Microsoft comes under blistering criticism for “grossly irresponsible” security

299 points, by WalterSobchak, almost 2 years ago

17 comments

insanitybit, almost 2 years ago

TBH the issues that I've seen with Azure are pretty shocking. Like "I don't believe anyone did a basic pentest against that system even once" levels of shocking. That's insane for a company the size of Microsoft.

These vulns are cross-tenancy violations, which, again, is insane. That's as bad as it gets for the cloud.

> This incident demonstrates the evolving challenges of cybersecurity in the face of sophisticated attacks.

The insane thing is that some of these vulns are as easy to discover as just running nmap. I'm sort of shocked that people haven't run into them accidentally. Hardly sophisticated.

I'm not trusting Azure with shit.
cookiengineer, almost 2 years ago

Honestly I don't understand how any company can rely on Microsoft for security, and how they can get away with blaming their customers so often.

You can literally kerberoast Azure AD by default, and that's a known-to-be-used-in-the-wild attack vector since 2014. In a cloud service. Today.

Spammers literally rent Azure VMs because they know that the IP range of Azure is not processed by Outlook's/Exchange's email filters.

So often researchers did the right thing and disclosed everything correctly just to get Microsoft to say "oh yeah here is another RCE, but we don't give a damn. Oh, and there is no patch either."

It's just so ridiculous.

There are even unfixed RCEs of VBA from the Office 2013 days which still work, because the mentality of never touch running software crept into how Office is built (which is: have a literal copy of all outdated Office versions for the sake of compatibility).

And then people wonder why "hackers" always say that Microsoft is insecure and why ISO27001 is now a Google dork to find easy-to-hack victims.
m463, almost 2 years ago

Hasn't Microsoft been villainized for poor security since Windows first launched?

I think this is because of their business model, which is to respond quickly to the market with features, not stability, security or polish.

That said, their intrusive data collection is a nightmare.
whalesalad, almost 2 years ago

I can't imagine choosing Azure and the Microsoft stack for building systems. It's incomprehensible to me.
Animats, almost 2 years ago

Amit Yoran, right again. He was once head of computer security for Homeland Security, and became unpopular for pointing out that Microsoft was the problem.
ChatGTP, almost 2 years ago

Honestly, no one really cares... people will just continue to consume their products as usual.

So long as Microsoft has something interesting to offer consumers and businesses, security will be the last thing people care about.

Microsoft has had absolutely terrible security since I've had a computer and it's been heavily criticized the whole time. None of this has stopped their meteoric rise to extreme profitability.
nerdjon, almost 2 years ago

Something that bothers me a bit more about this: I feel like I have not really heard about many of these issues, while thinking that I have been doing a decent job of staying on top of things like this by paying attention to Hacker News. Do Azure things just not filter up as much as I would expect, or did I just happen to miss them?

It isn't like Azure is just ignored in the industry; time and time again I see it billed as the "non-Amazon AWS" for companies that don't want to support AWS due to Amazon.

I feel like I hear more about GCloud issues than I do Azure issues, which is concerning given how little GCloud is used even compared to Azure.
Eisenstein, almost 2 years ago

> The senator went on to pin blame on Microsoft for the recent mass breach of the Departments of State and Commerce and the other Azure customers. Specific failings, Wyden said, included Microsoft having "a single skeleton key that, when inevitably stolen, could be used to forge access to different customers' private communications."

> "Microsoft's engineers should never have deployed systems that violated such basic cybersecurity principles"

I hope someone quotes this line back when they inevitably introduce 'we want a backdoor to encryption' legislation.
OhMeadhbh, almost 2 years ago

Many years ago in 2003(?) I interviewed for the role of Security Architect for the Office group (the guys who made Excel, Word, PowerPoint and (I think) Access.) My resume was reasonably good: I had spent the early 90s doing cryptography at Nortel, RSA (back when they were an engineering company) and Certicom. But I was a software engineer and in the late 90s doing Security Architecture for IBM and "several government agencies you might have heard of." I was REALLY ready to leave DHS at the time so was kind of motivated to bring what I learned about writing secure software to industry.

About this time there was a "security stand-down" going down at MSFT in part because several federal customers LITERALLY had to solicit an ACT OF CONGRESS in order to continue to use Win2K (or an early version of XP) with all its known security flaws. Do not ask me about the version of Win2K in nuclear submarines. (Really. Don't ask me. That was someone else's project. I really don't know anything about it other than the rumors that were swirling around BlackHat.)

So here I am, coming in as some guy who's hip to secure software development and tools and how to convince devs to do the right thing re: security even though they're under a deadline. My third interview of the day was this guy who supposedly wrote Excel and was the "third highest ranking coder in all of MSFT" (not Simonyi, I would have recognized him.) And his first question was "So... how's your QA skills?" This isn't what I'm thinking I'm interviewing for, so I say "Pardon?" and he replies...

"This security thing is bullshit. Bill's going to eventually realize it's bullshit and in a couple months we'll go back to writing software the same way we used to. So I'm going to have to find a job for you and I'm thinking QA; that's the same thing as security."

I did not get that job.

I believe Michael Howard or Dave LeBlanc got it. They went on to write a pretty decent book about secure product development and if you're a Microsoft shop and have heard of the Secure Development Lifecycle, it's largely because of Michael and Dave.

(Don't worry, I was fine. I went on to work at Handspring and PalmSource and a bunch of enterprisey dev shops that were hip to the idea of developing secure code. And my life was probably filled with fewer headaches than anyone at MSFT.)

But... I remembered that interaction. Microsoft keeps saying "oh yeah! we're big on security!" And in many ways they are. MSVC (or DevStudio or .NET whizbang or whatever they call it now) has several very cool fuzzing and analysis tools. I've heard the Azure group is better about security than they were, though that's rather a low bar. I feel for them since they have a metric boat-load of legacy code and a development methodology that sort of guarantees failure.

They are also the strangest and most conceited group of developers I've met (with the possible exception of Amazon or Facebook or Netflix.) Come to think of it... what the heck is it about these FAANG companies? I bet I'm just meeting the duds. There have GOT to be decent developers in there somewhere.

They're all HUGE dev organizations and I appreciate how difficult it is to get that many developers pointing in the same direction at the same time. But at the end of the day, MSFT has a culture that really doesn't care about security. Or at least that's my take on it. I'm sure there are plenty of places in Redmond where people care about writing code that isn't buggy or vulnerable. But it's 20 years later and it still hasn't spread far enough.

So it goes.
1vuio0pswjnm7, almost 2 years ago

https://traffic.megaphone.fm/RFEI6083180368.mp3?updated=1690839584

Listening to the cybersecurity person interviewed here play down the significance, one is left to possibly believe cybersecurity folks rely on Microsoft to keep them employed.

According to this podcast, the only reason the government discovered this breach is because they were paying Microsoft for the "privilege" to see who was accessing their email. Most customers were not paying and thus would never have discovered similar unwanted access.

If charging for this transparency is a "business model", as the podcast suggests, and there were only a relatively small number of "customers", it really makes one wonder. How much money were they making from this "business model"?
falsandtru, almost 2 years ago

> He also faulted Microsoft for waiting five years to refresh the signing key abused in the attacks

Too long.
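Eisenstein's quoted point (one signing key that, once stolen, forges access across customers) and falsandtru's point (that key going five years without rotation) both come down to two controls a token validator can enforce on its own side: bind each signing key to exactly one issuer/tenant, and refuse keys that are past their rotation deadline, regardless of whether the signature checks out. The block below is an added example written for this thread; it is not code from the original page nor from any Microsoft or Azure component. It uses an HMAC-signed compact token in place of a real asymmetric signing key purely so that it runs on the Python standard library, and the key registry, tenant issuer URLs, rotation policy and fixed clock are all constructed values.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

# Constructed policy: a signing key older than this is refused even if its signature is valid.
MAX_KEY_AGE = timedelta(days=365)

# Constructed "current time" so the example is deterministic.
NOW = datetime(2023, 8, 3, tzinfo=timezone.utc)


@dataclass
class SigningKey:
    kid: str
    secret: bytes        # HMAC secret standing in for an asymmetric signing key (simplification)
    issuer: str          # the single issuer (tenant) this key is authorised to sign for
    created: datetime
    revoked: bool = False


TENANT_A = "https://login.example/tenantA"   # constructed issuer URLs
TENANT_B = "https://login.example/tenantB"

# Constructed registry: one current key per tenant, plus a five-year-old key for tenant A.
KEYS: Dict[str, SigningKey] = {
    "k-tenantA-2023": SigningKey("k-tenantA-2023", b"A" * 32, TENANT_A, NOW - timedelta(days=30)),
    "k-tenantB-2023": SigningKey("k-tenantB-2023", b"B" * 32, TENANT_B, NOW - timedelta(days=30)),
    "k-tenantA-2018": SigningKey("k-tenantA-2018", b"C" * 32, TENANT_A, NOW - timedelta(days=5 * 365)),
}


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj: dict) -> str:
    """Canonical JSON, base64url-encoded, as one segment of the compact token."""
    return b64(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def make_claims(issuer: str, subject: str, ttl_seconds: int = 3600) -> dict:
    """Build a claim set whose expiry is relative to the constructed clock."""
    return {"iss": issuer, "sub": subject, "exp": int(NOW.timestamp()) + ttl_seconds}


def sign_token(key: SigningKey, claims: dict) -> str:
    """Mint a compact JWS-style token (header.payload.signature) with the given key."""
    signing_input = encode_segment({"alg": "HS256", "kid": key.kid}) + "." + encode_segment(claims)
    sig = hmac.new(key.secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64(sig)


def verify_token(token: str, expected_issuer: str, now: datetime = NOW) -> Tuple[bool, str]:
    """Validate a token for a relying party that only accepts tokens from expected_issuer.

    Key checks run before the signature check: the key must be known, not revoked, inside
    its rotation window, and authorised for exactly the issuer the relying party expects.
    A valid signature from a key scoped to another tenant is therefore rejected, not honoured.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(unb64(h))
        claims = json.loads(unb64(p))
        sig = unb64(s)
    except (ValueError, json.JSONDecodeError):
        return False, "malformed"

    key = KEYS.get(str(header.get("kid", "")))
    if key is None:
        return False, "unknown kid"
    if key.revoked:
        return False, "key revoked"
    if now - key.created > MAX_KEY_AGE:
        return False, "key past rotation deadline"
    if key.issuer != expected_issuer or claims.get("iss") != expected_issuer:
        return False, "key not authorised for this issuer"

    expected = hmac.new(key.secret, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now.timestamp():
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    claims = make_claims(TENANT_A, "user@tenantA")
    for kid in ("k-tenantA-2023", "k-tenantB-2023", "k-tenantA-2018"):
        print(kid, verify_token(sign_token(KEYS[kid], claims), TENANT_A))
```

The ordering matters: the key-scope and key-age checks come before the signature is even computed, so a stolen or stale key buys nothing outside the one issuer it was registered for, and a five-year-old key fails closed on the relying-party side whether or not the issuer ever got round to retiring it.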
warrenm, almost 2 years ago

Wonder how this headline and article jives with Azure achieving FedRAMP statuses, DoD IL5, and other security certifications?

If Azure is as bad as this article makes them sound, does that mean most major security certifications are also as pointless as they look from the outside? Like the pointless ISO 9001 certification, which only states "we have a process; here's the process; we follow the process; we don't deviate from the process"?
johnea, almost 2 years ago

Nice to see the legislators catching up to decades-old news:

https://www.pressenterprise.com/2015/06/10/cartoons-broken-windows-and-us-cybersecurity/
jquast, almost 2 years ago

How much of Azure infrastructure is managed by Windows? Are they using their own operating systems, hardware devices, drivers, firmware blobs and tools, or are they struggling like everyone else to glue all that FOSS together securely?
1attice, almost 2 years ago

Good.

I can't talk about what I saw while working there, but let's just say that I have a nervous tic when someone tells me "we have a team for security so you need not worry" and "when can you have it done by?"
jrm4, almost 2 years ago

Well that's about 20 years late, but okay :)
excalibur, almost 2 years ago

Noticed that, did you?