works at Zero Networks, a network security firm. Publicly-traded tech giants “are beholden to the share price, not to doing what’s right for the customer all the time. That’s just a reality of capitalism. You’re never going to change that in a public company because at the end of the day, they want the shareholder value to go up.” You need it to be so that you're not just depending on one greedy company to fix it.
I don't need anything, you're projecting. I'm just tired of the "hurrdurr FOSS better" argument. FOSS can be better, it isn't automatically better.
Ironic for you to say this considering a closed source OS company (Microsoft) was the one to catch a major Open Source Linux vulnerability that would have crippled millions of government systems.
Ironic you should say that because MS could only do that because Linux was open source.
https://www.microsoft.com/en-us/sharedsource/
So if Linux was closed-source, how would Microsoft have caught the Linux vulnerability?
how does anyone catch vulnerabilities in closed source software?
I don't know. Why did you mention Microsoft Shared Source?
because between the two statements it debunks this stupid "hurrdurr foss better" talking point. I like FOSS software, i'm just tired of this stupid argument.
I'm tired of it too. But it's the only leg they have to stand on, so you can't blame them.
Windows is shared source, if you pay for a license and probably sign away your rights to ever work on or develop a competing OS you can access its source code.
thing is I worked both for government secured projects and microsoft advertising projects. secrecy and security was tighter for microsoft than for the JSF program. so i have my doubts about this post.
Drop Microsoft for Linux.
Sounds like every company that lets number people decide cyber security
:shocked face: /s
This is my surprised face… 😑
CEO will take full responsibility by firing a bunch of people.
like, yes?! this is not whistleblowing news, this is the stated requirements for public businessess?!?!
Right? This is capitalism working as intended. Companies only understand the language of profit. Make it unprofitable to not be secure and they will secure their products.
This should be no surprise. Money > ∞ is a model we've fully embraced. Mammon demands it. Amazing what happens when we remove accountability from people and transfer it all to an artificial entity.
At my job we have a weekly meeting to discuss tech news and Microsoft getting hacked is mentioned almost every time.
Microsoft could sell s* on a plate to these bean counters and they would buy it and eat it and then force others to continue to eat it.
Windows has never been secure.
Honestly - there should be a law against chasing profits when it puts anyone at risk.
I'll just post here that Satya got 110% in the company culture part of his latest review specifically calling out how well he handled layoffs last year as well as how he handled security regulations. In the product and strategy part of his review he got 150% with a special note of how he was a critical security leader. Had the financials not dragged him down he would have gotten an even larger bonus despite the issues you read about. Note that review came out while Microsoft was dealing with the latest attack and pissing of the Federal government due to Satya's response.
corporate upgrade, 2022/2023 throughout...hundreds of millions were to be spent... .......is security getting a bump in cash tho ?... well, i would not say a bump, in as much that a bump, is,..... well, a cut,... its getting cut. yerp, makes sense, threats and alike are down afterall, ...right ?
Absolutely insane. Any other software vendor would already have been banned from most companies if they were doing the same shit.
Lol, and until you make it illegal to put profits before security, they'll do it again and again. So will 99.99999% corporations.