submitted 1 month ago by [email protected] to c/[email protected]

Former employee says software giant dismissed his warnings about a critical flaw because it feared losing government business. Russian hackers later used the weakness to breach the National Nuclear Security Administration, among others.

The federal government was preparing to make a massive investment in cloud computing, and Microsoft wanted the business. Acknowledging this security flaw could jeopardize the company’s chances, Harris recalled one product leader telling him. The financial consequences were enormous. Not only could Microsoft lose a multibillion-dollar deal, but it could also lose the race to dominate the market for cloud computing.

Harris said he pleaded with the company for several years to address the flaw in the product, a ProPublica investigation has found. But at every turn, Microsoft dismissed his warnings

his fears became reality. U.S. officials confirmed reports that a state-sponsored team of Russian hackers had carried out SolarWinds, one of the largest cyberattacks in U.S. history. They used the flaw Harris had identified to vacuum up sensitive data from a number of federal agencies, including, ProPublica has learned, the National Nuclear Security Administration, which maintains the United States’ nuclear weapons stockpile, and the National Institutes of Health, which at the time was engaged in COVID-19 research and vaccine distribution. The Russians also used the weakness to compromise dozens of email accounts in the Treasury Department, including those of its highest-ranking officials. One federal official described the breach as “an espionage campaign designed for long-term intelligence collection.”

Harris’ account, told here for the first time and supported by interviews with former colleagues and associates as well as social media posts, upends the prevailing public understanding of the SolarWinds hack.

the board’s report identified a “corporate culture that deprioritized both enterprise security investments and rigorous risk management.”

ProPublica’s investigation adds new details and pivotal context about that culture, offering an unsettling look into how the world’s largest software provider handles the security of its own ubiquitous products. It also offers crucial insight into just how much the quest for profits can drive those security decisions, especially as tech behemoths push to dominate the newest — and most lucrative — frontiers, including the cloud market.

top 23 comments
[-] otp 90 points 1 month ago

[X] chose profit over security [without regard for consequences]

The American way

[-] [email protected] 43 points 1 month ago

American corporations: stopped reading after profit

[-] [email protected] 4 points 1 month ago

Publicly traded corps just saw the letter "p", assumed profit, and announced a 5 year plan to discover the rest of that sentence. Their shareholders are still upset it took them a whole letter before they had a plan...

[-] [email protected] 42 points 1 month ago

My company banned CCleaner from our computers because they got hacked once and didn't know about it. Microsoft is guilty of the same negligence with an added twist of corruption and greed! Think they'll ban all Microsoft software too?

[-] [email protected] 9 points 1 month ago

.........but why CCleaner? Are they unsafe now?

[-] [email protected] 36 points 1 month ago* (last edited 1 month ago)

They've been unsafe for years now, since they got bought out by some Chinese company known for shenanigans

[-] fartsparkles 23 points 1 month ago

BleachBit is a great alternative and it’s open sourced under GPLv3.

[-] [email protected] 1 points 1 month ago

Or just use the windows tool.

[-] [email protected] 3 points 1 month ago

Wasn't it AVG?

[-] [email protected] 19 points 1 month ago

Not just any vulnerability, the vulnerability that led to the Solarwinds hack.

[-] [email protected] 17 points 1 month ago

Oof, that was painful to read as someone in cybersecurity. I respect ProPublica, but they have no idea what they're talking about.

The Solarwinds hack was caused by Solarwinds being absolutely god awful at cybersecurity. The password to their update server was "solarwinds123", which we know because they accidentally published it in a public GitHub repo. The company is a complete and utter clown show.

As for Golden SAML, almost nobody in cybersecurity would consider it a vulnerability. It's just a fundamental part of how asymmetric cryptography works. HTTPS suffers from the same issue. If your private key gets stolen and used to forge signatures, the problem is you not properly protecting it, not the technology requiring you to keep it secret.

A more valid complaint is that Microsoft has been neglecting their on-prem software in favor of Azure. There are tons of security features that they've added to Azure that will probably never make their way to ADFS or Exchange.

[-] [email protected] 5 points 1 month ago

I read the article as criticism of the lack of defense in depth, where compromise of a specific server gives access to keys that give near-untraceable access to all servers. Yes, Solarwinds fucked up by putting their keys in a place where someone could access them, but Golden SAML is the technique that makes a breach worse.

[-] [email protected] 0 points 1 month ago

It's mostly the responsibility of the client to build defense in depth. If it's a straight shot from your Solarwinds server to your ADFS server, where the SAML signing keys are stored, that's your fault, not Solarwinds' or Microsoft's. Well, I would still blame Solarwinds, because they were encouraging horribly insecure practices, like doing "agentless" monitoring using a highly privileged account.

In this case, yes, not letting a SAML assertion signed by the ADFS server authenticate to Azure reduces defense in depth. But if you're at the point where your authentication servers have been compromised, you're already so turbo-fucked that it's very unlikely a wall like that would stop an attacker for long.

[-] [email protected] 4 points 1 month ago

I'm not going to pretend to be an expert on this (I worked in cybersecurity in the 2000s but was only entry level, and changed careers before cloud/mobile made things way more complicated), but the general point still seems true: security requires conscious design that discourages poor configuration by client IT, and makes bad practices unviable not only for end users, but also for the sysadmins who manage the actual IT resources. Then, things should be limited in impact.

In other words, the manufacturer doesn't get to wash their hands of this whole thing if their design makes it easy for clients to screw up. In this case, it does sound like these systems were deployed by clients that didn't have a solid understanding of the relationships between on-prem AD and ADFS and didn't know how to configure them securely; that's also a significant documentation/education issue that Microsoft owns some responsibility for.

(Plus in the case of the Solarwinds hack, there were a few other Microsoft vulnerabilities exploited to get to the point where the hackers could traverse the system looking for keys/certificates.)

So I don't think this particular dude was warning about a non-vulnerability, and it sounds like the "security boundary" response he met with internally is similar to how you're responding to this report.
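An added example to go with the Golden SAML exchange in the comments above; it is not from the ProPublica article or from any commenter. It models, in Go with standard-library ECDSA in place of SAML's XML signatures, the point both sides agree on: a relying party that only checks the signature cannot tell an assertion the IdP actually issued from one signed with the same key somewhere else, so the defense-in-depth has to come from outside the signature. The second verifier adds the checks defenders lean on in practice: a cap on assertion lifetime, and a match against the IdP's own issuance record, which in a real deployment is the SIEM correlating the relying party's sign-in with the IdP's token-issuance events. The function names (Issue, VerifySignatureOnly, VerifyWithIssuanceLog, Scenario), the Assertion layout, the sample subjects and the fixed clock are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is a simplified stand-in for a SAML assertion (constructed for this
// example): the claims a relying party checks, plus a detached signature.
type Assertion struct {
	ID           string `json:"id"`
	Subject      string `json:"subject"`
	NotBefore    int64  `json:"nbf"`
	NotOnOrAfter int64  `json:"exp"`
	Signature    []byte `json:"-"` // excluded from the signed bytes by its tag
}

// digest is the canonical byte string the signature covers (fixed field order).
func (a Assertion) digest() []byte {
	b, _ := json.Marshal(a)
	h := sha256.Sum256(b)
	return h[:]
}

// signWithKey needs nothing but the private key: whoever holds it produces
// assertions that a signature check cannot tell apart from the IdP's own.
func signWithKey(key *ecdsa.PrivateKey, a Assertion) (Assertion, error) {
	var err error
	a.Signature, err = ecdsa.SignASN1(rand.Reader, key, a.digest())
	return a, err
}

// Issue is the IdP's normal path (think ADFS): sign, then record the assertion
// ID in its own issuance log, which a key-only signing path never touches.
func Issue(key *ecdsa.PrivateKey, issued map[string]bool, subject string, now time.Time,
	ttl time.Duration) (Assertion, error) {
	a, err := signWithKey(key, Assertion{
		ID: fmt.Sprintf("_idp-%d", len(issued)+1), Subject: subject,
		NotBefore: now.Unix(), NotOnOrAfter: now.Add(ttl).Unix(),
	})
	if err == nil {
		issued[a.ID] = true
	}
	return a, err
}

// VerifySignatureOnly is what a relying party that trusts the IdP's signing
// certificate checks: the signature and the validity window.
func VerifySignatureOnly(pub *ecdsa.PublicKey, a Assertion, now time.Time) error {
	switch t := now.Unix(); {
	case !ecdsa.VerifyASN1(pub, a.digest(), a.Signature):
		return errors.New("signature does not verify")
	case t < a.NotBefore || t >= a.NotOnOrAfter:
		return errors.New("outside validity window")
	}
	return nil
}

// VerifyWithIssuanceLog adds two defence-in-depth checks a valid signature cannot
// provide: a lifetime cap, and a matching record in the IdP's own issuance log
// (in production, a SIEM correlating the sign-in against the IdP's token events).
func VerifyWithIssuanceLog(pub *ecdsa.PublicKey, a Assertion, now time.Time,
	issued map[string]bool, maxTTL time.Duration) error {
	switch err := VerifySignatureOnly(pub, a, now); {
	case err != nil:
		return err
	case a.NotOnOrAfter-a.NotBefore > int64(maxTTL.Seconds()):
		return errors.New("lifetime exceeds policy")
	case !issued[a.ID]:
		return errors.New("no matching issuance record at the IdP")
	}
	return nil
}

// Scenario returns three verdicts (nil means accepted): legit, the log-aware check on
// a normally issued assertion; sigOnly and logAware, both checks on an assertion signed
// with the same key but never passed through Issue, so the IdP has no record of it.
func Scenario() (legit, sigOnly, logAware error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	issued := map[string]bool{}
	now := time.Unix(1_700_000_000, 0) // fixed clock for reproducibility
	normal, err := Issue(key, issued, "alice@example", now, 5*time.Minute)
	if err != nil {
		return err, err, err
	}
	unlogged, err := signWithKey(key, Assertion{ID: "_not-in-log", Subject: "someone@example",
		NotBefore: now.Unix(), NotOnOrAfter: now.Add(5 * time.Minute).Unix()})
	if err != nil {
		return err, err, err
	}
	return VerifyWithIssuanceLog(&key.PublicKey, normal, now, issued, time.Hour),
		VerifySignatureOnly(&key.PublicKey, unlogged, now),
		VerifyWithIssuanceLog(&key.PublicKey, unlogged, now, issued, time.Hour)
}
```

Calling Scenario() gives nil for the first two verdicts and the "no matching issuance record" error for the third: the signature-only relying party accepts the key-only assertion, the log-aware one does not. The log check is only worth anything if the issuance record lives somewhere that a compromise of the signing server does not also reach, which is the same separation the defense-in-depth argument above is asking for.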

[-] [email protected] 16 points 1 month ago

Looks like probably the biggest customer has issues with Microsoft. This might help all the smaller victims, too.

[-] [email protected] 8 points 1 month ago

A study I just made up says this surprises no one.

[-] [email protected] 6 points 1 month ago

Well I just made up a study that says everybody was surprised that no one was surprised. Guess we'll just have to start our own competing news outlets. Where we spew our own version of opposite ends of the political opinion bullshit, state it as fact, and neither one is held liable or accountable for our "reporting".

[-] [email protected] 8 points 1 month ago

Based and capitalpilled

[-] [email protected] 4 points 1 month ago

Holy fucking shit

[-] BakedGoods 3 points 1 month ago

No shit. They're a for profit organisation. Security is the least of their concerns. If you put your shit in "the cloud", you just put it on the internet, and it will be accessible over the internet. Not to sound like a cranky old fuck but I am; IT nowadays is a fucking joke. You can absolutely do shit the right way, but almost nobody does.

[-] [email protected] 1 points 1 month ago

As far as I'm concerned this is a case of a snake eating its own tail. The government could have regulated these bitches, but it likes the free speech it gets from them. Fuck them both and eat shit.

[-] [email protected] 1 points 1 month ago

Worst part is the government won't learn from this and will continue to use the proprietary operating system.

this post was submitted on 13 Jun 2024
438 points (98.9% liked)