On the CSRB’s Non-Investigation of the SolarWinds Attack


Comments

Clive Robinson July 8, 2024 2:48 PM

As the article notes,

1, “Microsoft had long known about — but refused to address — a flaw used in the hack.”

2, “The tech company’s failure to act reflected a corporate culture that prioritized profit over security and left the U.S. government vulnerable”

Not just the US Government but many US businesses and many other Governments and Businesses world wide.

Anyone else have the feeling that it’s not just Microsoft but other Silicon Valley Corps and major software companies around the globe as well?

Anyone else remember Oracle and how those who used their product were told investigating security faults with the code was in effect a criminal act?

It’s been argued in the past that Microsoft “made the model” by which software is produced and licensed back in the 1980s, and by the 1990s it was a total disaster.

But the simple fact is all of the consumer and commercial software vendors have to behave this way, because for various reasons a “Free Market” was allowed to become a “Race for the Bottom” without legislation or regulation ensuring “fit for market” that most other products have to abide by.

Now it would appear the software industry feels like it is better than those large financial organisations that were,

“Too large to fail”

of the “Financial Crisis” a couple of decades back. The fallout of which we are still dealing with extraordinarily badly.

Which raises the question,

“How long in decades, if ever, is it going to take to sort the software industry out so that it meets the minimum of ‘Fit to Market’?”

It’s a question I’ve asked before a couple of times since this blog came into existence. And like others I’ve also pointed out some of the changes that need to be made, but here we are and nothing has changed…

Maxim Weinstein July 8, 2024 4:11 PM

Seems like a hit piece to me. The work of the CSRB so far has been generally well regarded, and the board absolutely skewered Microsoft in its most recent report. The implication that the decision not to investigate SolarWinds was driven by corporate or political interests doesn’t seem to jibe with the reasons given later in the article (i.e., timing, relevance).

Ismar July 9, 2024 5:19 AM

I stopped reading after this:

“The board is not independent — it’s housed in the Department of Homeland Security. Rob Silvers, the board chair, is a Homeland Security undersecretary. Its vice chair is a top security executive at Google. The board does not have full-time staff, subpoena power or dedicated funding.”

Bob July 10, 2024 4:46 PM

Almost feels like a foreseeable and inevitable consequence of an economy designed to chase quarterly profits at the expense of all else. We’ve already breached +1.5C over pre-industrial. We’re literally destroying our planet’s ability to harbor human life because money right now. Compared to our planet’s ability to harbor human life, infosec is at least a few notches lower in importance. So if we can’t do anything about climate change due to pursuit of quarterly profits, what chance is there for literally any other problem in the world?

ResearcherZero July 11, 2024 2:04 AM

@Clive Robinson

A very long, long time. Golden tickets and forging attacks have been around a long, long time.
Said vulnerability could have been easily fixed but was not.

A company that refuses to fix security problems it has been asked to for decades should not be given government contracts. Other cloud providers were willing to address such matters.

…There are some other vulnerabilities that need attention as well.

Plez fix…

https://www.cisa.gov/resources-tools/resources/secure-design-alert-eliminating-os-command-injection-vulnerabilities

https://cwe.mitre.org/top25/archive/2023/2023_stubborn_weaknesses.html

~ Throw another shrimp on the barbie.
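For readers following the CISA link above, the following is an added illustration of the weakness that alert is about (CWE-78, OS command injection). It is not code from the page, from the commenter, or from CISA: the vulnerable pattern (untrusted input interpolated into a shell string run with shell=True) sits beside two hardened forms, an argv list with no shell plus an assumed hostname allow-list, and shlex.quote() for the case where a shell cannot be avoided. `echo` stands in for a real network tool such as `ping` so that the injected second command is harmless when run, and the attacker input is constructed for the demo.

```python
"""Added example (not from the page or the CISA alert it links): CWE-78 OS
command injection, with `echo` standing in for a tool such as `ping` so the
demonstration is harmless to run locally (needs /bin/sh and echo)."""
import re
import shlex
import subprocess

# Assumed allow-list policy for this example: a hostname may contain only
# letters, digits, dots and hyphens, so no shell metacharacter (; | & $ ` ( )
# space, newline ...) can ever reach a command line.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

# Constructed attacker input: a plausible host followed by a second command.
INJECTED_HOST = "example.com; echo INJECTED"


def is_valid_hostname(host: str) -> bool:
    """Allow-list check applied before any command is built."""
    return HOSTNAME_RE.fullmatch(host) is not None


def run_vulnerable(host: str) -> str:
    """Vulnerable pattern: interpolate untrusted input into one shell string
    and execute it with shell=True. /bin/sh parses the ';' in `host` and runs
    the attacker's second command, so stdout contains two lines."""
    cmd = f"echo {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened(host: str) -> str:
    """Hardened pattern: validate, then pass an argv list with no shell.
    The host reaches the program as a single argument, byte for byte; no shell
    parser ever sees it, so there is nothing to inject into."""
    if not is_valid_hostname(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return subprocess.run(["echo", host], capture_output=True, text=True).stdout


def run_quoted(host: str) -> str:
    """Fallback when a shell really is unavoidable: shlex.quote() wraps the
    value in single quotes so the shell treats it as one literal word. This is
    weaker than run_hardened because every interpolation site must remember
    to quote; one missed site reopens the hole."""
    cmd = f"echo {shlex.quote(host)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(INJECTED_HOST)))  # second command ran
    print("quoted:    ", repr(run_quoted(INJECTED_HOST)))      # literal ';' preserved
    try:
        run_hardened(INJECTED_HOST)
    except ValueError as exc:
        print("hardened:   rejected ->", exc)
    print("hardened:  ", repr(run_hardened("example.com")))
```

Running the block prints the two-line output of the vulnerable call (proof the injected `echo INJECTED` executed), the single literal line from the quoted call, the allow-list rejection, and the clean output for a legitimate host. The point the CISA alert makes is the middle function: the durable fix is to stop handing a shell anything attacker-controlled at all, not to filter metacharacters more cleverly.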

ResearcherZero July 11, 2024 3:32 AM

APT40 makes use of proof-of-concepts for vulnerabilities in “widely used software”, including Log4j, Atlassian Confluence and Microsoft Exchange – “within hours or days of public release”.

Exfiltrated several hundred unique username and password pairs on the compromised appliance in April 2022, as well as a number of multi-factor authentication codes and technical artifacts related to remote access sessions.

“Exfiltrated data included privileged authentication credentials that enabled the group to log in, as well as network information that would allow an actor to regain unauthorised access if the original access vector was blocked.”

https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/apt40-advisory-prc-mss-tradecraft-in-action

Clive Robinson July 11, 2024 12:33 PM

@ ResearcherZero,

Re : Swing the headsman’s axe.

“A company that refuses to fix security problems it has been asked to for decades should not be given government contracts.”

Whilst I agree, there are two problems,

1, I can not think of any Silicon Valley Corp that has not done the same at some point.

2, I can not think of any WASP Government that is not beyond being bribed by Silicon Valley Corps.

Have a look at the history of the “Big Four” accountancy firms and “Arthur Andersen” in particular,

https://en.m.wikipedia.org/wiki/Arthur_Andersen

Also how UK Prime Minister Margaret Thatcher once ruled that a certain major firm were banned from government contract work… Yet purchased their way back in not long after.
