
Microsoft Chose Profit Over Security and Left US Government Vulnerable To Russian Hack, Whistleblower Says

A former Microsoft employee claims the tech giant dismissed his repeated warnings about a security flaw that was later exploited in the SolarWinds hack, prioritizing business interests over customer safety. Andrew Harris, who worked on Microsoft's cloud security team, says he discovered the weakness in 2016 but was told fixing it could jeopardize a multibillion-dollar government contract and the company's competitive edge, ProPublica reported Thursday.

The flaw, in a Microsoft product called Active Directory Federation Services, allowed hackers to bypass security measures and access sensitive cloud data. Russian hackers exploited the vulnerability in the 2020 SolarWinds attack, breaching several U.S. agencies. Microsoft continues to deny wrongdoing, insisting customer protection is its top priority. The revelations come at a time when Microsoft is facing increasing scrutiny over its security practices and seeks to expand its government business.

  • Microsoft will... (Score:2, Insightful)

    by joshuark ( 6549270 )

    Microsoft will dismiss this as the ravings of a disgruntled, former employee who did not get his stock grant or bonus...and then pay lobbyists millions to grease the politicians to overlook this while the United States government wonders if Microsoft sucks or blows like a cheap ventilator in Redmond. Have you tried Windows 11 yet?

    JoshK.

    • Microsoft will dismiss this as the ravings of a disgruntled, former employee who did not get his stock grant or bonus...

      Putting aside the general apathy of the public when it comes to dying whistleblowers, I don't believe for one second anyone is struggling to believe the claims of Greed over Security.

      Including Microsoft themselves.

      Microsoft can try and bullshit their way out of it, but they probably won’t even bother with a retort. They pay to play any way they want.

      • by gweihir ( 88907 )

        And their profits are stellar. Why would they even care to make good products?

        • Yes, their profits are astronomical. And your point is well-taken...

          There is a quote in the book "The Big Blues: The Unmaking of IBM" by Paul Carroll https://www.goodreads.com/book... [goodreads.com]
          where a senior vice-president told a staff scientist: "Son, if you give me a bag of shit, and I find I can sell it at a profit, I'm going to ask you for two more."

          From IBM in the 1970s to Microsoft in the 2020s...progress...

          JoshK.

      • Quite, and good point. :)

        This gives new meaning to the Latin "silentium est aureum" for "silence is golden." A response costs money...and more explanations, bull-flop, clarifications.

        Or perhaps: “Non gratus anus rodentum” from the tunnel rats in Vietnam.

        JoshK.

    • Other internal employees, including managers, report that the culture at Microsoft is to get new products out fast, so that they're first into customers' hands. This supersedes issues of waiting for technology to mature, or having proper security. We've known this all along though, we don't need internal reports to confirm it. Microsoft routinely tries to standardize too early, and has always been well known as a security failure.

  • Simple punishment (Score:5, Insightful)

    by Alain Williams ( 2972 ) <addw@phcomp.co.uk> on Thursday June 13, 2024 @10:13AM (#64546277) Homepage

    Make Microsoft pay a penalty such that it would have been cheaper if they had done the right thing and fixed the security flaw in the first place. I suspect that more than just the USA government have suffered because of this.

    I am reminded of the song in The Mikado [wikipedia.org] (a popular comic opera) which in the refrain has the words let the punishment fit the crime [gsarchive.net].

    • when 40% of voters are distracted by culture war issues and moral panics. I'm hoping that the culture war nonsense dies with the bubble boomer generation. There's some indication that it might, leaving the corporations with one less trick in their bag (they've still got lots that work if you haven't been taught critical thinking & media literacy skills), we'll find out in about 6 years or so.
    • There is no financial penalty high enough for compromising national security.

      • They pre-pay with lobbying. NIST standards were actually adjusted just to accommodate their shitware.

      • by gweihir ( 88907 )

        Indeed. There is no penalty at all if you do it as an IT company. You may even get to keep all current business and get more future business. Just make sure most people think you are too big to fail and your stuff cannot be replaced. Done. After that, you can deliver the most half-assed crap and still make money like crazy.

    • And I've got a little list--they'd none of them be missed!

    • by gweihir ( 88907 )

      That assumes penalties will help. MS has done this crap for so long that they may not even be able to fix things anymore, at least not fast. Sure, if they feature-freeze win10 now and then fix everything wrong with it for the next 10 years and scrap Win11, they may have a halfway secure OS after that. But do you see that happening? I do not.

    • > Make Microsoft pay a penalty such that it would have been cheaper if they had done the right thing and fixed the security flaw in the first place

      The security flaws are unfixable, given the mix-and-match nature of MICROS~1 Windows. App code mixed with kernel code mixed with msOffice code mixed with Edge code. Purely to prevent other people cloning the API. Which is ironical, considering Microsoft's fortune was built on a cloned BIOS.
    • Make Microsoft pay a penalty such that it would have been cheaper if they had done the right thing and fixed the security flaw in the first place.

      lol. do you honestly think morals and principles mean anything with fortunes that large? Absolutely everyone who could do anything would rather share in the fortune than actually do anything.

      Nice fantasy world though. :)

  • Of course (Score:4, Interesting)

    by Pascal Sartoretti ( 454385 ) on Thursday June 13, 2024 @10:18AM (#64546287)
    Of course Microsoft chose profit over security, like any for-profit corporation would (and should ?) do.

