Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Microsoft

Microsoft Chose Profit Over Security and Left US Government Vulnerable To Russian Hack, Whistleblower Says 65

A former Microsoft employee claims the tech giant dismissed his repeated warnings about a security flaw that was later exploited in the SolarWinds hack, prioritizing business interests over customer safety. Andrew Harris, who worked on Microsoft's cloud security team, says he discovered the weakness in 2016 but was told fixing it could jeopardize a multibillion-dollar government contract and the company's competitive edge, ProPublica reported Thursday.

The flaw, in a Microsoft product called Active Directory Federation Services, allowed hackers to bypass security measures and access sensitive cloud data. Russian hackers exploited the vulnerability in the 2020 SolarWinds attack, breaching several U.S. agencies. Microsoft continues to deny wrongdoing, insisting customer protection is its top priority. The revelations come at a time when Microsoft is facing increasing scrutiny over its security practices and seeks to expand its government business.
This discussion has been archived. No new comments can be posted.

Microsoft Chose Profit Over Security and Left US Government Vulnerable To Russian Hack, Whistleblower Says

Comments Filter:
  • Microsoft will... (Score:2, Insightful)

    by joshuark ( 6549270 )

    Microsoft will dismiss this as the ravings of a disgruntled, former employee who did not get his stock grant or bonus...and then pay lobbyists millions to grease the politicians to overlook this while the United States government wonders if Microsoft sucks or blows like a cheap ventilator in Redmond. Have you tried Windows 11 yet?

    JoshK.

    • Microsoft will dismiss this as the ravings of a disgruntled, former employee who did not get his stock grant or bonus...

      Putting aside the general apathy of the public when it comes to dying whistleblowers, I don't believe for one second anyone is struggling to believe the claims of Greed over Security.

      Including Microsoft themselves.

      Microsoft can try and bullshit their way out of it, but they probably won’t even bother with a retort. They pay to play anyway they want.

      • by gweihir ( 88907 )

        And their profits are stellar. Why would they even care to make good products?

        • Yes, their profits are astronomical. And your point is well-taken...

          There is a quote in the book "The Big Blues: The Unmaking of IBM" by Paul Carroll https://www.goodreads.com/book... [goodreads.com]
          where a senior vice-president told a staff scientist: "Son, if you give me a bag of shit, and I find I can sell it at a profit, I'm going to ask you for two more."

          From IBM in the 1970s to Microsoft in the 2020s...progress...

          JoshK.

      • Quite, and good point. :)

        This gives new meaning to the Latin "silentium est aureum" for "silence is golden." A response costs money...and more explanations, bull-flop, clarifications.

        Or perhaps: “Non gratus anus rodentum” from the tunnel rats in Vietnam.

        JoshK.

    • Other internal employees, including managers, report that the culture at Microsoft is to get new products out fast, so that they're first into customers hands. This supercedes issues of waiting for technology to mature, or having proper security. We've known this all along though, we don't need internal reports to confirm it. Microsoft routinely tries to standardize too early, and has always been well know as a security failure.

  • Simple punishment (Score:5, Insightful)

    by Alain Williams ( 2972 ) <addw@phcomp.co.uk> on Thursday June 13, 2024 @09:13AM (#64546277) Homepage

    Make Microsoft pay a penalty such that it would have been cheaper if they had done the right thing and fixed the security flaw in the first place. I suspect that more than just the USA government have suffered because of this.

    I am reminded of the song in The Mikado [wikipedia.org] (a popular comic opera) which in the refrain has the words let the punishment fit the crime [gsarchive.net].

    • when 40% of voters are distracted by culture war issues and moral panics. I'm hoping that the culture war nonsense dies with the bubble boomer generation. There's some indication that it might, leaving the corporations with one less trick in their bag (they've still got lots that work if you haven't been taught critical thinking & media literacy skills), we'll find out in about 6 years or so.
    • Comment removed based on user account deletion
      • They pre-pay with lobbying. NIST standards were actually adjusted just to accommodate their shitware.

      • by gweihir ( 88907 )

        Indeed. There is no penalty at all if you do it as an IT company. You may even get to keep all current business and get more future business. Just make sure most people think you are too big to fail and your stuff cannot be replaced. Done. After that, you can deliver the most half-assed crap and still make money like crazy.

    • And I've got a litte list--they'd none of them be missed!

    • by gweihir ( 88907 )

      That assumes penalties will help. MS has done this crap for so long that they may not even be able to fix things anymore, at least not fast. Sure, if they feature-freeze win10 now and then fix everything wrong with it for the next 10 years and scrap Win11, they may have a halfway secure OS after that. But do you see that happening? I do not.

    • > Make Microsoft pay a penalty such that it would have been cheaper if they had done the right thing and fixed the security flaw in the first place

      The security flaws are unfixable, given the mix-and-match nature of MICROS~1 Windows. App code mixed with kernel code mixed with msOffice code mixed with Edge code. Purely to prevent other people cloning the API. Which is ironical, considering Microsoft's fortune was built on a cloned BIOS.
    • Make Microsoft pay a penalty such that it would have been cheaper if they had done the right thing and fixed the security flaw in the first place.

      lol. do you honestly think morals and principles mean anything with fortunes that large? Absolutely everyone who could do anything would rather share in the fortune than actually do anything.

      Nice fantasy world though. :)

  • Of course (Score:4, Interesting)

    by Pascal Sartoretti ( 454385 ) on Thursday June 13, 2024 @09:18AM (#64546287)
    Of course Microsoft chose profit over security, like any for-profit corporation would (and should ?) do.

