The submission title is editorialized (easy karma bait), the tweet doesn't say anything like that, not even mentioning xz or the word trust. And also it's an entirely different type of security incident.

You can make the first sentence of the tweet fit the HN submission word limit:

"CISA and review board torches Microsoft response about the 2023 compromise"
The CISA report is definitely worth a read and so is questioning Microsoft's security posture. Comparing the incident to the xz attack doesn't make a whole lot of sense though.
I'm in cyber threat intelligence, not someone known or anything, but I've got a decent bit of experience in both building exploits and mitigating them through controls before starting to write about them. I actually created this account to comment on this, after lurking here forever.

It's possible to have both things be true at once. XZ shows that the FOSS ecosystem is uniquely vulnerable, and the Storm-0558 and Midnight Blizzard attacks show that cloud security and proprietary software "security through obscurity" is still as flawed as it has always been.

That said, I find significant deficiencies in yesterday's report. The panel of stakeholders that were consulted includes all of Microsoft's cloud competitors, a threat intelligence firm owned by one, and Palo Alto Networks, which has had significant breaches of its own. I don't like how Microsoft has enterprise environments by the short hairs on the Windows environment and leverages that to push its SaaS offerings (especially in security). I think it's ridiculous that the technical indicators for the initial compromise were paywalled behind logs that the US government had to pressure them to make open for everyone. That said, their threat landscape is not at all similar to PAN's and Google Cloud's. The entire federal government works on Microsoft's stack, especially for Office and Windows. State-sponsored hackers will dedicate more resources to compromising Microsoft than any of their peers. AWS has GovCloud, which is the next closest thing that an adversary may want, but the intelligence value of getting the Secretary of ___'s email vs. an S3 bucket or an EC2 instance isn't comparable.

It's clear from their blog posts and press releases that they themselves have no idea what caused the loss of the MSA key. The lack of logging to confirm their preferred theory is bad. Throwing it out as if they had evidence of it and then posting a silent update to their blog post last month admitting they had no clue is worse. The flaw in their IAM that allowed a key from 2016 to sign enterprise tokens is an oversight that a company with the trust Microsoft has shouldn't allow.

The CSRB could have made a great report on the above and let the facts speak for themselves. Instead, the pointed jabs at MSFT, especially in the Findings section where they spend several pages showing Microsoft's failings and then follow with how their cloud platforms happen to do so much better, risk the effort landing as a smear campaign.
Either Stallman-esque principles will need to be implored for products in commerce with very heavy profit-killing taxes on non-compliance, or we'll need to start requiring PEs and liability bonds/insurance, etc.

Downvote me all you want, but take your pick: either be Stallman-esque in openness of design and intent (but not distribution) at risk of a heavy end-product sales tax, or your product must be signed off by a software PE in order for you to legally charge money in any way for it or its use (or even pester for donations). Trust me, fall on the Stallman sword, it's smaller.

See post history for a better write-up of what I mean by proprietary-tax and the national security threats of not being able to understand and replace all your firmwares.
Sure, the response can be excoriating, but the US government isn't giving up on Microsoft shit.

The USG is Linux-hostile, with exceptions like the NSA doing SELinux, Ghidra, and other toolchains.

Linux would be the absolute best, along with things like OpenOffice and other FLOSS tools. The difference is to take the money you pay to MS and redirect it to FLOSS devs.

But, that'll never happen.