
Comment by gertrunde

7 hours ago

It's not very clear from the article, but I get the feeling from the context that the 'pile of shit' quote referenced the package of documentation about the service rather than the service itself.

(That seems to be the main complaint, that Microsoft never provided the clear information required to conduct the assessment properly).

> The tech giant’s “lack of proper detailed security documentation” left reviewers with a “lack of confidence in assessing the system’s overall security posture,” according to an internal government report reviewed by ProPublica.
>
> Or, as one member of the team put it: “The package is a pile of shit.”

Yes, it seems pretty clear from that quote that the reviewer said the security package was a `pile of shit`, and ProPublica went on to extend that to the cloud itself. Not that I want to comment on the merits of Azure's security, but that sounds pretty clickbaity from ProPublica to me. A more appropriate title would have been

> Federal Cyber Experts Thought Microsoft’s Cloud Security documentation Was “a Pile of Shit.”

  • MS was (and still is, it seems) unable to produce the data flow diagrams that FedRAMP wanted, ones that other cloud providers had no problem with. If the documentation is in such a dire state, then the system itself is likely to also be in a dire state. I.e. the documentation is a pile of shit, so the system is also a pile of shit.

Wait, so they basically threw up their hands? No documentation! Not evaluable? Thus clearly of value for somebody? Big stamp, job well done! NEXT?

  • Yes. US bureaucracy regularly gets told "You have to have <thing>" but because it's against a lot of people's ideology, they aren't allowed to build it internally or develop any sort of actual expertise for such a thing, so their only choice is to buy whatever is offered no matter how bad it is.

    For example, our state government says "We will do X Y and Z which all require data science expertise, but we did not approve the $60k a year Data Science position, so instead we are forced to hire a Data Science contractor for $120k a year, and they can't really be fired, and they are terrible at their job"

    And then people wonder why things suck all the time.

    A lot of states buy their Obamacare marketplace service from a company I am familiar with. That company is entirely incompetent. They cannot follow basic instructions. They cannot triage a bug at all. They do not read freaking tickets. They take weeks to respond to an issue. They cause bugs regularly in ways that imply they don't have functional source control. They continually fuck up basic feature requests. They change the service in ways that contravene the literal law. The law that was comprehensively explained to them by people I know.

    But they can't be fired, because the state is legally compelled to provide this service, and is not really allowed to hire a few engineers to build it in house. They could go to a different software contractor, but all the options are just as bad because it's an entirely captured market.

    Obama started a "Digital Services" group in the federal government to actually build systems internally and develop expertise to mitigate some of this, and they built stuff like tax filing solutions for free for Americans. So Trump killed it and hollowed out its corpse for DOGE.

    • Emergency notifications are done the same way! It's communism to fucking build it, so let’s have a team of a few engineers make an API to control government infrastructure from incompetent contractors on AWS, offer no real means of testing, breaking changes, downtime… and folks wonder why Hawaii is told bombs are coming

That’s a perfectly valid reason to reject a security solution, and is one of my top complaints about Microsoft in this decade.

They fired all of their technical documenters, so their security critical systems, APIs, tools, and SDKs now have only auto-generated docs that are just the function names with spaces added between the words.

Like this:

    Overrides the authorization for an identity.

    AuthorizationOveride( string identity );

Good luck figuring out what anything important to your own security does, how it works, and what the consequences of small configuration changes might be.