This is in regards to the SUNBURST malware delivered via SolarWinds' Orion platform. I like the Qualys blog for a detailed technical analysis: https://blog.qualys.com/vulnerabilities-threat-research/2021/01/04/technical-deep-dive-into-solarwinds-breach
> The report triggered a House Homeland Security Committee hearing with Microsoft president Smith last month. Smith said the company was making security its top priority.

I've heard that one a few times from Microsoft over the years.
> But for reasons that experts say remain unclear, that never happened.

It's very clear why. Don't think for a second this is accidental; it's way, way too high profile for that.

It's damage control. Microsoft feels it's better for them to take the blame for not investing rather than exposing their awful or even sinister practices.

This is why "adverse inference" is a thing in court. If you destroy or refuse to produce evidence that the judge knows you have, the judge can rule based on what he thinks is in that evidence. That certainly won't be in your favour.
If only this ad-hoc government board had done its job, China and Russia, two globally projecting military powers with double digit billion dollar CNE budgets, would never have been able to exploit software vulnerabilities in readily-available off-the-shelf commercial software.
It's no surprise Microsoft and Boeing get special treatment and never face scrutiny for their foul-ups that get people killed and harm America's security because PR and profits come first.
Security is an afterthought even for the White House. The more layers of management and bureaucracy you add to a decision chain, the less likely it will turn into action.
Speaking of sweeping things under the rug, it's really interesting how quickly this fell off the first page of HN. There wasn't even time for the comments to turn emo before poof... gone. Been noticing a lot of this lately. Pointless and useless stories with almost no comments will linger on the first page for half a day or more, but stories that matter are getting moderated away before they even elicit two digits of comments.
> Smith said the company was making security its top priority.

This is an outright lie and everyone knows it.

Microsoft's actual top priority is growing market cap. More specifically, grow profitability relative to competitors in the sector, aka Apple, Meta etc...

If an increase in "security" (whatever that means) had a linear or directly positively correlated/causal relationship with profitability then they might actually do it.

However we all know that security does not increase profitability - it's a cost center from the corporate CFO perspective because literally nobody is tracking "how many contracts did we lose because we didn't actually implement the best security".

The reality is that almost all IT security is theater because the foundational architecture and design of access control, IDAM, network monitoring and alerting, data collection, data segregation etc... all have easily exploitable holes and you only need to break one to bust the whole thing usually. MSFT builds in these holes often intentionally for NATSEC customers, so "security" is just a political ruse.

That's why they play these games, because almost nobody believes in IT security that also allows for functional and helpful tools - and if they were honest then everyone would be horrified.

At least I've never met anyone (outside of spooks) that takes it as seriously as ACTUALLY the top priority - because that would mean you have to design your stack for it.
The obvious reason not to do the probe is because they were ordered by someone else they hold more dear not to do that, or it was expedient to protect someone they hold more dear -- any arrests yet?

The UK's Russia dossier seemed to get buried by the then PM Alexander Boris de Pfeffel Johnson. Does the USA have Putin collaborators in high places too?