- cross-posted to:
- technology@lemmy.world
- cross-posted to:
- technology@lemmy.world
The aftermath to the recent Microsoft Azure hack by suspected PRC actors.
What is the solution to this? Make sure cloud services are open source so they can be independently vetted? If government and corporate entities chose to use open source solutions, most are presented “as is” with no warranty.
Funny how on the consumer side, they keep pushing TPMs and other intrusive technologies under the guise of security, and they can’t even keep their shit together on the business end long enough for people to actually believe them.
Edit: Typo
It really is ridiculous at this point. Just a few weeks back they renamed one of their products on the backend (for no good reason) and broke a ton of stuff with no recourse besides “fix it yourself”. Pile on the endless updates and constant vulnerabilities and I don’t see how anyone can willingly choose to build new projects on it. They can’t even ship a usable replacement to win32!
On second thought though, pretty much every recent super-scalable cloud enterprise project of note is not Windows-centric anymore. Docker? Redis? Grafana? Kubes? The list goes on.
Security theater. Like always.
I gotta stand up for my boy TPM. I manage a lot of Windows systems, and TPM does a lot of heavy lifting. I’m an open source advocate, but I recognize that without TPM, most users wouldn’t bother with encrypting their device.
And since Microsoft has strongly integrated it in their stack, it significantly reduces the need for regular signins and user focused security. Of course, this does require you to invest in their stack. There’s little to no support for machine level authentication for Linux. But in business, it really does make a practical and useful difference in security.
Oh yeah. Of course old tpm (1.2) that was the only key to the Castle isn’t great in the hand of someone with some know how and alligator clips since it communicated in clear text at the bus level so key extraction was possible. But for most folks security model, who cares. If it was a risk the business handled it with a pass phrase and tpm.
Apple does security prettt well and integrated too. Especially for most that don’t care.
Recently I was doing some Azure integration work, with OAuth, Teams and Outlook. At one point I noticed that logging in with a MS account causes my browser to do ~10 redirects between different services while downloading over 30 MB of Javascript and thought “Huh, this looks like decades of technical debt. Either MS devs are waaay smarter than me or this is a pile of garbage”. I guess both could be true.
They have no choice but to be smarter than us on account of the pile of garbage they’ve been given.
Or they simply hope, that the pile of garbage is smarter than the attackers.
I’ve done some contracts there and yeah, while they are incredibly smart, there’s so much bloated corpo overhead that they are restricted by red tape. I’m not surprised a simple login takes 30 redirects at all.
All their services are like that! Redirects for days. It’s an absolute gong show believe me. It’s way worse than the public knows.
deleted by creator
Vendor lock-in. Accessibility to many tools for “non-technical” users. Groupthink. Bundles and anti-interoperability (see vendor lock-in). Fright of open source. Non-technical executives who trust the wrong people. That’s just off the top of my head.
Money and the fact that C-suite still has no f*%! clue about technology. They can tweet now. yay.
“This incident demonstrates the evolving challenges of cybersecurity in the face of sophisticated attacks. We continue to work directly with government agencies on this issue, and maintain our commitment to continue sharing information at Microsoft Threat Intelligence blog."
Translation: Fixing bugs cost way to much more money than just leaving them in, so in order to save the profits, we just wait them out. If the shit hits the fan, we can still start looking into the issue and maybe get some PR coverage to distract the public.
But we still happily support government agencies to exploit the barndoor-sized holes in our software for whatever nefarious reasons they have because they pay us for that.
This is the best summary I could come up with:
Responding to Wyden’s letter last week, Microsoft brushed off the criticisms, saying: “This incident demonstrates the evolving challenges of cybersecurity in the face of sophisticated attacks.
Tenable is discussing the issue in only general terms to prevent malicious hackers from learning how to actively exploit it in the wild.
It is for this reason that we are withholding all technical details.” While Yoran’s post and Tenable’s disclosure avoid the word vulnerability, the email said the term is accurate.
The post came on the same day that security firm Sygnia disclosed a set of what it called “vectors” that could be leveraged following a successful breach of an Azure AD Connect account.
“The default configuration exposes clients to the described vectors only if privileged access was gained to the AD Connect server,” Ilia Rabinovich, director of adversarial tactics at Sygnia, wrote in an email.
I’m a bot and I’m open source!