    The best solution against this ? Look at the European GDPR law : make it more costly for a company to NOT report breaches.
    • How broadly does your rake harrow ? Would Boeing mis-assembly of aircraft and undocumented flying software be included in the harrow ?  How about "side-channel" weakness in CPUs? How broadly does the term "security" extend ? 
    • The only actual news here is that people other than tech geeks have realized that Microsoft is a big screw up. I hope it severely damages their profits, they might wake and take notice.

  • If it's unacceptable, you have to change the 'game' with legislation. And corporate fines have to have a set minimum of a multiple of estimated profits from breaking the law, and that multiple needs to be greater than 1.

    I'd also suggest a law that makes it very, very criminal to attempt to bypass a law with private lobbying of politicians (for both the lobby-er and, if it works, the lobby-ee) or funding 'independent' think-tanks to provide reports that support your corporate needs over existing law. Lobb

    • screw fines.
      Hard time in prison.
      Think about what the Solarwinds "event" exposed the systems to... How much of the government was exposed to foreign agents.
      Now, think about why nothing was done... "It might impede growth in this new thing called computers/the internet" i.e. we make less money.

      The enemy is now where we refuse to go... Using our fetish for commerce and money as a shield and weapon.

    • by HiThere ( 15173 )

      Also the laws need to specify that half the fines be paid by the CEO + BOD members, and no indemnity by either insurance or other corporate body allowed.

  • Jail time (Score:3, Interesting)

    by bubblyceiling ( 7940768 ) on Thursday June 13, 2024 @10:31AM (#64546341)
    Start assigning criminal charges and things will change overnight
    • Re: (Score:3, Interesting)

      by gweihir ( 88907 )

      Not necessarily. MS may not even be capable of creating secure products at this time. They may not have the experience or skills. They have never needed them before, after all. And the amount of technological debt may be so bad that fixing this may take a decade or longer and only if they are really serious and hire every competent IT security engineer on the planet that is willing to work for them.

      Just look at Boeing. They already had committed criminally negligent homicide on mass scale two times, and kne

      • Of course, Microsoft has no experience with security. Everyone who's paid attention knows this. The problem is that Microsoft markets itself as being expert in security matters, and it sold its services to the US government under those pretenses.

        • by gweihir ( 88907 )

          Indeed. Hence the problem is also that too many "decision makers" did both not pay attention and did not care to ask actual experts. These people are part of the problem.

  • Well, not that shocked…
  • than the risk, "defects" like this WILL continue.

    In WWII execs got hard time in jail for this kind of crap (bad parts provided)

    When we start sending them to prison, they'll start plugging these holes. Until then ASSUME the code is bad and insecure... The other side does.

    • by gweihir ( 88907 )

      Indeed. Nothing but harsh regulation or real liability will ever fix MS security. Of course, they have made insecure crap for so long now, they may not survive such a step because they simply do not know how to do it right.

  • Microsoft chooses literally *everything* over security. It's one of the defining characteristics of the company. It's been bullet-ridden, half eaten, Swiss cheese ever since the days of DOS. And by the way, it takes two to tango. If you've bought into Microsoft, YOU have ALSO chosen something else over security. It may not be cost. But security, stability, and reliability were definitely at the bottom of your list. That does not excuse the lackadaisical attitude of the company towards security and it

  • Film at elev... you know what, this is not news. Never mind.

  • I'm really not that up on emoticons - what collection of ASCII characters indicates a 'shocked face'?

    That said, I recognize the character strings that represent 'corrupt face'. Unfortunately, there are so many variants - Microsoft, Google, Facebook, HP, John Deere...

    • I miss the Bill Gates "Borg Face" icon that used to appear on MS related Slashdot article....

      Ahh...the good old days....

  • As an American company, Microsoft has performed a great service to our God, Greed. They have chosen profits over security, and increased profits by ignoring important issues that could have a horrible effect on anyone using their systems. This has been deemed right and good by the power of the almighty profit! We shall now bow in the direction of Redmond and praise them! HALLA$$$$$$$YAH! HALLA$$$$$$$YAH! HALLA$$$$$$YAH!

  • by gweihir ( 88907 ) on Thursday June 13, 2024 @12:06PM (#64546675)

    I mean, there is a reason their stuff gets hacked all the time and, after 50 years in business, they still do not know how to do updates reliably. MS simply does not care about its customers. They screwed up time and again and did massive damage to their customers, but are the customers leaving? No. So they have correctly concluded that as long as not everything goes up in flames, they are fine. And look, they are. Profits like crazy despite selling crap and sometimes utter crap. Why would they improve anything?

  • I think the ignorance of saying the words "Do Security" says all it needs to say
  • an oxymoron for sure. I mean, as I understand it the fiduciary duty of the officers of a corporation is to make money for the shareholders, hence if we make $10,000,000 from a decision, but that decision is in fact illegal, so we (the company) are fined $100,000, then we do the illegal thing!
  • Glad to see all the fallout Microsoft is receiving over this, wait. What? They didn't do anything and just continued on? -- That will show them
  • Was it a SolarWinds security flaw, a Microsoft Security flaw, both, or only in combination (the latter seems unlikely if it was related to MSFS.) Seems like a whole lot of balls were dropped, and maybe the sole responsibility which was placed at the time on SolarWinds maybe wasn't really even their fault? As in, maybe SW had a flaw, but it wouldn't have been a big deal if not for the MS flaw?

    Hard to say.

  • If you're currently using products from Microsoft, and doing so at a point you have support available, demand they start using PGP in their email stack, and watch them run away. If Microsoft cares about security and privacy, they should be thrilled you're asking, and excited to start using secure email. I can tell you first hand, they won't do this, and they'll find any excuse they can reach for, as to why.
