Scathing Federal Report Rips Microsoft For Shoddy Security (apnews.com) 81
quonset shares a report: In a scathing indictment of Microsoft corporate security and transparency, a Biden administration-appointed review board issued a report Tuesday saying "a cascade of errors" by the tech giant let state-backed Chinese cyber operators break into email accounts of senior U.S. officials including Commerce Secretary Gina Raimondo.
The Cyber Safety Review Board, created in 2021 by executive order, describes shoddy cybersecurity practices, a lax corporate culture and a lack of sincerity about the company's knowledge of the targeted breach, which affected multiple U.S. agencies that deal with China. It concluded that "Microsoft's security culture was inadequate and requires an overhaul" given the company's ubiquity and critical role in the global technology ecosystem. Microsoft products "underpin essential services that support national security, the foundations of our economy, and public health and safety."
The panel said the intrusion, discovered in June by the State Department and dating to May "was preventable and should never have occurred," blaming its success on "a cascade of avoidable errors." What's more, the board said, Microsoft still doesn't know how the hackers got in. [...] It said Microsoft's CEO and board should institute "rapid cultural change" including publicly sharing "a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products."
Re: (Score:2)
This.
POISONNUT needs these to auto-hack configs from network devices per the Snowden leaks.
Re: Bad MSFT security, blame the US govt (Score:2)
Historically, the NSA has a dual mandate: secure the nation, and hack other nations. These are at cross purposes to one another. They make assessments based on impact.
If you don't think we should keep zero days private, then you just want Russia and China to run the Internet and steal everyone's bank account details. Because if we have no retaliatory strikes, there's nothing to stop advanced nations from running their entire economy on Internet fraud. North Korea is already experimenting with such things.
Re: Bad MSFT security, blame the US govt (Score:3)
And you're the type of anarchist who will be the first against the wall when shit hits the fan. You can't protect yourself.
It's Microsoft (Score:5, Insightful)
All products have some security issues, but Microsoft beats them all.
And don't think that a mere presidential order is going to get them to change their culture. Well, maybe if the US marines were to invade Redmond...
Re: (Score:1)
> Well, maybe if the US marines were to invade Redmond...
How would they make anything better? They would shoot all the people and equipment that was in the building, but the algorithm that has been running Microsoft for the last 20 years would survive.
You can't shoot math.
The marines would try tho.
Microsoft is the largest cybersecurity vendor (Score:5, Interesting)
Meanwhile, Microsoft is the world's largest cybersecurity vendor.
Microsoft currently earns $20B / year in cybersecurity revenue, more than any other standalone security company.
Ironically, they also build the products that people are paying them to secure.
Re:Microsoft is the largest cybersecurity vendor (Score:5, Interesting)
> Meanwhile, Microsoft is the world's largest cybersecurity vendor.
> Microsoft currently earns $20B / year in cybersecurity revenue, more than any other standalone security company.
> Ironically, they also build the products that people are paying them to secure.
Exactly - it's quite the plan. Produce less than secure software, then require the purchasers to spend more money to "secure" it. But always another security hole to patch, and invoices to be produced.
Re: (Score:3)
Yeah, but why do the buyers keep buying this crap? What will it take for someone to wise up and change to something more manageable and more secure?
Re: Microsoft is the largest cybersecurity vendor (Score:2)
It's just inertia. Too many others use it to just ignore it.
Re: (Score:2)
> It's just inertia. Too many others use it to just ignore it.
It's a bit like how VHS was the standard consumer videotape format. Also was pretty much the worst quality.
Re: (Score:2)
> Yeah, but why do the buyers keep buying this crap? What will it take for someone to wise up and change to something more manageable and more secure?
You can't if you have any sort of people involved in the decision making process that are popularity contest style thinkers. "But everybody else does it" is pretty much the only reason they need. It was a sad day when our all Linux network was converted to Windows, but also the day I gave up on having any control on the network itself.
If the cure is risking not being one of the crowd? Nobody wants the cure.
Re: (Score:2)
> But always another security hole to patch...
And there always will be. You imply that Microsoft is intentionally leaving security flaws in their software and extorting people for additional security.
Software development does not work like that.