Why businesses continue to trust Microsoft I’ll never quite understand. The number of breaches Microsoft has had overall the last 5 years is amazing. Compare that to what I believe is the ZERO breaches Google has had in the same time frame. Not that Google is to be trusted, but if anything of magnitude would have happened there it would have certainly leaked by now.
Cloud at this point is very hard to ignore. Internal IT team sizes shrinking, it’s becoming harder running all of those business needs internally. Businesses will learn the hard way when they continue to put their trust in the cloud, especially Microsoft’s. Some facets of IT are just too much work to bother with keep hosting internally. Exchange is a steaming pile of garbage. I managed it for years, so I can see why people cloud their email. Which I’m all for, because email is just a bitch to run in general. But use Gmail or something else. It’s a night and day difference. I’m dreading the day my company decides that Microsoft is the better deal just because Office needs updating. Instead of keeping the status quo, spend the money training employees on alternatives and run as far as you can from Microsoft’s hold.
Microsoft makes a lot of good products but keeping them secure is an after thought.
Compare that to what I believe is the ZERO breaches Google has had in the same time frame.
From earlier this month: Google Cloud Build bug lets hackers launch supply chain attacks
A critical design flaw in the Google Cloud Build service discovered by cloud security firm Orca Security can let attackers escalate privileges, providing them with almost nearly-full and unauthorized access to Google Artifact Registry code repositories.
Dubbed Bad.Build, this flaw could enable the threat actors to impersonate the service account for the Google Cloud Build managed continuous integration and delivery (CI/CD) service to run API calls against the artifact registry and take control over application images.
As to why don’t you hear about more GCP flaws? I refer you to this uncomfortable truth: https://twitter.com/QuinnyPig/status/1173394437298196480
“What does AWS have that GCP doesn’t?”
“A meaningful customer base?”I forgot about the build bug. Ghost token I was unaware of. Ok so two? And ghost token required users to have had a allowed the malicious app in question.
Meaningful customers is an opinion. I can list a bunch.
That was one tweet in a tweet thread from a… guy who is a bit of a character and does stuff with AWS. He pokes a fair bit of fun at Amazon and others in the cloud.
The thread reader rollup of it is https://threadreaderapp.com/thread/1173367909369802752.html which is an amusing read by itself.
My favorite is still:
“Why use AWS instead of IBM Cloud?”
“IBM has a cloud?!”
“I’m as puzzled as you, I’m just reading off the notecard here.”The best part of that is when you find out that IBM’s on prem cloud is called “IBM Cloud Private”.
https://www.ibm.com/docs/en/cloud-private/3.1.1?topic=started-cloud-private-overview
And then, when the sales teams talk about it, IBM Cloud Private is too long to say again and again… so they start calling it by its abbreviations… not IBMCP but rather ICP… and you start picturing the sales team wearing clown makeup. And when they talk about Machine Learning you share Using AI to Find Where Clowns End and Juggalos Begin with the devops guy sitting next to you and get some muffled chuckles.
Not that those events have ever happened… or would be admitted to.
Why businesses continue to trust Microsoft I’ll never quite understand.
Technological debt and an easy path to hybrid environments.
I’m in favour of that regulation solely due to how much it would piss off Apple.
Beyond that, anyone who engages these services gets what they fucking deserve. Governments should be required to only use open-source software and host their own servers, everyone else is free to make stupid decisions.
Governments should be required to only use open-source software and host their own servers
As a citizen, I appreciate this sentiment. As a government employee, it’s misguided at best.
Governments compete with the private sector for skilled IT labor, but the take-home compensation for government jobs often doesn’t compare to private, and even retirement contributions and other benefits aren’t much better, leaving fewer and less skilled applicants to government jobs, since they don’t want to take a pay cut. This leads to a situation where employees that are hired to government don’t have the basic skills to maintain servers or host their own systems. Open source is seen as a naughty word, because if the person maintaining an open-source system leaves, finding a qualified replacement will be near impossible. Often times, contractors run complex platforms because the internal talent just isn’t present within the government’s staff. This leaves governments to rely on the most common tooling, which is unfortunately Microsoft/Adobe/Oracle/SAP dominated, in order to have hope of finding candidates capable of maintaining existing systems and expanding new features/tools. The public doesn’t have any desire to increase taxes in order to pay for a more skilled public sector workforce, so we’re stuck in this Microsoft and crappy closed source dominated environment. It really sucks to live with on a daily basis, because I know there’s so much great OSS out there, but the people surrounding me are completely incapable of getting it running and keeping it running.