[insanitybit]

I mean, yes, obviously, you have malware on a box you rotate that box. They had keys and they rotated the keys. But the implication here is that the attacker could have done anything and therefor they have to destroy everything, which is unreasonable.

[xorcist]

Rotating keys are far from enough. If your keys are compromised, you need to revoke everything. Then you need to assess what the impact is and wipe anything the compromised keys had access to during the period.

This is not theoretical. When the openssl fiasco hit, I worked in a place under financial regulation. Not even the defense sector, which is under much stricter rules. We had to go through all logs to ascertain customer data was intact, and since leaking private keys did not leave a trace in the logs we then wiped clean all systems these keys secured.

This was a massive undertaking to coordinate and minimize downtime for customers but it was deemed necessary to comply with security regulations. To hear that a big juggernaut such as Microsoft doesn't even do this without facing much consequences is mind boggling. I can not understand how that would ever pass an audit.

[insanitybit]

Revoke everything? Everything?

I have literally done incident response I am well aware of what the investigation process is like.

[xorcist]

Everything a potentially compromised key has signed, yes. What are we discussing here? This is standard procedure by every compliance processes I have ever had the misfortune to work with, but for quite good reasons. Hope alone won't pass an audit.

[insanitybit]

OK but "everything" and "everything the key may have signed" are obviously so insanely different.

[TheHappyOddish]

> I mean, yes, obviously, you have malware on a box you rotate that box.

"The box" in this case is their entire org.