Computer security does not work like that either.
A good piece of computer security rests in poking you until you update your own software to fix known issues. And most institutions do need that poking.
Re: (Score:2)
> But always another security hole to patch...
And there always will be. You imply that Microsoft is intentionally leaving security flaws in their software and extorting people for additional security.
Software development does not work like that.
Are you done with the assumptions of what I "imply"? The software is not very good. It just isn't. People who only use the Office suite are loving it, I suppose, but outside of that narrow use case, it is not very good. It does a good job of breaking on updates, especially for some aspects like audio, and it breaks during the update process even before installation of the updates that you have almost no control over - I've had Enterprise do a BOHICA update on me at the most inopportune moments.
So is it
Re: (Score:2)
> Exactly - it's quite the plan.
I think that's stretching things a bit. I really doubt that anyone proposed "Let's make insecure software so we can sell services to secure it!".
Rather, they made insecure software because they didn't care enough about security to do it properly, then someone noticed that this had created an exploitable business opportunity.
Re: (Score:2)
> Exactly - it's quite the plan.
> I think that's stretching things a bit. I really doubt that anyone proposed "Let's make insecure software so we can sell services to secure it!".
> Rather, they made insecure software because they didn't care enough about security to do it properly, then someone noticed that this had created an exploitable business opportunity.
I agree with you - perhaps I shouldn't have used the word "plan". They didn't plan anything, but they surely made a lot of money off their incompetence. All it took was the inertia, and the suits believing that most popular = Best.
Re: (Score:2)
Re: Microsoft is the largest cybersecurity vendor (Score:2)
Re: (Score:2)
Nobody ever got fired for buying a Microsoft product. Quiet part out loud: Because it's so crap that you get crazy billable hours for it.
And it is a real job security thing as well. I like to note that the last place I worked for had an entire division that tried to keep the Windows machines running. I wasn't even an IT guy, but I got roped into supporting the Macs. There weren't as many Macs of course, but there were many more computers per support person for the Macs. And I wasn't busy supporting them; they didn't need it.
I was pretty good at pissing off the people who claimed that Macs were so expensive when I asked if the millions we
Re: Microsoft is the largest cybersecurity vendor (Score:2)
Re: (Score:2)
Yep. And Microsoft is unfixable. I mean, after 50 years in the business, they cannot even get OS updates right. How can you expect them to get something far more complex than IT security right. The simple fact is that either we let shoddy practices continue or MS needs to die, no alternative.
Re: (Score:2)
> they cannot even get OS updates right.
Which OS update did they fumble? ... as opposed to not patching something that they couldn't validate before the monthly Patch Day release? (Or alternately the Emergency Patch Release window?)
While I have my own complaints about their OS updates, it's because they've used them for pushing features as well as security, and some of those features were user-hostile. (Windows Genuine Advantage, anyone?)
Re: (Score:2)
> > they cannot even get OS updates right.
> Which OS update did they fumble? ... as opposed to not patching something that they couldn't validate before the monthly Patch Day release? (Or alternately the Emergency Patch Release window?)
> While I have my own complaints about their OS updates, it's because they've used them for pushing features as well as security, and some of those features were user-hostile. (Windows Genuine Advantage, anyone?)
As a person who uses a lot of audio, just about every update causes problems. The audio quits working in the middle of downloading the updates. Pretty strange.
It would do weird things like rename all the audio drivers (like 30 of them) to a different name - it took the first one it finds, and names all the others the same, and appends a number on them. So the software stops working, and you have to go in and manually rename the drivers, then set up the software again.
It nuked a number of my systems when
Re: (Score:2)
Had I points for it, I would upvote you.
A reply which is informative, relevant to the post it is replying to, and non-confrontational. I appreciate replies such as this.
Hail, friend, and thank you.
Re: (Score:2)
> Had I points for it, I would upvote you.
> A reply which is informative, relevant to the post it is replying to, and non-confrontational. I appreciate replies such as this.
> Hail, friend, and thank you.
Thank you! And even after I gave those experiences, I just found that some software for a software-defined radio requires a .dll file - a standard thing in Windows - and the .dll file has been deprecated in Windows 10 and 11. The .dll is required to calibrate the Si570 chip in the radio.