    The best solution against this ? Look at the European GDPR law : make it more costly for a company to NOT report breaches.
    • How broadly does your rake harrow ? Would Boeing mis-assembly of aircraft and undocumented flying software be included in the harrow ?  How about "side-channel" weakness in CPUs? How broadly does the term "security" extend ? 
    • The only actual news here is that people other than tech geeks have realized that Microsoft is a big screw up. I hope it severely damages their profits, they might wake and take notice.

  • If it's unacceptable, you have to change the 'game' with legislation. And corporate fines have to have a set minimum of a multiple of estimated profits from breaking the law, and that multiple needs to be greater than 1.

    I'd also suggest a law that makes it very, very criminal to attempt to bypass a law with private lobbying of politicians (for both the lobby-er and, if it works, the lobby-ee) or funding 'independent' think-tanks to provide reports that support your corporate needs over existing law. Lobb

    • screw fines.
      Hard time in prison.
      Think about what the Solarwinds "event" exposed the systems to... How much of the government was exposed to foreign agents.
      Now, think about why nothing was done... "It might impeded growth is this new thing called computers/the internet" i.e. we make less money.

      The enemy is now where we refuse to go... Using our fetish for commerce and money as a shield and weapon.

    • by HiThere ( 15173 )

      Also the laws need to specify that half the fines be paid by the CEO + BOD members, and no indemnity by either insurance or other corporate body allowed.

  • Jail time (Score:3, Interesting)

    by bubblyceiling ( 7940768 ) on Thursday June 13, 2024 @09:31AM (#64546341)
    Start assigning criminal charges and things will change overnight
    • Re: (Score:3, Interesting)

      by gweihir ( 88907 )

      Not necessarily. MS may not even be capable of creating secure products at this time. They may not have the experience or skills. They have never needed them before, after all. And the amount of technological debt may be so bad that fixing this may take a decade or longer and only if they are really serious and hire every competent IT security engineer on the planet that is willing to work for them.

      Just look at Boeing. They already had committed criminally negligent homicide on mass scale two times, and kne

      • Of course, Microsoft has no experience with security. Everyone who's paid attention knows this. The problem is that Microsoft markets itself as being expert in security matters, and it sold its services to the US government under those pretenses.

        • by gweihir ( 88907 )

          Indeed. Hence the problem is also that too many "decision makers" did both not pay attention and did not care to ask actual experts. These people are part of the problem.

  • Well, not that shockedâ¦
  • than the risk, "defects" like this WILL continue.

    In WWII execs got hard time in jail for this kind of crap (bad parts provided)

    When we start sending them to prison, they'll start plugging these holes. Until then ASSUME the code is bad and insecure... The other side does.

    • by gweihir ( 88907 )

      Indeed. Nothing but harsh regulation or real liability will ever fix MS security. Of course, they have made insecure crap for so long now, they may not survive such a step because they simply do not know how to do it right.

  • Microsoft chooses literally *everything* over security. It's one of the defining characteristics of the company. It's been bullet-ridden, half eaten, Swiss cheese ever since the days of DOS. And by the way, it takes two to tango. If you've bought into Microsoft, YOU have ALSO chosen something else over security. It may not be cost. But security, stability, and reliability were definitely at the bottom of your list. That does not excuse the lackadaisical attitude of the company towards security and it

  • Film at elev... you know what, this is not news. Never mind.

  • I'm really not that up on emoticons - what collection of ASCII characters indicates a 'shocked face'?

    That said, I recognize the character strings that represent 'corrupt face'. Unfortunately, there are so many variants - Microsoft, Google, Facebook, HP, John Deere...

    • I miss the Bill Gates "Borg Face" icon that used to appear on MS related Slashdot article....

      Ahh...the good old days....

  • As an American company, Microsoft has performed a great service to our God, Greed. They have chose profits over security, and increased profits by ignoring important issues that could have a horrible effect on anyone using their systems. This has been deemed right and good by the power of the almighty profit! We shall now bow in the direction of Redmond and praise them! HALLA$$$$$$$YAH! HALLA$$$$$$$YAH! HALLA$$$$$$YAH!

  • by gweihir ( 88907 ) on Thursday June 13, 2024 @11:06AM (#64546675)

    I mean, there is a reason their stuff gets hacked all the time and, after 50 years in business, they still do not know how to do updates reliably. MS simply does not care about its customers. They screwed up time and again and did massive damage to their customers, but are the customers leaving? No. So they have correctly concluded that as long as not everything goes up in flames, they are fine. And look, they are. Profits like crazy despite selling crap and sometimes utter crap. Why would they improve anything?

  • I think the ignorance of saying the words "Do Security" says all it needs to say
  • an oxymoron for sure. I mean, as I understand it the fiduciary duty of the officers of a corporation are to make money for the shareholders, hence if we make $10,000,000 from a decision, but that decision is in fact illegal, so we (the company) are fined $100,000, then we do the illegal thing!
  • Glad to see all the fallout Microsoft is receiving over this, wait. What? They didn't do anything and just continued on? -- That will show them
  • Was it a SolarWinds security flaw, a Microsoft Security flaw, both, or only in combination (the latter seems unlikely if it was related to MSFS.) Seems like a whole lot of balls were dropped, and maybe the sole responsibility which was placed at the time on SolarWinds maybe wasn't really even their fault? As in, maybe SW had a flaw, but it wouldn't have been a big deal if not for the MS flaw?

    Hard to say.

  • If you're currently using products from Microsoft, and doing so at a point you have support available, demand they start using PGP in their email stack, and watch them run away. If Microsoft cares about security and privacy, they should be thrilled you're asking, and excited to start using secure email. I can tell you first hand, they won't do this, and they'll find any excuse they can reach for, as to why.

Life is a whim of several billion cells to be you for a while.

Working...