I'm in cyber threat intelligence, not someone known or anything, but I've got a decent bit of experience in both building exploits and mitigating them through controls before starting to write about them. I actually created this account to comment on this, after lurking here forever.

It's possible to have both things be true at once. XZ shows that the FOSS ecosystem is uniquely vulnerable, and the Storm-0558 and Midnight Blizzard attacks show that cloud security and proprietary software "security through obscurity" is still as flawed as it has always been.

That said, I find significant deficiencies in yesterday's report. The panel of stakeholders that were consulted includes all of Microsoft's cloud competitors, a threat intelligence firm owned by one, and Palo Alto Networks - which has had significant breaches of its own. I don't like how Microsoft has enterprise environments by the short hairs on the Windows environment and leverages that to push its SaaS offerings (especially in security). I think it's ridiculous that the technical indicators for the initial compromise were paywalled behind logs that the US government had to pressure them to make open for everyone. That said, their threat landscape is not at all similar to PAN's and Google Cloud's. The entire federal government works on Microsoft's stack, especially for Office and Windows. State-sponsored hackers will dedicate more resources to compromising Microsoft than any of their peers. AWS has GovCloud, which is the next closest thing that an adversary may want, but the intelligence value of getting the Secretary of ___'s email vs. an S3 bucket or an EC2 instance isn't comparable.

It's clear from their blog posts and press releases that they themselves have no idea what caused the loss of the MSA key. The lack of logging to confirm their preferred theory is bad. Throwing it out as if they had evidence of it and then posting a silent update to their blog post last month admitting they had no clue is worse. The flaw in their IAM that allowed a key from 2016 to sign enterprise tokens is an oversight that a company with the trust Microsoft has shouldn't allow.

The CSRB could have made a great report on the above and let the facts speak for themselves. Instead, the pointed jabs at MSFT - especially during the Findings section, where they spend several pages showing Microsoft's failings and then follow with how their cloud platforms happen to do so much better - risk the effort landing as a smear campaign.