[HN Gopher] SolarWinds hackers were able to access Microsoft sou...
       ___________________________________________________________________
        
       SolarWinds hackers were able to access Microsoft source code
        
       Author : accountinhn
       Score  : 342 points
       Date   : 2020-12-31 18:24 UTC (4 hours ago)
        
 (HTM) web link (msrc-blog.microsoft.com)
 (TXT) w3m dump (msrc-blog.microsoft.com)
        
       | pmlnr wrote:
       | It's simple: open source Microsoft, then this is not an attack
       | vector any more ;)
        
       | cogman10 wrote:
       | I wonder if incidents like this will push MS towards open
       | sourcing Windows.
       | 
       | IDK what their revenue looks like, but I'm guessing that selling
       | the OS isn't as front and center as it used to be (from the way
       | they are changing in terms of supporting things like Linux).
       | 
       | Even if they keep a pretty tight license around the source,
       | releasing it to the public would earn a lot of good will while
       | potentially finding and fixing security problems.
        
         | ksec wrote:
         | >I wonder if incidents like this will push MS towards open
         | sourcing Windows.
         | 
         | What I am thinking as well. Unimaginable if it was 10 years
         | ago, but modern Microsoft seems to be taking a different
         | approach. And Apple desperately needs some competition to keep
         | Tim Cook honest.
        
         | sterlind wrote:
         | (I work for MS but not on Windows.)
         | 
         | I don't think Windows will be open-sourced precisely because
         | it's not as important as it used to be. It'd be a ton of work
         | to root out vendor code incompatible with OSS licensing, remove
         | internal dependencies etc. That's not worth it unless we have
         | big plans for Windows to stay relevant, which I have no
         | knowledge of but suspect that we don't.
         | 
         | Probably we'll see the most relevant pieces be opened up, like
         | the driver model awhile back.
        
           | rightbyte wrote:
           | They can open source it and still keep the copyright. I mean
           | it is not automatically GPL just because they put it on a
           | public git server.
        
             | aeyes wrote:
             | Not without refactoring third party code which is used
             | under license.
        
             | agar wrote:
             | Not if Windows includes source code purchased or licensed
             | from third parties who contractually prohibit MS from
             | publishing their source code.
             | 
             | Which it probably does.
        
               | mattl wrote:
               | I think IE was based on third party stuff. I'm sure
               | there's bits of that floating around everywhere.
        
           | cogman10 wrote:
           | So while not the whole thing, seems like they could open
           | source core pieces like the kernel. That will probably take
           | some code reorg to achieve though so maybe that's why it'll
           | never happen. Last I heard on HN, Windows was pretty much
           | just a giant repo with everything in it. That'd have to
           | change for them to release core pieces (if it hasn't
           | already).
        
             | cglong wrote:
             | FWIW, Microsoft has been slowly shifting some components to
             | OSS (Command Prompt, Windows Terminal, Calculator, WinUI).
             | 
             | Disclaimer: work at Microsoft but in Azure
        
               | cogman10 wrote:
               | As far as community trust goes, MS has been killing it
               | for the last several years. They've done a 180 in terms
               | of being good software citizens. I'm really hopeful that
               | core pieces (such as the kernel) end up hitting the
               | public eye.
        
         | MeinBlutIstBlau wrote:
         | I always thought the reason they charged for their OS was due
         | to their anti-trust lawsuit so as to state that they weren't
         | actively trying to dominate the market or something along those
         | lines? Also, OEM operating systems are kind of circumventing
         | that.
        
           | easton wrote:
           | The reason I always heard was that there's tons of binary
           | blobs in Windows they bought from vendors that'd have to be
           | reimplemented (the zip library is the most notable example).
           | 
           | Russinovich said never say never though, so I don't know.
           | https://www.wired.com/2015/04/microsoft-open-source-windows-...
        
           | acct776 wrote:
           | Being open source is not correlated with charging licensing
           | fees.
           | 
           | It just means you can read the source.
        
             | Jestar342 wrote:
             | Some licenses very explicitly prohibit source
             | distribution/publication.
        
         | robotnikman wrote:
         | I've heard that one of the major obstacles to open sourcing
         | Windows is that a lot of code in the Windows codebase may be
         | proprietary and owned by companies other than Microsoft.
         | 
         | Apparently it's also an obstacle for many other closed source
         | programs when it comes to considering a transition to open
         | source.
        
         | [deleted]
        
       | frombody wrote:
       | Very curious as to the details they aren't releasing.
       | 
       | If you read between the lines they are saying that accounts were
       | compromised, but not through token stealing, which means the
       | attackers got the passwords to the accounts, and likely skirted
       | MFA requirements because they were already inside, or there were
       | none.
       | 
       | While there are many avenues to steal passwords once you have the
       | foothold the attackers did, it would be interesting to know the
       | details as to how these particular accounts were compromised.
        
         | mc32 wrote:
         | With a large and sophisticated corp like Microsoft, wouldn't
         | they have a Zero Trust kind of security model which means certs
         | and MFA regardless of location, behavior, etc.?
         | 
         | Obviously a lot we can only speculate about.
        
           | somethingwitty1 wrote:
           | I've worked in big companies like Microsoft, so can only
           | comment from that perspective. Due to their size, they often
           | do not have MFA regardless of location. Many didn't even use
           | MFA. Most have been moving there, but they were long,
           | multi-year projects. So I wouldn't be surprised if Microsoft
           | doesn't have MFA for everything.
        
             | srtjstjsj wrote:
             | MFA was standard in industry leaders 10 years ago.
        
             | isbjorn16 wrote:
             | MSFT employee here: I don't know of an internal service
             | that I use that doesn't have MFA.
             | 
             | I am not going to make a broad statement saying they don't
             | exist, I'm just saying I haven't found one yet. It's really
             | annoying because I rarely have my phone on me when I'm at
             | home so I have to go track it down. I'd be so happy if they
             | let me use a yubikey :(
        
         | bluedino wrote:
         | A company like Microsoft probably gets "hacked" what, a hundred
         | times a day? A thousand?
        
           | frombody wrote:
           | Can you elaborate on your point?
           | 
           | What I am saying is that these credentials can be stolen from
           | MITM attacks, log files stored on random servers, or even
           | basic mistakes like literally writing the password where
           | other people can see it.
           | 
           | Knowing what kind of operational mistakes Microsoft made that
           | led to account compromises would help others avoid becoming
           | victims of similar attacks.
        
       | jeffrallen wrote:
       | Poor hackers. I hear Visine soothes bleeding eyes.
        
         | stagger87 wrote:
         | Your comment breaks several guidelines here.
         | 
         | https://news.ycombinator.com/newsguidelines.html
        
       | asah wrote:
       | closed source = only the badguys get to see it. :-(
        
       | vthallam wrote:
       | > This means we do not rely on the secrecy of source code for the
       | security of products, and our threat models assume that attackers
       | have knowledge of source code. So viewing source code isn't tied
       | to elevation of risk
       | 
       | I don't know how much of this is true. Wouldn't it be helpful for
       | bad actors to understand how Windows defenses work looking at the
       | code thereby increasing the risk?
        
         | drvdevd wrote:
         | Whether or not it would be helpful to attackers, this is still
         | the correct threat model for Microsoft to operate with.
         | Sufficiently motivated attackers can reverse anything they
         | distribute publicly anyway.
        
         | lrem wrote:
         | Nobody seems to mention an important aspect: megacorps like
         | Microsoft, Amazon, Google or Oracle hire thousands of engineers
         | each year. It's not particularly hard for a bad actor to get an
         | agent hired into their target and gain access, for nefarious
         | purposes, in the legit way.
        
         | phendrenad2 wrote:
         | Remember that anyone can manually decompile Microsoft source
         | code. It's a lengthy tedious process, but that's nothing for a
         | determined attacker.
        
           | ipython wrote:
           | That's not nearly comparable to a commented source code repo.
           | "Decompiling" leaves you with a barely readable facsimile of
           | the original code, and most likely won't even compile again.
           | 
           | The true value in source code at this level is the comments
           | and symbols. Microsoft provides most of the symbols; the
           | comments you can't recover from a binary.
        
         | mmaunder wrote:
         | Agreed. They're using that argument to frame their breach as a
         | win. The reality is that open source is easier to reverse
         | engineer and find vulnerabilities in because you have the
         | source. Our researchers do this every day and closed source
         | makes that harder. Advocacy debates in favor of open source
         | have muddied this conversation - but that is the cold hard
         | reality.
         | 
         | Now that an adversary has MS's source code, it is indeed easier
         | for them to do vulnerability research. So this is a net loss
         | for MS's overall security posture, not a win.
        
         | dwheeler wrote:
         | It is generally accepted in the security community that hiding
         | source code does _not_ provide security.
         | 
         | The principles for developing secure software were identified
         | in the 1970s by Saltzer and Schroeder, and they're still true
         | today. One of those principles is "open design", that is, don't
         | depend on design secrecy for security of the system. Instead,
         | depend on secrecy of things that are trivially changed (like
         | private keys and passwords). Then, when the secret is exposed
         | (or you think it might be), you quickly change all the secrets
         | and there's no problem. One source of this paper:
         | https://www.cs.virginia.edu/~evans/cs551/saltzer/
         | 
         | In the case of Windows, the source code is not really secret
         | anyway. Most governments have continuous access to the source
         | code, typically through the Microsoft Government Support
         | Program (GSP): https://www.microsoft.com/en-us/securityengineering/gsp
         | Many businesses and universities also have access to Windows
         | source code. You can see various programs to provide such
         | access in different cases via https://www.microsoft.com/en-us/sharedsource/
         | In addition, Microsoft employs a huge number of employees who
         | have access to its source code, and you can't really keep a
         | secret long when a large number of people know the secret.
         | Efforts like bribes, appeals to patriotism, etc. will
         | eventually successfully get someone to reveal a secret if
         | there's a large enough group, especially since it's relatively
         | easy to identify who works for Microsoft or otherwise might
         | have such access.
         | 
         | If that's not enough, Microsoft distributes executables, and
         | disassemblers & decompilers can provide enough information for
         | static analysis anyway. So you could re-derive what you need to
         | attack Windows if you needed the source code for some reason.
         | 
         | Anyone who depends on secrecy of code to provide security is in
         | trouble. Typically the real reason to keep (some) code secret
         | is to support certain proprietary business models and to meet
         | certain legal obligations, and is not really about security.
         | 
         | Note that Microsoft understands this; they're quite clear in
         | stating that the security of Windows does not depend on keeping
         | its source code a secret.
        
           | hguant wrote:
           | It's not just governments - if you give them enough money
           | they'll send you the source, and all the tools required to
           | build it. Device manufacturers in particular need this - you
           | think Seagate is using the online Windows docs when they
           | write SSD drivers?
        
           | dividuum wrote:
           | Isn't that Kerckhoffs's principle?
           | https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle
        
             | dwheeler wrote:
             | Open design is basically a generalization of Kerckhoffs's
             | principle.
             | 
             | Kerckhoffs's principle is usually stated as "A cryptosystem
             | should be secure even if everything about the system,
             | except the key, is public knowledge." Note that
             | Kerckhoffs's principle only refers to cryptosystems. The
             | open design principle is a generalization that applies to
             | all systems, whether or not they are cryptosystems.
        
         | [deleted]
        
         | jcelerier wrote:
         | Windows source code has been open to academics for something
         | like two decades.
        
         | webmobdev wrote:
         | Yeah, the whole point of looking through the source code is to
         | find undocumented APIs and bugs to exploit.
        
           | saltyshake wrote:
           | There are many books written on Windows undocumented APIs.
           | These things aren't hidden at all.
        
             | webmobdev wrote:
             | Yeah, right. Everything is so open about all MS binaries
             | that they don't even need to be closed source! It takes a
             | lot of time and effort to find these poking the binaries,
             | and then experimenting with them. The source code makes
             | this task obviously easy.
        
           | monocasa wrote:
           | A lot of times stuff like undocumented APIs and bugs are
           | easier to find taking apart the binary anyway. Goofy stuff
           | tends to be obfuscated in source as engineers add so much
           | abstraction around the goofy pieces, but it's clear in the
           | final binary.
        
             | webmobdev wrote:
             | > A lot of times stuff like undocumented APIs and bugs are
             | easier to find taking apart the binary anyway.
             | 
             | Is that why Microsoft, and all you people who poke at its
             | binaries, have fixed all the bugs in MS binaries? /s
        
               | [deleted]
        
               | monocasa wrote:
               | Why do you think the people poking around MS's binaries
               | overwhelmingly want the bugs they find to be fixed?
        
         | thisiszilff wrote:
         | I'd imagine the answer is yes, viewing the source code would
         | increase the risk relative to an attacker that did not have
         | access to the source code, but the statement is saying that
         | whatever risk assessment Microsoft does already assumes
         | attackers have knowledge of source code. E.g., they are
         | conservative and do not rely on source code secrecy when making
         | any security evaluations.
        
           | burnthrow wrote:
           | That assumes total security competence at Microsoft. The
           | Linux model benefits from public audit.
        
             | TrueDuality wrote:
             | For what it's worth I'm familiar with Microsoft's security
             | team (both for their infrastructure and code) first hand
             | and they are some of the most competent individuals I've
             | ever had the pleasure to know.
             | 
             | I'm personally not a huge fan of Windows, and it definitely
             | has flaws but the amount of considerations taken into
             | account, and the speed with which issues are identified and
             | repaired in a code base of that size, especially while
             | maintaining a disgusting amount of backwards compatibility
             | is crazy impressive.
             | 
             | That aside, having access to the source code does make
             | finding issues easier. It sounds like that knowledge is
             | assumed in their risk assessments which would make that a
             | fair statement.
        
             | rbanffy wrote:
             | This puts them on the same level as Linux - when doing
             | Linux threat assessment we can count on the attacker having
             | the source code for everything.
             | 
             | In any case, it's silly to think otherwise. It's always
             | safer to assume everyone that we wouldn't want to know
             | something already knows that, whatever it is.
        
         | brianberns wrote:
         | Yes, but on the other hand, all the Linux source code is
         | publicly available, and it's still considered secure.
        
           | glouwbug wrote:
           | Causation vs. correlation, Linux is secure because it _is_
           | open source. Closed systems can cut corners, assuming the
           | source stays secret.
        
           | acct776 wrote:
           | No, it is not, by any stretch of the imagination, by security
           | researchers.
           | 
           | This has been on the front page all day: https://madaidans-insecurities.github.io/guides/linux-harden...
           | 
           | It is safe to assume it is more PRIVATE than a Microsoft OS,
           | but not more secure.
           | 
           | Please don't react emotionally to this... It was a bit
           | jarring of a shift in thought to me as well, at first.
        
             | acct776 wrote:
             | Downvoters, consider reading first: https://madaidans-insecurities.github.io/linux.html
        
               | richardwhiuk wrote:
               | That article comes from an extremely naive security
               | posture.
        
               | tester756 wrote:
               | I'm curious whether somebody will challenge it
        
           | MeinBlutIstBlau wrote:
           | Linux isn't any more secure or safer than a lock on my door
           | will prevent someone from just breaking the window. Hackers
           | do in fact target Linux machines, just not average desktop
           | users. They typically go after servers since they run
           | basically everything. And chances are, standard Linux users
           | know what they're doing so a ransomware attack isn't really
           | much to frighten a Linux user as much as it is to just piss
           | them off but still recover in like 24 hours or less.
        
         | daniel-levin wrote:
         | Microsoft shares source code with lots of partners. It would be
         | asinine to admit that source code leaks, accidental or
         | otherwise, would compromise their security. If they did that,
         | it would create headaches for their massive contracts where
         | source sharing is a prerequisite. So they toe the party line
         | and say no, in fact, source code leaks do not compromise
         | security.
        
           | TedDoesntTalk wrote:
           | > Microsoft shares source code with lots of partners
           | 
           | ALL source code for ALL active AND inactive projects? I
           | highly doubt it.
           | 
           | You simply have no idea if the attackers had access to
           | unshared, proprietary code or not. Like Azure server-side
           | components.
        
           | srtjstjsj wrote:
           | The source code is already out there, so any compromises have
           | already been found and exploited. Leaking it further won't
           | create more vulnerabilities, and more likely will cause
           | existing vulnerabilities to be found by white hats.
        
           | macjohnmcc wrote:
           | Many years ago when I worked at Microsoft I asked for the
           | source code to Solitaire. A few days later I received a stack
           | of CD-ROMs with the entire source code of Windows NT (4.0
           | maybe).
        
             | rbanffy wrote:
             | > a stack of CD-ROMs with the entire source code of Windows
             | NT
             | 
             | That's a lot of code. Scary.
        
               | mandeepj wrote:
               | >That's a lot of code.
               | 
               | It's estimated to be around 40 million lines of code
        
               | macjohnmcc wrote:
               | And it was not compressed; it was just a bunch of files
               | and folders. My guess is it was around 15 CD-ROMs.
        
             | herodoturtle wrote:
             | And what of the source code to Solitaire!?
             | 
             | Cool memory, thanks for sharing.
        
               | macjohnmcc wrote:
               | It took ages to figure out where the code even was in the
               | many files and folders. The directory structure did not
               | make it obvious.
        
               | macjohnmcc wrote:
               | I just thought of something. At the time blank CD-Rs
               | were about $15 each and the fastest burners at the time
               | were 2x burners. I'm sorry I wasted so much of the time
               | of the person who burned these, and the cost of the media!
        
               | westmeal wrote:
               | Can't wait until cozy bear leaks that :D
        
               | macjohnmcc wrote:
               | Make that winning animation use the GPU!
        
             | sedatk wrote:
             | That was before Source Depot, I presume.
        
       | codezero wrote:
       | I don't know if I missed it in the article, but did they say
       | anything explicit about write access? Seeing the source may give
       | access to new zero days, but it would be much worse if the
       | attackers were able to seed a large number of commits into the
       | code that introduce subtle vulnerabilities.
        
         | 1f60c wrote:
         | This reminds me of The Linux Backdoor Attempt of 2003[0], when
         | someone (maybe a three-letter agency, maybe not) was able to
         | insert a subtle bug in the Linux kernel.
         | 
         | [0]: https://freedom-to-tinker.com/2013/10/09/the-linux-backdoor-...
        
           | yjftsjthsd-h wrote:
           | > was able to insert a subtle bug in the Linux kernel.
           | 
           | ... was able to insert a bug into a _mirror_ of the kernel,
           | which was caught in short order.
        
             | joosters wrote:
             | ... _which was caught in short order_
             | 
               | That means nothing, of course it was caught, otherwise we'd
               | never have heard about it. We can only speculate about the
               | ones that haven't been caught...
        
               | yjftsjthsd-h wrote:
               | We can look at _why_ it was caught (people paying
               | attention to commits, policy of requiring commits to be
               | properly signed off), and conclude that it would be
               | difficult to add anything without being caught. Or, put
               | differently, if you believe that bad actors can get
               | around that level of precautions, you might as well give
               | up because everything else would be equally compromised.
        
         | thatsamonad wrote:
         | Sounds like the attackers did not have write access. From the
         | original blog post:
         | 
         | > _The account did not have permissions to modify any code or
         | engineering systems and our investigation further confirmed no
         | changes were made. These accounts were investigated and
         | remediated._
         | 
         | I would also hope that direct commits don't go immediately to a
         | production system without some sort of review. At my workplace
         | we have branch protections for all "main" branches that would
         | result in a deployment. At least one other person has to review
         | changes and all of our automated checks have to pass before
         | anything can even get close to running through a deployment
         | pipeline.
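A policy check of the kind yjftsjthsd-h and thatsamonad describe (commits properly signed off and signed, and approved by someone other than their author), written as an added example for this thread rather than code from any poster or project; the Commit record, the check_commit/audit helpers and the sample history are all constructed here.

```python
"""Added example (not code from the original thread or from any project it
mentions): a merge-queue policy check modelled on the controls described
above, namely that every commit carries a Signed-off-by trailer and a good
signature, and that someone other than the author approved it.

The commit records at the bottom are constructed for the demo; the Commit
class, its field names and check_commit/audit are assumptions of this example."""
import re
from dataclasses import dataclass, field

# Trailer format produced by git's --signoff; the named group captures the email.
SIGNED_OFF_RE = re.compile(r"^Signed-off-by: .+<(?P<email>[^>]+)>\s*$", re.MULTILINE)


@dataclass
class Commit:
    sha: str
    author: str            # author email, as in git's %ae
    sig_status: str        # git's %G? code: "G" good, "B" bad, "N" unsigned, ...
    message: str           # full commit message including trailers
    approvers: list = field(default_factory=list)  # emails of reviewers who approved


def check_commit(c: Commit, min_reviews: int = 1) -> list:
    """Return the list of policy violations for one commit (empty if it passes)."""
    problems = []
    if c.sig_status != "G":
        problems.append(f"signature status {c.sig_status!r}, expected 'G' (good)")
    signers = SIGNED_OFF_RE.findall(c.message)
    if not signers:
        problems.append("missing Signed-off-by trailer")
    elif c.author not in signers:
        problems.append("Signed-off-by trailer does not name the author")
    # Self-approval does not count: a single compromised account must not be
    # able to satisfy the review requirement on its own.
    others = [a for a in c.approvers if a != c.author]
    if len(others) < min_reviews:
        problems.append(f"needs {min_reviews} approval(s) from someone other than the author")
    return problems


def audit(commits, min_reviews: int = 1) -> dict:
    """Map each commit sha to its violations; merge only if every list is empty."""
    return {c.sha: check_commit(c, min_reviews) for c in commits}


# Constructed sample history: one clean commit and two that should be blocked.
SAMPLE = [
    Commit("a1b2c3d", "alice@example.com", "G",
           "Fix race in scheduler\n\nSigned-off-by: Alice <alice@example.com>\n",
           approvers=["bob@example.com"]),
    Commit("d4e5f6a", "mallory@example.com", "N",
           "Minor cleanup\n",                 # unsigned, no trailer, self-approved
           approvers=["mallory@example.com"]),
    Commit("0f1e2d3", "carol@example.com", "G",
           "Refactor parser\n\nSigned-off-by: Carol <carol@example.com>\n",
           approvers=["carol@example.com"]),  # signed, but only self-approved
]

if __name__ == "__main__":
    for sha, problems in audit(SAMPLE).items():
        print(sha, "OK" if not problems else "; ".join(problems))
```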
        
           | codezero wrote:
           | Whew, that's good to hear. I assume anyone trying to inject
           | malicious code is going to try to do so in a way that doesn't
           | go through normal code review channels.
        
             | thatsamonad wrote:
             | True. However, hopefully that's being mitigated through
             | things like not allowing authors to review their own
             | commits, not using the same accounts to push code changes
             | and do deployments (i.e. having a read-only account for
             | deployments), etc.
             | 
             | However, if it were an admin account that were breached
             | that would definitely make it possible to circumvent any
             | number of protections in place.
        
         | CurtHagenlocher wrote:
         | At least for the projects I work with at Microsoft, nearly no
         | user accounts have direct write access to source repos.
         | Checkins are done by a service account only after a pull
         | request has successfully been built and run tests, and has been
         | signed off on by appropriate users -- e.g. I can't sign off on
         | my own PR.
         | 
         | EDIT: Sorry, somehow I missed the reply by thatsamonad or I
         | would have replied to it instead of its parent.
        
           | rightbyte wrote:
           | I mean it sounds like a good security measure but also like a
           | pain to work with? I have a recurring nightmare that
           | management realizes that submits can be blocked if they
           | generate CI warnings and there will be no warnings anymore.
        
             | tikkabhuna wrote:
             | Tools that generate warnings can be configured to only do
             | so on new or modified code. We do the same for our code. It
             | can be difficult, but ultimately some codebases require
             | it.
        
         | [deleted]
        
         | [deleted]
        
       | Trisell wrote:
       | I predict a rash of eventual FireEye, Cisco, and other vendor
       | zero days in the near to mid future. If you are a nation state
       | actor what better way to find zero days than to get the source
       | code and find the bugs to exploit. This is the only thing that
       | makes sense that would be worth the risk of attacking companies
       | such as FireEye and Microsoft.
        
         | kevin_morrill wrote:
         | Why would this actually be true? If it's easier to find in
         | source, Microsoft probably would have found it. Every single
         | feature there goes through multiple security reviews and there
         | is tons of code linting. All the penetration testers I have met
         | don't even bother looking at source. They just start trying
         | things they think will flummox the software.
        
           | hguant wrote:
           | >They just start trying things they think will flummox the
           | software.
           | 
           | This works...until you go against a target that's heard of
           | fuzzing before and has the time and money to do it to their
           | own code.
           | 
           | The really interesting Windows exploits require a combination
           | of "throwing stuff that will flummox the software" and a deep
           | level understanding of structures hidden to the average
           | developer. Look at Yarden Shafir's really wonderful blog post
           | about developing a kernel bug into a PoC - there's a lot of
           | moving parts and security checks in modern Windows, and
           | having the source is a HUGE help.
        
       | gafferongames wrote:
       | > SolarWinds hackers were able to access Microsoft source code
       | 
       | Are they OK? Ze googles, they do nothing
        
       | cs702 wrote:
       | Reading this, the question that immediately pops in my head is:
       | 
       | Could a hack like this one go undetected for so long in a widely
       | used free/open-source project developed in the open, such as the
       | Linux kernel?
       | 
       | While I have no doubt that something like this could happen to
       | the Linux kernel source code (because security is Capital-H
       | Hard), my perception is that something like this is less likely
       | to happen to the Linux kernel -- and, were it to happen, it would
       | likely be detected sooner, due to the inherent _transparency_ of
       | widely used open-source code.
        
         | kerng wrote:
         | I do security research and bug bounties on the side sometimes
         | and had read/write access to a couple of large open source
         | projects in the past, incl. being able to impersonate employees
         | from well known companies that work on open source stuff.
         | 
         | Most common issue was access tokens found in public places.
         | 
         | Would be interesting to know what happens when code is updated
         | - which I obviously wouldn't do. Wonder how long it would take
         | until caught.
         | 
         | Since open source projects probably don't do "red teaming" (to
         | use a fancy buzz word) I wonder how they could practice this?
        
         | wil421 wrote:
         | Why would you need to back door Linux when you can find a
         | company like Solarwinds that is already in most networks with
          | greater access to the network as a whole than a Linux server?
        
         | AnIdiotOnTheNet wrote:
         | Considering how long bugs can go unfixed and undetected even in
         | large open source projects, I think it can totally happen. Just
         | create a backdoor that looks like an honest mistake, submit it
         | in a PR that adds some feature or fix, and exploit it at will
         | as people update. Heartbleed took over 2 years to find and fix.
        
         | staticassertion wrote:
          | I suspect adding bugdoors to Linux is far easier than it is
          | for Windows, but there are already so many bugs it's
         | easier and more viable to just look for them than to try to
         | insert them.
        
         | xen2xen1 wrote:
         | Code was added once to Debian (IIRC) and it was detected almost
         | immediately due to code signing.
        
           | AnIdiotOnTheNet wrote:
           | On the other hand, Debian broke OpenSSL generation and didn't
           | detect it for almost 2 years. That appears to have been a
           | legitimate mistake, but it is quite conceivable that a
           | malicious actor gets a change merged that contains a backdoor
           | that looks like an innocent mistake and goes undetected for a
           | long time.
        
           | newacct583 wrote:
           | The exploit in this case had access to the build (and
           | presumably signing) system. That wouldn't have helped. The
           | protection against this would have been the comparatively new
           | efforts at reproducible builds. A modified binary, in theory,
           | could be detected by current Fedora and Ubuntu releases (not
           | sure about Debian or other distros). I don't think we've had
           | an attack in practice though.
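
The verification step newacct583 is alluding to, as an added example that is not code from the thread or from any distribution's tooling: the artifact a project publishes is compared with a rebuild of the same source on an independent machine, so a binary modified on a compromised build host shows up as a digest mismatch. Packaging a tar archive stands in for a real compiler and linker; the sample tree, the fixed `SOURCE_DATE_EPOCH` value (the reproducible-builds.org convention for a pinned timestamp), the `naive_build` build-id nondeterminism and the `tamper` function are all constructed for this example.

```python
import hashlib
import io
import tarfile
import uuid

# Constructed stand-in for a source tree: relative path -> file contents.
SAMPLE_SOURCE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int add(int a, int b) { return a + b; }\n",
    "README": b"example project\n",
}

# Pinned timestamp, 2021-01-01T00:00:00Z. Every builder uses the same value,
# which is what the SOURCE_DATE_EPOCH convention is for.
SOURCE_DATE_EPOCH = 1609459200


def reproducible_build(source: dict) -> bytes:
    """Package the tree deterministically: sorted paths, pinned mtime,
    normalised owner fields, plain ustar format. Two runs on two machines
    yield byte-identical output."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for path in sorted(source):
            data = source[path]
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mtime = SOURCE_DATE_EPOCH
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def naive_build(source: dict) -> bytes:
    """Same packaging, but embeds a fresh build id the way many build systems
    embed wall-clock timestamps or random GUIDs. Output differs on every run,
    so an independent rebuild can never confirm the published artifact."""
    tree = dict(source)
    tree["BUILD_ID"] = uuid.uuid4().hex.encode()
    return reproducible_build(tree)


def digest(artifact: bytes) -> str:
    return hashlib.sha256(artifact).hexdigest()


def independent_rebuild_matches(published: bytes, build_fn, source: dict) -> bool:
    """The verifier's job: rebuild from the same source and compare digests
    with what was published. True only when the build is reproducible and
    the published artifact was not altered after the build."""
    return digest(build_fn(source)) == digest(published)


def tamper(artifact: bytes) -> bytes:
    """Constructed stand-in for a binary altered on a compromised build host:
    one same-length byte change inside the packaged main.c."""
    return artifact.replace(b"return 0;", b"return 1;", 1)


if __name__ == "__main__":
    published = reproducible_build(SAMPLE_SOURCE)
    print("clean reproducible artifact verifies:",
          independent_rebuild_matches(published, reproducible_build, SAMPLE_SOURCE))
    print("tampered artifact verifies:",
          independent_rebuild_matches(tamper(published), reproducible_build, SAMPLE_SOURCE))
    print("non-deterministic build verifies:",
          independent_rebuild_matches(naive_build(SAMPLE_SOURCE), naive_build, SAMPLE_SOURCE))
```

The design point is the middle function: unless the build itself is deterministic (the `naive_build` case fails verification even with no attacker at all), a digest mismatch tells the verifier nothing, which is why reproducibility work has to come before this kind of independent check can detect a modified binary.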
        
         | aquaticsunset wrote:
         | As others (and Microsoft) mentioned, it was read only access.
         | The only points of concern here would be if that statement
         | somehow was not true and they were able to add undetected
         | changes, or if their security audit process was severely
         | lacking.
         | 
         | But yeah, to your point - being able to read and analyze the
         | Linux kernel source is considered a feature, not a liability :)
        
           | neodymiumphish wrote:
           | I think you're connecting two points he made that weren't
           | connected.
           | 
           | On the one hand, open source projects make for an environment
           | where bad actors could propose changes to the software that
           | include these bug/backdoors. The benefit to the open source
           | arena is that these changes can easily be analyzed and
           | tested.
           | 
           | In Microsoft's case, the source being visible but not
           | editable is still a real risk (assuming the bad actor is able
           | to extract the data they're viewing for further analysis),
           | because they can use the source to determine avenues for
           | attack.
           | 
            | The fact that it was read-only does help ensure that no new
           | attack vectors were created, but it still increases the
           | chance of new attack vectors being found/used in the future.
        
         | [deleted]
        
         | joe_the_user wrote:
         | This hack wasn't really a failure of code construction but a
         | failure of institutional practices. The same thing could have
         | happened if SolarWinds had a garbagy sys admin tool that
         | happened to also be open source but still otherwise followed
         | the procedures of SolarWinds.
         | 
         | Giant bureaucracies have a bunch of tasks they need to
         | accomplish. Giant bureaucracies hire poorly trained people to
          | accomplish those tasks and buy software to aid those
         | people in accomplishing those tasks. The software is sold "by
         | the feature" so it is colloquially "garbage" that is itself
         | produced as cheaply as necessary to achieve these features.
         | Naturally, such garbage is constantly updated and all these
         | giant bureaucracies are sieves with these updates running
         | through them. Sure, if these bureaucracies hired competent
         | people, downloaded open source tools, tested the tools
         | themselves and essentially had their own quality control in-
         | house, this might not have happened. But that wouldn't be the
         | out-sourcing-based, cut costs and skills to the bone,
         | neoliberal paradigm that's near and dear to the high level
         | managers' heart, now would it?
         | 
         | Now, you would think that an event like this would create a
         | realization "what we do is too important for outsourcing, for
         | bargain-basement, neoliberal style operations". But the Office
         | of Personnel Management hack [1] was what should have created
         | this realization and didn't.
         | 
         | [1]
         | https://en.wikipedia.org/wiki/Office_of_Personnel_Management...
        
       | popup21 wrote:
       | A blind man can see that this was a rigged election. Denial and
       | evasion are progressive liberal personality traits.
        
       | juanbyrge wrote:
       | Is the source code buildable, or is it mainly for documentation
       | purposes? I'm guessing the build system and tool chains required
       | for building windows are massively complex. Are these distributed
       | with the windows source code as well?
       | 
       | Also I'm guessing that there are a lot of other proprietary
       | vendor-supplied pieces that get built with Windows. What happens
       | if these are not available?
        
         | tozeur wrote:
         | Internal builds barely work with millions of dollars and man
         | power invested. I can't imagine anyone else outside of Msft
         | being able to build Windows lol
        
       | koreanguy wrote:
       | misleading clickbait title post, pathetic
       | 
       | from microsoft
       | 
       | "Our investigation into our own environment has found no evidence
       | of access to production services or customer data. The
       | investigation, which is ongoing, has also found no indications
       | that our systems were used to attack others."
        
       | HenryKissinger wrote:
       | > Microsoft said the account did not have the ability to monitor
       | any Microsoft code. The blog post further added it has found no
       | evidence of access "to production services or customer data."
       | 
       | The article is in contradiction with the headline, isn't it?
        
         | tmaly wrote:
         | If you go back to the original CISA post December 17, 2020 they
         | noted a different attack vector other than SolarWinds had
         | compromised some systems.
        
         | vm wrote:
         | The reuters link posted here is click-bait junk. This section
         | from the Microsoft blog provides better context.
         | 
         | >We detected unusual activity with a small number of internal
         | accounts and upon review, we discovered one account had been
         | used to view source code in a number of source code
         | repositories. The account did not have permissions to modify
         | any code or engineering systems and our investigation further
         | confirmed no changes were made. These accounts were
         | investigated and remediated.
         | 
         | >At Microsoft, we have an inner source approach - the use of
         | open source software development best practices and an open
         | source-like culture - to making source code viewable within
         | Microsoft. This means we do not rely on the secrecy of source
         | code for the security of products, and our threat models assume
         | that attackers have knowledge of source code. So viewing source
         | code isn't tied to elevation of risk.
         | 
         | https://msrc-blog.microsoft.com/2020/12/31/microsoft-interna...
        
           | webmobdev wrote:
           | > At Microsoft, we have an inner source approach - the use of
           | open source software development best practices and an open
           | source-like culture
           | 
           | MS has an "open source" culture? I laughed and remain
           | skeptical ...
        
             | temac wrote:
             | If somebody needed an example of open source washing...
        
             | tmotwu wrote:
             | Not untrue. Internal orgs adopt a monorepo structure - the
             | source for the majority of the infra is readable from
             | almost any developer within the company.
        
               | DaiPlusPlus wrote:
               | I figured that's where Raymond Chen gets the bulk of his
               | material from: looking at the perforce/sd diffs from
               | 1997.
        
             | deadso wrote:
             | They specifically said it's _not_ open source. Hence the
             | open source-like. To distinguish, they even have a
             | different name for it - inner source.
        
               | webmobdev wrote:
               | > To distinguish, they even have a different name for it
               | - inner source.
               | 
               | Yeah, I recognize MBA speak when I see it. That's why I
               | chuckled. They were hacked and somebody saw their code.
               | Now some guy in upper management has to spew some
               | bullshit to protect the company's "image".
        
               | elygre wrote:
               | The term "inner source" was not coined by Microsoft. The
               | wikipedia page [1] shows the history of the term.
               | 
               | 1: https://en.wikipedia.org/wiki/Inner_source
        
               | [deleted]
        
               | bpye wrote:
               | Work at MS, that term has been used for a long time
               | internally, certainly longer than I have worked here. It
               | really is very useful to be able to go find the code for
               | a product when you want to understand how something
               | works.
        
           | goalieca wrote:
           | Sure they don't do security through obscurity but any pen-
           | tester will tell you that whitebox knowledge is certainly a
           | huge help.
        
       | thatsamonad wrote:
       | Though this is bad for Microsoft, does it make the situation
       | substantially worse from a security perspective? Assuming they're
       | following good practices like not storing access keys, passwords,
       | etc, in their source control system(s), this seems like more of
       | an IP protection issue.
       | 
       | I could be wrong about that, though, and I'd be curious to learn
       | and understand more.
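
kerng's observation above that leaked access tokens are the most common way into a project, and thatsamonad's assumption that keys and passwords are kept out of source control, both come down to the same control: scan what is about to be committed and block it when a credential literal is present. The following is an added example, not code from the thread or from Microsoft; the file contents are constructed, the AWS key id is the publicly documented placeholder `AKIAIOSFODNN7EXAMPLE`, and the GitHub token is a made-up string in the documented `ghp_` format. The entropy gate on the generic rule and the `MIN_ENTROPY_BITS` threshold are choices made for this example.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Detection rules as (name, regex, capture group holding the secret).
# The AWS access-key-id and GitHub personal-access-token patterns follow those
# providers' documented public token formats; the generic rule catches a quoted
# literal assigned to a credential-looking name. An environment lookup such as
# password = os.environ["DB_PASSWORD"] has no quoted literal after "=" and so
# does not match, which is exactly the practice the scan is meant to enforce.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), 0),
    ("credential-literal", re.compile(
        r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"), 2),
]
# Generic-rule gate (example threshold): skips "xxxxxxxx"-style placeholders.
MIN_ENTROPY_BITS = 3.0


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    redacted: str  # the full secret is never written to a log or CI output


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for a string of one repeated character."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(secret: str) -> str:
    """Keep a short prefix so the finding is recognisable, mask the rest."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(path: str, text: str) -> List[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, rx, group in RULES:
            for m in rx.finditer(line):
                secret = m.group(group)
                if rule == "credential-literal" and shannon_entropy(secret) < MIN_ENTROPY_BITS:
                    continue  # low-entropy literal, treated as a placeholder
                findings.append(Finding(path, lineno, rule, redact(secret)))
    return findings


def scan_tree(files: Dict[str, str]) -> List[Finding]:
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def commit_allowed(files: Dict[str, str]) -> bool:
    """Pre-commit / CI gate: refuse the change if anything was found."""
    return not scan_tree(files)


# Constructed staged changes, as a pre-commit hook would see them.
SAMPLE_FILES = {
    "config/settings.py": (
        'DB_PASSWORD = "S3cr3t-Pr0d-Pa55w0rd!"\n'   # constructed literal: flagged
        'API_KEY = os.environ["API_KEY"]\n'          # env lookup: correct, not flagged
        'PLACEHOLDER_TOKEN = "xxxxxxxxxxxxxxxx"\n'   # placeholder: skipped by entropy gate
    ),
    ".env.example": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"   # documented AWS placeholder id: flagged by format
        "GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n"  # made-up, documented format: flagged
    ),
    "README.md": "Set DB_PASSWORD in the environment before starting.\n",
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f.path}:{f.line} {f.rule} {f.redacted}")
    print("commit allowed:", commit_allowed(SAMPLE_FILES))
```

Format rules (the first two) fire regardless of where the token sits, including a README or an `.env.example`, because a token in a documented provider format is a credential wherever it appears; the generic rule is the noisier one, so it is the one gated by entropy and by requiring a quoted literal.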
        
         | j_walter wrote:
          | Exploits are much easier to find if you have pure source code
          | and don't have to reverse engineer it.
        
           | acct776 wrote:
           | Assuming your source isn't a fucking mess, is commented, APIs
           | documented, etc
        
             | onionisafruit wrote:
             | Right. One place I worked would probably benefit from
             | attackers getting access to the source code. It would cost
             | them weeks of productivity trying to figure it out.
        
             | tpmx wrote:
             | The core Windows source code is surprisingly readable/well
             | written, I've heard.
        
             | rhexs wrote:
             | No, it's still much easier.
        
         | arkadiyt wrote:
         | It just lowers the cost of exploit development, that's all.
        
           | tempfs wrote:
           | Umm, that IS a big deal for the most deployed normal-user OS
           | in the world.
        
             | acct776 wrote:
             | ...if you're a normal user.
             | 
             | Or in charge of protecting them.
        
         | frombody wrote:
         | There was at least one SAML bug found in Office 365 federation
         | some years back that would allow anyone to log into anyone
         | else's account.
        
         | munchbunny wrote:
         | If SolarWinds was compromised and the attackers could use that
         | as a backdoor into Microsoft's datacenter, the problem isn't
         | really about protecting source code. The problem is whether
         | attackers were able to leverage that into stealing data from or
         | sabotaging Microsoft customers. After all, that customer list
         | contains many parts of the US government and civilian
         | infrastructure in general, plus major international
         | corporations.
        
           | TechieKid wrote:
           | The update literally says that "found no evidence of access
           | to production services or customer data."
        
             | munchbunny wrote:
             | I think you're misunderstanding my point.
             | 
             | The "risk" mentioned in the quote a few comments up, and in
             | the context of the post by MSRC, isn't about the risk of
             | leaking Microsoft IP. It's about the risk that Microsoft
             | customers might have been affected. Whether or not MSRC
             | found evidence of a breach of customer accounts/data is a
             | related but separate question.
        
             | somethingwitty1 wrote:
             | There are two aspects to the comment though: 1. Did they
             | access services/data as part of this? 2. Can/did they use
             | what they got to impact customers/gain access to customer
             | data.
             | 
             | The comment in the article speaks to #1. And of course, we
             | have to take that with a grain of salt. I doubt any company
             | impacted by this would be fully honest if there was a
             | customer breach. Regardless, you also can't prove a
             | negative. So all they can really say is what they did.
             | Which doesn't mean services/data weren't compromised. Given
             | the size of Microsoft, I find it hard to believe that every
             | service running there has the logs/audit trail to know
             | whether they were inappropriately accessed.
             | 
             | But I took the OPs comment to be focused on #2 as well.
             | There is a very real possibility that having access to the
             | source code could help the attackers attack customers.
             | Having access to the source code can help in locating
             | vulnerabilities that allow future attacks against
             | customers/services.
        
       | stewofkc wrote:
       | I think as hacks become more and more common, and as more
       | businesses lose revenue from data breaches, more companies will
       | adopt better privacy and data security practices.
       | 
       | If someone "hacks" DuckDuckGo's databases, for example, they
       | won't find any useful information. If they accessed Facebook's
       | data storage, they would have tons of information about millions
       | of people.
       | 
       | As companies like Microsoft, Apple, etc. adopt stronger data
       | security, I think the general population will shift their
       | practices as well.
       | 
       | This video (https://www.youtube.com/watch?v=eeBRt4qGHH8) kind of
       | made everything click for me as far as how a "hack" can impact a
       | person beyond just the data being publicly accessible.
        
       | jtchang wrote:
       | On the whole this does not affect my perception of Microsoft. In
       | fact it probably tilts it in their favor. They were able to
       | conduct a thorough investigation and figure out the attackers had
       | access to the source. The reality is that while it makes future
       | attacks easier it has already been taken into account for a large
       | majority of risk assessments.
       | 
       | People trash Microsoft a lot but some of the people there are the
       | best in their respective fields.
        
         | samstave wrote:
          | > _They were able to conduct a thorough investigation_
         | 
         | Prove that.
        
         | ByteJockey wrote:
         | My problems with microsoft really aren't around their security
         | practices (these days).
         | 
         | It's more around the ads in the start menu, the telemetry they
         | send, and their tendency to reset my telemetry settings around
         | updates.
         | 
         | I don't feel like I'm in full control when I'm using a computer
         | running windows. Which, y'know, is probably fine for 95% of
         | computer users, they want more of an appliance than a general
         | computing experience.
        
         | dmtroyer wrote:
         | I mean, true they detected this but you don't know what you
         | don't know...
        
         | superfrank wrote:
         | Do people still trash Microsoft? Maybe it's just because I'm in
         | Seattle, but I feel like their reputation has really turned a
         | corner in the past year or two.
         | 
         | There's still a lot of cruft from who they used to be, but I
         | feel like most people I know echo the sentiment that Satya has
         | been a revolution. Things like them embracing Linux, acquiring
         | and not ruining NPM and Github, contributing to open source
         | projects, and all the work they've done with Dotnet Core seem
         | to really have bought them a lot of goodwill, at least with the
         | people I know.
        
           | Spooky23 wrote:
           | Microsoft is like the government... everyone has a
           | relationship with them, and those experiences vary from high
           | trust / strategic down to a sort of taxman.
           | 
           | If your work is such that scaling to bazillions of servers or
           | other artifacts isn't an issue, Microsoft is a smart choice.
           | If you are building Facebook, it is a dumb choice.
        
             | oblio wrote:
             | I think using their dev tools is a solid choice. Using
             | their OS or their DB... not so much, primarily due to
             | licensing.
        
               | trinix912 wrote:
               | I only wish more of those tools would be cross platform.
               | I know it's not happening, but it'd be nice if I could
               | develop WPF stuff right on my macbook without a VM.
        
           | fortran77 wrote:
           | They do on Hacker News! People here seem oblivious to the
           | fact that Microsoft is right behind Apple in valuation.
        
             | tdhz77 wrote:
             | What does this valuation matter?
        
               | hollerith wrote:
               | There is some correlation between selling good products
               | and valuation. Intel's valuation for example went down
               | 25% in 2020 in contrast to the NASDAQ US Composite index
               | (of which Intel is a part) which went up over 40%.
        
               | [deleted]
        
           | coliveira wrote:
           | They are doing this to survive, not because they love open
           | source and Linux. MS is still every ounce of the company they
           | were in the 90s, they just saw the writing on the wall and
           | decided to play for the new generation of developers. I don't
           | trust them any better.
        
           | boxmonster wrote:
           | A lot of people don't update their opinions because it takes
           | work. I know because I've made it habit of checking my
           | assumptions and I still forget. For example, people still
           | trash PHP and post a "A Fractal of Bad Design" when PHP 8 is
           | now on par with any other language and not an amateur
           | minefield. Some things get better, some things get worse.
           | It's best to check in once in awhile. Microsoft is much
           | better than it was 20 years ago.
        
             | webmobdev wrote:
             | Good point and maybe true for PHP, but not for Microsoft or
             | its products. They've continued to "update" their bad
              | practices too, and it's not just old criticisms that are
             | rehashed again against them.
        
           | lalalandland wrote:
            | While Windows 10 is a pretty good and stable system, the bundled
           | programs that are default for photos etc are truly awful. In
           | corporate environments it's often hard or impossible to
           | install 3rd party programs, so when the default bundled
            | software sucks, it is frustrating to deal with...
        
           | jjcon wrote:
           | Could be my neck of the woods too but where I am Microsoft
           | has the best reputation among the Major tech companies (not a
           | privacy nightmare, great research division, has started
           | supporting open source, remains fairly apolitical)
        
           | wizzwizz4 wrote:
           | > _Things like them embracing Linux_
           | 
           | Have you seen the WSL2 DirectX support?[0] They're extending
           | it, too!
           | 
           | [0]: https://news.ycombinator.com/item?id=23241040
        
             | oblio wrote:
             | They'll extinguish desktop Linux any day now!
        
               | phendrenad2 wrote:
               | It's funny because Linux did just that to Unix. Embrace
               | (new OS that does everything Unix does, and free!),
               | extend (Linux has features not found in classic Unixes),
               | extinguish (Linux is now the de facto standard, so anyone
               | who wants to use Unix is laughed at).
               | 
               | Microsoft gets mocked for embrace/extend/extinguish, but
               | really, it means just do a better job than the
               | competition. Embrace: "do what others are doing", extend:
               | "do a better job at it, have more features than the
               | competition", extinguish: "sell customers on those
               | features and improvements". How anyone could be against
               | competition, simply because it's framed in a cheesy
               | phrase, is beyond me.
        
               | Dylan16807 wrote:
               | You can compete without working to convert an ecosystem
               | from standardized to proprietary. If that happens it
               | becomes much harder for anyone else to compete, and the
               | end result is reduced competition.
        
               | oblio wrote:
               | That's what most companies do, though.
               | 
               | "Differentiate your product."
               | 
               | "Let's build an IP portfolio."
               | 
               | "We don't want to be the dumb pipe."
               | 
               | "Build a moat around the product."
               | 
               | "Don't let yourself be commoditized."
               | 
               | Etc.
               | 
               | All that coded or not so coded business language says the
               | same thing: make it proprietary/uncopyable and make money
               | off of it.
        
           | cat199 wrote:
           | > acquiring and not ruining NPM and Github
           | 
           | a little early to come to this conclusion, one way or
           | another, I think
        
           | webmobdev wrote:
            | Yes, people still trash Microsoft because many of their
            | business practices and products are trashy, even if it
           | needn't be.
           | 
           | Windows is a great example - forced updates, forced ads,
            | forced data-mining and spying, stupid UI changes etc. all make
           | an otherwise decent OS a real pain to use and a must-avoid
           | for the privacy conscious. These are easy to fix for a
           | company like MS, but they do not.
        
             | tester756 wrote:
             | > forced updates
             | 
              | I don't understand whining about that when you have
              | billions of people using your OS, so shitton of people who
             | are newbies at computers then you want to help them to stay
             | as secure as possible.
             | 
             | "at best(worst?)" this thing is "not nicest", but it's
             | totally reasonable.
             | 
             | you have reasonable control over updates on non-home
             | versions, imo.
        
               | xeeeeeeeeeeenu wrote:
                | >I don't understand whining about that when you have
                | billions of people using your OS, so shitton of people who
               | are newbies at computers then you want to help them to
               | stay as secure as possible.
               | 
               | That doesn't explain forced _feature_ updates.
        
               | bosswipe wrote:
               | The thing that finally got me to abandon Windows was when
               | a forced update wiped away the system settings that I had
               | spent days figuring out to get a trackpad to work the way
               | I wanted to.
        
               | alpaca128 wrote:
               | People who are newbies at computers wouldn't be able to
               | find the switch to turn off updates anyway, so why not
               | include the opt-out setting for users who care?
               | 
               | Forced updates are unnecessary and a bad idea, even more
               | so in rolling-release models.
        
               | justapassenger wrote:
               | Especially, as Windows updates, given basically infinite
               | combination of hardware (often broken) and software
               | (broken even more often) are super rock solid.
        
               | cubano wrote:
               | So true. I just yesterday, on a lark, took a win10 SSD
               | from a new Dell and stuck it in a 10 year old HP, and
               | within about a minute it booted much to my surprise.
               | 
               | It didn't even need to connect to the internet.
        
               | dougmany wrote:
               | Don't try that with Arch Linux. That distro lost me
               | forever because I didn't log into a computer for six
               | months (in 2012) and the OS was recoverably broken.
        
               | AsyncAwait wrote:
               | From experience, I highly doubt it was actually
               | unrecoverable. I did something similar many times & all
               | it takes is to read archlinux.org news section & apply
               | .pacnew config diffs where needed. Arch is a bleeding
               | edge distro constantly marching ahead; that's one of its
               | primary advantages, so it's best to update regularly.
               | That being said it is very much possible to not update
               | for months, just requires a bit of extra care when you
               | finally do due to the large number of accumulated
               | changes.
               | 
               | I even did an online, in place switchover from SysV to
               | systemd in 2011 and despite that being a scary amount of
               | changes at once still got a working system.
        
               | btgeekboy wrote:
               | For quite a while, Windows was the holdout. MacOS
               | wouldn't even flinch if you moved it to another machine;
               | Linux might have needed a little help finding its root
               | volume or NIC but would otherwise be happy. Windows,
               | however, would fall over with a BSOD.
        
               | dawnerd wrote:
               | They've been way more stable than MacOS updates recently
               | too. That has to say something about the processes
               | Microsoft has in place to QA.
        
               | zepto wrote:
               | Have they? Or do the people they impact simply not blog
               | about issues.
        
               | mschuetz wrote:
               | I dislike the forced windows update because they shove
               | crap down your throat with the updates, try to force edge
               | on you, and repeatedly try to get you to accept their
               | privacy stuff.
        
           | katbyte wrote:
           | Microsoft is a very large company with many different
           | internal orgs, your experience will vary greatly from one to
           | the other (or product to product)
        
         | mrmonkeyman wrote:
         | The best people are always where the money is, not the morals.
         | 
         | Wall street, defense, giant megacorps. I will trash them for
         | it. It has nothing to do with being "competent".
        
         | rcurry wrote:
         | So true. There's this funny line in one of Paul Graham's essays
         | where he says something like "making the wrong technology
         | decision can doom your business - like choosing Windows in the
         | 90s" I got such a kick out of that because I worked for
         | CyberTrader in the 90s; we built our whole platform around
         | Windows and wiped the floor with our competitors. We ended up
         | the top day trading company in the US and were acquired by
         | Charles Schwab for just shy of $500m. But at the time, you pit
         | Windows NT with IOCP against anything else and it was game over
         | in the low latency trading space.
        
           | RhodoYolo wrote:
           | Funny enough in 'founders at work' it sheds light on the
           | early days of paypal. It seems to point towards one of the
           | reasons Elon got fired as CEO of Paypal is because the
           | broader team disagreed with Elon about whether to build
           | around windows or linux and Elon argued that there was more
           | tooling in windows at the time.
        
           | nikanj wrote:
            | Reading the old NT debugging blogs and Raymond Chen's stuff
           | was very eye-opening. Microsoft has incredibly talented
           | engineers ready to help Solve Problems, not just toss you the
           | source code and wish you luck.
        
             | [deleted]
        
             | tenebrisalietum wrote:
             | Cool, maybe they'll solve the problem of Teams freezing up
             | constantly someday.
        
               | superjan wrote:
               | Try disabling gpu rendering.
        
               | oblio wrote:
               | I think that's the generic solution to Electron apps
               | issues :-))
        
               | gerdesj wrote:
               | That works OK, even on Linux (anecdotally)
        
               | gerdesj wrote:
               | That does not happen, even with the beta grade Linux
               | version on Arch (as I run it)
               | 
               | You may have a rubbish internet connection. If you are
               | using a VPN with a slow internet connection, investigate
               | a split tunnel. Teams traffic involves only three IP
               | ranges so it is easy to split out and route direct to
               | shave a fair bit of latency.
               | 
               | Other issues will require more investigation but they are
               | local to you.
        
         | webmobdev wrote:
         | Doesn't mean they don't deserve the criticism or trash
         | directed at them for their products or business practices.
        
       | BrentOzar wrote:
       | Here's the updated Microsoft post that contains the admission
       | that the hackers viewed source code:
       | 
       | https://msrc-blog.microsoft.com/2020/12/31/microsoft-interna...
       | 
       | Drives me crazy that Reuters could write an entire post about a
       | Microsoft blog post, yet not link to the post itself.
        
         | giancarlostoro wrote:
         | It drives me crazy when in 2020 news articles do not link to
         | sources.
        
           | dvdbloc wrote:
           | Why would they? Will it increase revenue if they do?
        
             | wslack wrote:
             | Because the goal of news should be to inform, especially
             | when talking about court filings, and we as viewers should
             | not give traffic to sites that don't do basic linking work.
        
               | Frost1x wrote:
               | I believe parent was being rhetorical and/or facetious.
               | 
               | What we believe organizations _should_ do and what they
               | _actually_ do is often misaligned based on problematic
               | underlying driving forces/goals.
               | 
               | Profit motives have tended to overcome all other
               | incentives in our (the US) economic structure. It may be
               | a broader problem globally due to power and influence of
               | the US.
               | 
               | The same can be said about consumer motives. I probably
               | _should_ shop locally more often, but I may not be able
               | to afford local rates and have to pass the costs down the
               | line if I want to continue supplying more basic underlying
               | goals (eating, staying sheltered, etc).
               | 
               | At some point we have to have the difficult conversations
               | of choosing the tradeoffs we do and don't want to
               | support, otherwise we may let flawed underlying goal
               | structures guide us to the paths of least resistance,
               | which may ultimately not be good for humanity (or it may
               | be, who knows).
               | 
               | Given a lot of current directions, I find it hard to
               | believe our underlying system structures are great for
               | human well being. It may have been a good run for awhile
               | but that may be a short temporal anomaly. We may have to
               | more thoroughly consider long term consequences of goals
               | we set that may run counter to their actual intent.
               | 
               | It's easy for some to simply ignore the underlying
               | problems and play the game optimally for oneself.
               | Personally, I've never been happy with that option (the
               | option which OP sort of alludes to).
        
               | 28u34ri wrote:
               | The goal of the "legacy news" is to support a paycheck.
               | 
               | Wealthy individuals or groups will financially support
               | these "legacy news" organizations as long as they have a
               | say in what is put out.
        
             | will4274 wrote:
             | Because it's what their customers want? Higher quality news
             | sources have begun to get it (even if 10 years late).
        
           | [deleted]
        
           | koolba wrote:
           | If 2020 has taught us anything, it's that including sources
           | will only lead to them being questioned to refute the
           | article's premise.
        
             | giancarlostoro wrote:
             | Them Covington High Schoolers would like to have a word. It
             | took me under 10 minutes to do what CNN didn't bother to
             | do: confirm the claims of one man. It cost them dearly, and
             | rightfully so.
        
         | dang wrote:
         | Ok, we've changed to that from
         | https://www.reuters.com/article/us-global-cyber-
         | microsoft/so.... Thanks!
        
         | Godel_unicode wrote:
         | If you've been following this story you'll realize that someone
         | at Reuters really has it in for Microsoft. This despite the
         | backlash they've seen in the community for their rather tenuous
         | leaps of logic (see for instance this gem:
         | https://in.reuters.com/article/global-cyber-usa/suspected-
         | ru...).
         | 
         | You'll note that they buried the byline in this piece at the
         | bottom, crediting "Reuters staff" at the top.
        
           | tpmx wrote:
           | Trying to understand:
           | 
           | You're saying Reuters shouldn't report severe security
           | breaches at Microsoft? Or that they are doing it because
           | someone there dislikes Microsoft? For the latter - does the
           | motivation really matter?
        
             | Godel_unicode wrote:
             | I was responding to a comment about why Reuters didn't link
             | their source for the article by pointing out that it's
             | consistent with their coverage of trying to sensationalize
             | a pretty boring story. If they linked the Microsoft blog
             | post, people might realize that the story isn't what
             | Reuters is trying to spin it as.
             | 
             | Their motivation of generating click-bait at Microsoft's
             | expense matters as it means you should seek clarifying
             | information from other sources. Or just ignore Reuters and
             | hope the drop in traffic drives them to more closely tell
             | the whole story.
        
               | tpmx wrote:
               | But the Reuters piece
               | (https://www.reuters.com/article/us-global-cyber-
               | microsoft/so...) is on point. Microsoft was in fact
               | breached and attacker(s) accessed source code.
               | 
               | Simplified, sure, but not overly so.
               | 
               | (Linking or not linking to corporate blog posts - I agree
               | they should do that, but I suspect it's a general article
               | style guide thing.)
        
               | Godel_unicode wrote:
               | Technically true as far as it goes, but the important bit
               | about the piece is what it doesn't say: no modifications
               | or builds. To understand how important that is, and why
               | Microsoft included it in big letters in their post, just
               | see how many people here are asking/worrying about that
               | possibility. Read isn't cool, nefariously wrote is cool.
               | 
               | Technically true but highly misleading is a dangerous
               | route to go, and it makes me sad how often stories tread
               | that path in the name of clicks.
        
               | guenthert wrote:
               | MS blog might be safe, but I suspect Reuters just
               | generally doesn't want to be responsible for the source
               | being slashdotted (rather "reutered" then).
        
               | tpmx wrote:
               | My gut feeling is that it's more about an instinct not to
               | drive traffic offsite from their customers' online
               | properties, perhaps combined with a now hilarious print-
               | defensive attitude ("URLs don't work in print and our
               | reports must work equally well both online and in
               | print").
        
               | kerng wrote:
               | Breached is a legal term... they were compromised but
               | probably didn't suffer a breach. The MSRC blog post is
               | exactly there to cover those legal grounds I guess.
        
         | guardiangod wrote:
         | Many security companies' stock went up upon release of this
         | news, as they have done in the last 2 weeks.
         | 
         | I'd not be surprised if someone in Reuters is profiting from
         | hyping the breach.
        
           | lallysingh wrote:
           | IIRC Bloomberg news rewards stock price changes directly.
        
       | HatchedLake721 wrote:
       | Original blog post by Microsoft - https://msrc-
       | blog.microsoft.com/2020/12/31/microsoft-interna...
        
       | netfortius wrote:
       | Funny usage of the MS defender for the link to the "inner source"
       | wikipedia entry:
       | 
       | https://nam06.safelinks.protection.outlook.com/?url=https%3A...
        
         | srtjstjsj wrote:
         | Something bizarre in that URL
        
       ___________________________________________________________________
       (page generated 2020-12-31 23:00 UTC)