Hacker News new | ask | show | jobs
by iscoelho 91 days ago
Microsoft has never been good at security, and that is why their centralization to cloud is absolutely terrifying.

I'm reminded of Storm-0558 [1] where a stolen signing key was able to forge authentication tokens for any MSA / Azure AD / Government AD user. They downplayed the severity. Just imagine if that level of access was used to pull a Stryker on a nation-wide scale. That is an economic disaster waiting to happen.

[1] https://www.microsoft.com/en-us/security/blog/2023/07/14/ana...
2 comments
Rygian 91 days ago
I'll do you one better: stealing the signing key was not even necessary.

https://www.bleepingcomputer.com/news/security/microsoft-ent...

link
iscoelho 91 days ago
I knew there was another incident that I was forgetting, insanity... I don't understand how Microsoft keeps getting away with this and everyone just forgets.
link
hulitu 85 days ago
Microsoft has a very good PR department: they invest a lot in lobby/corruption, they pay for articles in big media companies. And Microsoft is too big to fail.
link
someguyiguess 91 days ago
When people's income depends on them forgetting... they tend to become amnesiacs.
link
natas 91 days ago
because time to market is more important than security (at microsoft)
link
notepad0x90 91 days ago
Oh please, that could happen at any company. Humans screw up.
link
iscoelho 91 days ago
But it doesn't. Full authentication bypass exploits are extremely rare and unheard of among tech giants. Maybe account takeover/recovery, sure, but full bypass? It just never happens.

Microsoft goes beyond that: they've managed to have a critical vulnerability in almost every authentication product they have ever created. It's exceptional.

link
notepad0x90 90 days ago
> But it doesn't.

That we know of.

> It's exceptional.

I agree, but I look at it as a question of cost. would it make sense for Russia to spend on resources to compromise GCP or AWS? Microsoft's EntraID/AzureAD itself is an exceptional product in that organization's dependency on it, especially US government orgs, is exceptional.

If APTs target AWS, they will compromise it, period. Of course the caveat is time, skill and money which can all be acquired at cost.

link
hunterpayne 90 days ago
"If APTs target AWS, they will compromise it"

Not all compromises are the same. They might get into some logging API in AWS. With Azure, the get the master keys. Both are compromises; they aren't the same. Either you have never used Azure, know nothing about security, or you work in MS marketing.

link
Rygian 90 days ago
Any company where this happens is being mismanaged.

The whole point of having companies is to overcome limitations of humans acting individually.

link