I might have to dig up a Windows 7 computer; in the meantime, I'm experimenting with some Python software to see if I can get it to work.
Re: (Score:2)
No, but it might cause Trump to release a statement that he knows more about computer security than anyone else in history, and that Microsoft's security is the best of the best, or at least it was the best until Biden took over and ruined it with his Marxist politics. And MICROSOFT DID NOTHING WRONG! Biden's review board is just another leftist WITCH HUNT! It's terrible what they're doing! ELECTION INTERFERENCE and this is why Linux and MacOS have such poor ratings.
BSD is dying.
Good point.
My 0.02 (Score:5, Insightful)
Re: (Score:2)
Ah, yes, because somehow the guv'min is clearly much better and competent than... than... well, anything, really. In any area of your choosing. /sarcasm^2
Re: (Score:2)
> Ah, yes, because somehow the guv'min is clearly much better and competent than... than... well, anything, really. In any area of your choosing. /sarcasm^2
Trust me, I've got no great love for government operations, either. To put an even greater point of concern with this plan, there's an extremely valid concern about the federal government publishing all of its source code; security-through-obscurity isn't an ironclad plan by any means, but telling the entire world what source code is being run is the sort of thing that has the potential for consequences, since vulnerabilities would be published for adversaries to see. This is especially problematic if security
Re: (Score:2)
And yet we have this current situation where government emails systems were infiltrated due to a private company's incompetence. Then we have the entire Boeing fiasco. Shall we talk about all those explosions at refiners which occur every single year? Perhaps we should talk about private company which killed almost all life in a 60-mile stretch of river [iowacapitaldispatch.com].
Besides, as we've repeatedly
Re: (Score:2)
The alternative being... nationalize everything and become a much larger North Korea?
Re: (Score:1)
Bugger off, you ignorant slut.
I worked for the government for 10 years - at the NIH. Around '16 or so, they went from internally managed email to *fairy dust* M$ managed. Let's start with they were supposed to migrate about 80 people on a Sunday? Monday? night, make sure it was right, then manage another 800+ people. No one apparently was watching, because M$ migrated EVERYONE, and in spite of protestations that everything was fine, I was helping people in another division a week later, because it was *fuc
Re: (Score:2)
Ah, yes, a botched 900-person e-mail transition from 8 years ago is clearly a prime example of "corporate bad, government good".
Re: (Score:1)
> Could you set up an LDAP environment to replace AD? Sure.
Hahahahaha. Has strong opinions about how to do security... blathers about LDAP... that's some professional level comedy right there! Are you here all week? Should I tip my waitron?
Re: My 0.02 (Score:2)
"FOSS software, support, etc. wasn't where the Fed needed it to be to move forward with it."
Neither was Windows, but they did it anyway.
Re: My 0.02 (Score:2)
Like Clinton did?
Part of the value proposition for central control over these things is to avoid questionable practices like using a personal email server that isn't following government archival laws. Much easier to enforce at the vendor layer.
Security and cost are check boxes, but it's control that sells it.
Re: (Score:2)
If Microsoft is really as important to the government as the government says it is, then nationalize it.
Frankly... (Score:5, Interesting)
There's probably very few companies that would stand up to this sort of scrutiny by this audience. Probably none of the companies folks have heard of.
The companies that would be respected by this sort of report generally go out of business in the face of a competitor that is able to deliver more capability at more reasonable pricing.
Re: (Score:2)
+1 insightful.
Re: (Score:3)
> There's probably very few companies that would stand up to this sort of scrutiny by this audience. Probably none of the companies folks have heard of.
I'll bet Google would.
Google's security architecture and processes are head and shoulders above anyone I've seen, and I spent a decade doing security consulting with organizations of all sorts, including banks and even military orgs, before joining Google and getting an inside look at Google's approach. When I first joined Google I was in the payments team, and our annual PCI [wikipedia.org] compliance audits were hilarious. They consisted of a few days of Google engineers explaining to the PCI auditors why the PCI requi
Re: (Score:2)
> ...it would both give people a lot more confidence in how Google handles their data, and provide a blueprint to improve IT security everywhere.
