Is Microsoft “Grossly Irresponsible” for Not Fixing Bugs
In light of the most recent Chinese attack on Azure, several people are speaking out.
Amit Yoran, chairman of security firm Tenable, former president of RSA and former Homeland Security National Cyber Security Division director, says this in a LinkedIn post:
Cloud providers have long espoused the shared responsibility model. That model is irretrievably broken if your cloud vendor doesn’t notify you of issues as they arise and apply fixes openly.
What you hear from Microsoft is “just trust us,” but what you get back is very little transparency and a culture of toxic obfuscation. How can a CISO, board of directors or executive team believe that Microsoft will do the right thing given the fact patterns and current behaviors? Microsoft’s track record puts us all at risk. And it’s even worse than we thought.
Senator Ron Wyden, one of the few technically competent people in the US Capitol Building (both House and Senate) said that negligent cybersecurity practices enabled hackers backed by the Chinese government to steal hundreds of thousands of emails from cloud customers, including the US Departments of State and Commerce.
In fairness to Microsoft, the US government’s cybersecurity practices are, well, not exactly the best.
Microsoft has yet to explain exactly how the Chinese got the super powerful encryption key that granted them access to a variety of Microsoft’s cloud services.
Such is the nature of the cloud. Don’t for a minute think that any other cloud service is any better. They are all houses of cards. Microsoft is just the most high profile one. Right now.
The average number of daily Microsoft Teams users is 145 million as of 2021. While Google has 2 billion monthly active users, it doesn’t release the number of paid users, which is estimated at 6 million. Why go after 6 million when you can go after 150 million?
Tenable says it notified Microsoft of the underlying problem that enabled the Chinese attack in March and Microsoft reported that they fixed it four months later. As is sometimes the case, Tenable says that Microsoft’s fix was incomplete. Microsoft says they will fix the rest of the problem near the end of September. Think about how many tries it took Microsoft to fix the “print spooler” bug – assuming it is actually fixed now.
Microsoft (and others) have a lot of challenges in keeping their code secure.
All cloud providers put a lot of lipstick on their piggie software – meaning that they put shiny user interfaces on old software – but the underlying software was often not designed to work in a shared cloud environment.
Also, with hundreds of millions of lines of code, developed by developers who are retired or dead, over decades, making changes is often very similar to defusing a bomb. One wrong move and things go boom and the result is worse than before.
Finally, unlike some vendors, Microsoft almost never breaks backward compatibility. Unlike many cloud providers who believe in “move fast and break things” (in fact that is the subject of a book about Facebook, Google and Amazon), Microsoft works incredibly hard NOT to break existing software, even if that means doing some amazing contortions.
Still, all of this unwanted attention currently being placed on Microsoft applies to all cloud providers. Transparency is a noble goal until it affects stock price. Then it is only a concept. Hopefully this attention will move the needle a little bit in the right direction.
Credit: Ars Technica