Microsoft Signing Key Stolen by Chinese

79 points by DemiGuru, almost 2 years ago

7 comments

h2odragon, almost 2 years ago
Wise person once said: "Trust is the necessary precondition for betrayal."

Big organizations like Microsoft cannot be more secure than one individual's systems; someone runs their servers and they wear pants and make mistakes, just like we do.

What the big shop *can* do is cover up their mistakes and confuse responsibility once they're made. As well as providing an easy one stop shop for bad actors with things like GitHub ("subvert the world's infrastructure all at once!").

jhoelzel, almost 2 years ago
It's almost like centralizing software to major clouds is not such a good idea after all ;)

Governments should own their own datacenters and access should be highly regulated.

If you can spend billions on military projects that go nowhere, you should be able to spend a couple of million on people that create a networking structure for you that is based on RBAC, that is not owned by somebody else

svaha1728, almost 2 years ago
Microsoft really needs to split like Google and Alphabet. Having the top leadership rush full on into AI and Low Code / No Code solutions is counter to running a successful cloud business.

tempnow987, almost 2 years ago
I don't understand how they extracted the key from the HSM. How is this even possible - the vendor of the HSM should be named!

jsnell, almost 2 years ago
Previous discussions below. Schneier's claim that this is related to SolarWinds is new AFAIK, but also seems like it's entirely speculation?

https://news.ycombinator.com/item?id=36740133
https://news.ycombinator.com/item?id=36770235
https://news.ycombinator.com/item?id=36823007
https://news.ycombinator.com/item?id=36979532
https://news.ycombinator.com/item?id=36731731

rickstanley, almost 2 years ago
I don't understand, is this a breach in MS Azure accounts or personal accounts or both? I mean, I use Authenticator to log in from my phone and I have disabled the password as a way to log in; am I also a potential victim of this attack?

freedude, almost 2 years ago
Senator Wyden thinks that the SolarWinds breach could have provided valuable insight to prevent incidents like this one.

"On May 12, 2021, President Biden issued Executive Order 14028, which among other things, created a Cyber Safety Review Board, whose first task would be to study the SolarWinds incident. That review never took place — the Board was subsequently directed by the Department of Homeland Security to study another hacking incident. I have repeatedly pushed CISA and DHS to direct the Board to study the SolarWinds incident, but have been rebuffed. Had that review taken place, it is quite likely that Microsoft’s poor data security practices around encryption keys would have come to light, and this most recent incident might have been averted."

[PDF] https://www.documentcloud.org/documents/23888590-wyden_letter_to_cisa-doj-ftc_re_2023_microsoft_breach