See, here's the thing: I completely believe you. I absolutely believe that Google's data handling is quite possibly the best in the industry. I believe your statement that PCI Compliance (which is too onerous for a whole lot of main street businesses if you ask them) is too insecure for Google's IT folks. I believe that the models they implement are literally state of the art and that more companies should follow those practices.
And, in a depressing irony, it makes me trust Google even less.
Why? Because ho
Re: (Score:2)
> Google may have the most secure datacenters in the world, but that data is being used *somewhere*, for *something*, with no transparency or oversight...and it's the not-knowing that makes the security of their datacenters irrelevant.
Okay... but assuming all else stayed the same would you feel better or worse about the situation if you knew that Google's data centers were regularly breached? Don't expect that the hackers who break in would publish the data; that's very unlikely.
As for the rest, I understand and agree. I'm probably less worried about it than you are -- even though I care a lot about privacy -- because I have insight into how the data is used. Not that I see it myself, but if Google were using the data for purposes othe
Fire 'em (Score:2)
Fire them for using Microsoft.
Microsoft... (Score:1)
Since when? (Score:2)
re: Microsoft has security? (Score:1)
Accidentally. When a hacker gets close to the pay-dirt, they get BSOD'd.
Microsoft just saved us from the XY backdoor (Score:5, Interesting)
A Microsoft researcher pretty much single-handedly just saved the world from the XY backdoor. https://arstechnica.com/securi... [arstechnica.com] . Considering this was an open-source project poised to be included as part of Linux and it was found by Microsoft (albeit through luck), I think that's huge.
Microsoft also creates probably the only good and reliable antivirus software. And Microsoft has been very active in promoting the use of Rust, including contributing towards Linux. Microsoft is also a key contributor towards an effort to detect child porn.
I would argue that Microsoft's days of being a security laughing-stock are mostly over. Ever since they released a firewall as part of a Windows XP service pack, I think Microsoft has taken security extremely seriously.
Re: (Score:2)
The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations. The Board reaches this conclusion based on
1. the cascade of Microsoft’s avoidable errors that allowed this intrusion to
Re: (Score:3)
> Ever since they released a firewall as part of a Windows XP service pack, I think Microsoft has taken security extremely seriously.
That's because you're ignoring everything else about Windows. Arguments which depend on deep ignorance are not compelling.
Re: (Score:3)
Re: (Score:2)
Dude, look at the new Teams and the new Outlook app and tell me that any single person at Microsoft has any idea what they're doing. They do not.
What specifically is bad about the security of those new apps?
Re: (Score:2)
I would disagree.
Microsoft's relationship to security seems to be as it has always been "yes if it pays the bills."
The XP/Server 2k3 firewall feature add is an example of something they did because it was an easy band-aid, and really all it was was a band-aid on the out-and-out nightmare (with Blaster and SQL Slammer etc.) that their flagship Identity and Resource Management solution (Active Directory) and companion technologies were proving to be; at a time when something like Netware or Lotus offerings m
Re: Microsoft just saved us from the XY backdoor (Score:2)
"The XP/Server 2k3 firewall feature add is an example of something they did because it was an easy band-aid"
Not to mention that 2k had IP filtering, so Windows already had a firewall, it just wasn't a featureful one. They only added more features to filtering, they didn't suddenly introduce a firewall.
Re: (Score:2)
> at a time when something like Netware or Lotus offerings might have yet won the business-office-techstack-wars.
Oh please...
The XP SP2 / Windows Firewall came out in 2005. Nobody was using Netware at that point; Novell never even put out a formally-for-XP iteration of their Netware client for Windows; firms still using Netware just installed the Windows 2000 version...which was just fine, because Netware had priced themselves out of their own market in comparison to Windows Server's everything-in-a-box solution, especially SBS server that was almost impossible for Netware to compete with.
Lotus Domino was undoubtedly
Re: (Score:2)
> Ever since they released a firewall as part of a Windows XP service pack, I think Microsoft has taken security extremely seriously.
Having services running by default but inaccessible due to a firewall is pretty braindead, much more sensible to not have listening services running at all unless the user explicitly enables them.
