Comment by iscoelho
7 hours ago
Microsoft has never been good at security, and that is why their centralization to cloud is absolutely terrifying.
I'm reminded of Storm-0558 [1] where a stolen signing key was able to forge authentication tokens for any MSA / Azure AD / Government AD user. They downplayed the severity. Just imagine if that level of access was used to pull a Stryker on a nation-wide scale. That is an economic disaster waiting to happen.
[1] https://www.microsoft.com/en-us/security/blog/2023/07/14/ana...
I'll do you one better: stealing the signing key was not even necessary.
https://www.bleepingcomputer.com/news/security/microsoft-ent...
I knew there was another incident that I was forgetting, insanity... I don't understand how Microsoft keeps getting away with this and everyone just forgets.
When people's income depends on them forgetting... they tend to become amnesiacs.
Because time to market is more important than security (at Microsoft).
Oh please, that could happen at any company. Humans screw up.
But it doesn't. Full authentication bypass exploits are extremely rare and unheard of among tech giants. Maybe account takeover/recovery, sure, but full bypass? It just never happens.
Microsoft goes beyond that: they've managed to have a critical vulnerability in almost every authentication product they have ever created. It's exceptional.
> But it doesn't.
That we know of.
> It's exceptional.
I agree, but I look at it as a question of cost. Would it make sense for Russia to spend resources to compromise GCP or AWS? Microsoft's EntraID/AzureAD itself is an exceptional product in that organizations' dependency on it, especially US government orgs, is exceptional.
If APTs target AWS, they will compromise it, period. Of course, the caveat is time, skill and money, which can all be acquired at cost.