by iforgotpassword 2022 days ago
> But what about all of the innocent people who would be harmed by such a callous approach?

They should then think again about their choice of using Teams. Why should Microsoft rake in money from a shabby product while volunteers have to fix their shit?

Assigning a ridiculously low score to significantly lower the bounty as a billion dollar company is disgusting.


> They should then think again about their choice of using Teams.

Try saying that to a student who is using Teams on a school-issued laptop, by no choice of their own.

I'm not in any way defending how Microsoft handled this. Frankly, I'm ashamed of my former employer (though I worked in a completely different division). But your outrage toward the company should not extend to its unwitting users.

There wouldn't be very many unwitting users if their software had a serious reputation for being a serious security risk.
Bullshit. Currently there are millions of children who are obligated to use Teams for their publicly funded education.

And thinking these huge metrics get changed by selling black hat exploits to what? Teach Microsoft a lesson? While harming an already vulnerable population (not just children are obligated to use Teams). As if the long term goal of educating "unwitting" users is advanced at all by black hat behaviour.

Let's dump public education!

Deschooling is done on Discord

Microsoft has had a serious reputation for being a serious security risk for the 30 or so years I've been in IT. It's one of the oldest jokes in the industry. People and the world in general clearly do not work the way you apparently think they do.
Zoom still has a ton of users, and every single thing they make or do is a serious security risk (or has been in the past, evidencing a distinct lack of secure development culture).
Windows XP is still seen in the wild.
Problems need to hit the users, otherwise the market is uninformed and cannot work.
There are lots of vulnerabilities in most door locks, does that mean we should go around stealing things because Chubb have made money selling insecure locks?
A wormable, widely deployed, Chubb lock would be interesting.

Let's see how Ring goes over the next few years... ;)

> They should then think again about their choice of using Teams.

What percentage of Teams users do you think have a choice in their use of Teams?

If it's on their work machines then it primarily endangers their employer's data, much less their own.
Funny thing to say when we're in the middle of a global pandemic, and more people are working from home than ever.

I work at a university and I've been forced to install that crap on my home computer because I need to teach from home. And so do all the professors in around half the universities I know in my country.

Interesting, I'm surprised that they don't have to provide you with the tools needed to do your job!

In Australia, the employer is generally responsible for providing any necessary tools or equipment needed to do the job (contractors are another matter though)

In normal circumstances they do provide the tools needed for the job, as they should. But this was a sudden state of emergency triggered by a pandemic, there were no funds, reactions weren't fast enough... so basically, they didn't.

Anyway, those of us who have research projects (as is my case) typically do have computers provided by the university at home, because research has strange schedules and working from home has always been a need (meeting with colleagues in different timezones, waiting for experiments to complete at night, rushing for deadlines, etc.).

But... it's not really practical to make room for two different desktop computers for my own use in an already space-starved flat, or to work on a laptop for many hours when I could do so on a desktop. So in practice, my home computer and my work computer are one and the same. And it's like that here for most, if not all, people I know.

We are a Latin country and also tend to live in small flats, maybe in other places it's different. I can imagine that if I had one of those American McMansions, it would make sense to have a home office with a sober, black work computer, a good camera setup and a green screen, and then a gaming room with a flashy gaming computer and huge speakers (near the billiards and darts room, probably :)). But that's not really how things work around here. Here, separation of home and work computers at home is almost exclusive to jobs with high security restrictions. Most people in normal jobs just don't do it because it's not practical.

And then when the company loses business from the disruption, do you think employees walk away scot-free?
I consider that inherent risk. Not getting a raise because the company made business decisions that turned out suboptimal (such as gaining short-term profits by not investing in IT security) is a risk that any employee faces. If you want a more stable environment you go for a more risk-averse employer, perhaps even public sector jobs.
That's a silly proposition. If my field of expertise is inherently private, I don't have that choice. Also I can't solve for every variable when searching for jobs. I choose among the ones I get an offer for, and obviously their IT decisions aren't top of my list (nor do I know what those are prior to hitting the desk)
Ruining companies that can't (or won't) get their act together (whether it's security, finance or any other critical and undervalued area) is a short-term pain that fixes the issue. Refusing to fix simply prolongs the problem - at some point you have to say "enough is enough" and tear the bandaid off; if you don't, and you don't do so with severe enough consequences, then businesses will simply conveniently ignore what they're being asked to do.

Necessity is the mother of invention, I have no doubt that the opportunities created by blowing away poorly-behaved incumbents will cause a healthy collection of startups who will be operating within the required framework.

You may not see yourself as having a choice but that wasn't really my point. What I was getting at is that being an employee in general comes with a diffuse risk of many factors that can result in not getting a raise or the company even going bankrupt. Many of them are outside your direct responsibility or influence and yet you take up the whole risk package when joining that company. The company getting ransomwared is just one more factor. It's not special. Well, one issue with it is that it requires criminal activity so it's dragging us down to a worse equilibrium where more resources have to be spent on countermeasures. But arguably that cat is out of the bag, so the next best thing that we can do is to make security best practices easy. And Microsoft wasn't doing its part here.
Punishing innocent people is not the answer.
They are not innocent. They made very poor life choices, picking Microsoft software. Why should the world reward their poor choices?