Re: (Score:2)
> A Microsoft researcher pretty much single-handedly just saved the world from the XY backdoor. https://arstechnica.com/securi [arstechnica.com]...
Let's see what the actual headline of the link is: What we know about the xz Utils backdoor that almost infected the world
So you got the name wrong. It happens.
> I would argue that Microsoft's days of being a security laughing-stock are mostly over. Ever since they released a firewall as part of a Windows XP service pack, I think Microsoft has taken security extremely seriously.
I recall those days very clearly. I have also noticed all actions since then. Your argument is hollow and empty. Microsoft does not care about Security, merely the perception of Security. In other words, you have been hoodwinked.
You know what would be cool? (Score:3)
Re: (Score:2)
Yep, also stopping the use of toy-level products for critical tasks is always a good idea.
Re: You know what would be cool? (Score:2)
You'd prefer national security issues to be caused by dozens of different vendors and agencies?
Re: (Score:2)
It would help if Microsoft didn't hand over Windows source code to China... During anti-trust, MS wouldn't even hand it over to the US legal system... I wonder if the US Gov still lacks access (outside maybe the NSA?)
Re: (Score:2)
Maybe they should just choose Apple products, you know, to avoid the Microsoft monopoly.
Big mistake (Score:2)
If you're the freaking US government... Why not build your own rather than rely on Microsoft? National security, right?
Choose a Linux distro to fork and hire an entire company's worth of geeks to maintain it and the applications you require. Publish it as USGSecure Linux, and hide all sorts of spy stuff in it so anyone of interest using it is vulnerable to your three-letter-agencies.
Re: (Score:2)
LoB
Re: Big mistake (Score:2)
For the same reason corporate America doesn't use Linux: all it takes is one Windows fanboy near the top to derail the entire project. And in this case "fanboy" includes politicians lobbied by Microsoft, as well as Congress members serving the greater community of Redmond.
Re: (Score:2)
I assume you're talking about desktop software.
Linux is kinda the server king these days.
Re: Big mistake (Score:2)
Yes.
These people have the power to derail these projects specifically because there is an "obvious" choice. For the U.S. government, the "obvious" choice is the biggest American software vendor who has been providing similar services to the government for more than a generation. It's easy for someone near the top to start picking apart the non-"obvious" choice, while it's nearly impossible to sell the institution on throwing out what they already use.
So, in corporate America, there's no ingrained institutio
Re: (Score:2)
Deliberate insecurity.
Microsoft was found by the USDoJ to be in violation of basically every kind of antitrust law [wikipedia.org].
Bush's AG Ashcroft declared that it was not in our country's best interests [justice.gov] to prosecute them.
Immediately thereafter Gates put his Microsoft fortune into his foundation to avoid taxation [washington.edu]. He has directed it to invest in ways that have enriched him personally and he is now worth more than he was when he founded it.
At the same time, the next version of Windows and updates to the existing version ma
Re: (Score:2)
As a current MSFT and former Apple employee (commercial rather than technical), I can only say that the corporate culture (comms, training, internal discussions) frequently, regularly, extensively and intensively emphasises the importance of security (and privacy). I joined via an acquisition and the extent of the remediation for my acquired company’s products to be brought up to MSFT security standards has been a huge challenge. My sense is that it’s just a very large attack surface across all the different suites. Who knows, maybe I’m kidding myself and it’s actually really shonky. But it doesn’t *feel* that way from the inside.
This I believe, not the 'throw them under the bus' default stance of government investigators.
Re: (Score:2)
There's an important difference between being serious about security, and making a big security theatre song and dance.
The latter is far more visible, but is often not very effective.
3 decades too late (Score:2)
Where the flying [BLEEP] were you 3 decades ago, when their Rube Goldberg OS (Windows) was being drawn up?
Using MS crap for anything important ... (Score:2)
... needs to result in an automatic finding of gross negligence. Otherwise nothing will change.
Email is insecure by default! (Score:2)
People will tell me about DMARC, DKIM, SPF, and all the other patchwork that attempts to secure email, but the issue isn't just who sent it, or where it came from. Outside a secure and protected envi