[HN Gopher] SolarWinds hackers were able to access Microsoft source code
___________________________________________________________________
Author : accountinhn
Score  : 342 points
Date   : 2020-12-31 18:24 UTC (4 hours ago)
Link   : msrc-blog.microsoft.com
| pmlnr wrote:
| It's simple: open source Microsoft, then this is not an attack vector any more ;)
| cogman10 wrote:
| I wonder if incidents like this will push MS towards open sourcing windows.
|
| IDK what their revenue looks like, but I'm guessing that selling the OS isn't as front and center as it used to be (from the way they are changing in terms of supporting things like linux).
|
| Even if they keep a pretty tight license around the source, releasing it to the public would earn a lot of good will while potentially finding and fixing security problems.
| ksec wrote:
| >I wonder if incidents like this will push MS towards open sourcing windows.
|
| What I am thinking as well. Unimaginable if it was 10 years ago, but modern Microsoft seems to be taking a different approach. And Apple desperately needs some competition to keep Tim Cook honest.
| sterlind wrote:
| (I work for MS but not on Windows.)
|
| I don't think Windows will be open-sourced precisely because it's not as important as it used to be. It'd be a ton of work to root out vendor code incompatible with OSS licensing, remove internal dependencies etc. That's not worth it unless we have big plans for Windows to stay relevant, which I have no knowledge of but suspect that we don't.
|
| Probably we'll see the most relevant pieces be opened up, like the driver model a while back.
| rightbyte wrote:
| They can open source it and still keep the copyright. I mean it is not automatically GPL just because they put it on a public git server.
| aeyes wrote:
| Not without refactoring third party code which is used under license.
| agar wrote:
| Not if Windows includes source code purchased or licensed from third parties who contractually prohibit MS from publishing their source code.
|
| Which it probably does.
| mattl wrote:
| I think IE was based on third party stuff. I'm sure there's bits of that floating around everywhere.
| cogman10 wrote:
| So while not the whole thing, seems like they could open source core pieces like the kernel. That will probably take some code reorg to achieve though so maybe that's why it'll never happen. Last I heard on HN, windows was pretty much just a giant repo with everything in it. That'd have to change for them to release core pieces (If it hasn't already).
| cglong wrote:
| FWIW, Microsoft has been slowly shifting some components to OSS (Command Prompt, Windows Terminal, Calculator, WinUI).
|
| Disclaimer: work at Microsoft but in Azure
| cogman10 wrote:
| As far as community trust goes, MS has been killing it for the last several years. They've done a 180 in terms of being good software citizens. I'm really hopeful that core pieces (such as the kernel) end up hitting the public eye.
| MeinBlutIstBlau wrote:
| I always thought the reason they charged for their OS was due to their anti-trust lawsuit so as to state that they weren't actively trying to dominate the market or something along those lines? Also, OEM operating systems are kind of circumventing that.
| easton wrote:
| The reason I always heard was that there's tons of binary blobs in Windows they bought from vendors that'd have to be reimplemented (the zip library is the most notable example).
|
| Russinovich said never say never though, so I don't know. https://www.wired.com/2015/04/microsoft-open-source-windows-...
| acct776 wrote:
| Being open source is not correlated with charging licensing fees.
|
| It just means you can read the source.
| Jestar342 wrote:
| Some licenses very explicitly prohibit source distribution/publication.
| robotnikman wrote:
| I've heard that one of the major obstacles to open sourcing Windows is that a lot of code in the Windows codebase may be proprietary and owned by companies other than Microsoft.
|
| Apparently it's also an obstacle for many other closed source programs when it comes to considering a transition to open source
| [deleted]
| frombody wrote:
| Very curious as to the details they aren't releasing.
|
| If you read between the lines they are saying that accounts were compromised, but not through token stealing, which means the attackers got the passwords to the accounts, and likely skirted MFA requirements because they were already inside, or there were none.
|
| While there are many avenues to steal passwords once you have the foothold the attackers did, it would be interesting to know the details as to how these particular accounts were compromised.
| mc32 wrote:
| With a large and sophisticated Corp like Microsoft, wouldn't they have a Zero Trust kind of security model which means certs and MFA regardless of location, behavior, etc.
|
| Obviously a lot we can only speculate about.
| somethingwitty1 wrote:
| I've worked in big companies like Microsoft, so can only comment from that perspective. Due to their size, they often do not have MFA regardless of location. Many didn't even use MFA. Most have been moving there, but it was long, multi-year projects. So I wouldn't be surprised if Microsoft doesn't have MFA for everything.
| srtjstjsj wrote:
| MFA was standard in industry leaders 10 years ago.
| isbjorn16 wrote:
| MSFT employee here: I don't know of an internal service that I use that doesn't have MFA.
|
| I am not going to make a broad statement saying they don't exist, I'm just saying I haven't found one yet.
| It's really annoying because I rarely have my phone on me when I'm at home so I have to go track it down. I'd be so happy if they let me use a yubikey :(
| bluedino wrote:
| A company like Microsoft probably gets "hacked" what, a hundred times a day? A thousand?
| frombody wrote:
| Can you elaborate on your point?
|
| What I am saying is that these credentials can be stolen from MITM attacks, log files stored on random servers, or even basic mistakes like literally writing the password where other people can see it.
|
| Knowing what kind of operational mistakes Microsoft made that led to account compromises would help others avoid becoming victims of similar attacks.
| jeffrallen wrote:
| Poor hackers. I hear Visine soothes bleeding eyes.
| stagger87 wrote:
| Your comment breaks several guidelines here.
|
| https://news.ycombinator.com/newsguidelines.html
| asah wrote:
| closed source = only the bad guys get to see it. :-(
| vthallam wrote:
| > This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn't tied to elevation of risk
|
| I don't know how much of this is true. Wouldn't it be helpful for bad actors to understand how Windows defenses work looking at the code thereby increasing the risk?
| drvdevd wrote:
| Whether or not it would be helpful to attackers, this is still the correct threat model for Microsoft to operate with. Sufficiently motivated attackers can reverse anything they distribute publicly anyway.
| lrem wrote:
| Nobody seems to mention an important aspect: megacorps like Microsoft, Amazon, Google or Oracle hire thousands of engineers each year. It's not particularly hard for a bad actor to get an agent hired into their target and gain access, for nefarious purposes, in the legit way.
| phendrenad2 wrote:
| Remember that anyone can manually decompile Microsoft source code.
| It's a lengthy tedious process, but that's nothing for a determined attacker.
| ipython wrote:
| That's not nearly comparable to commented source code repo. "Decompiling" leaves you with a barely readable facsimile of the original code, and most likely won't even compile again.
|
| The true value in source code at this level are the comments and symbols. Microsoft provides most of the symbols, the comments you can't recover from a binary.
| mmaunder wrote:
| Agreed. They're using that argument to frame their breach as a win. The reality is that open source is easier to reverse engineer and find vulnerabilities in because you have the source. Our researchers do this every day and closed source makes that harder. Advocacy debates in favor of open source have muddied this conversation - but that is the cold hard reality.
|
| Now that an adversary has MS's source code, it is indeed easier for them to do vulnerability research. So this is a net loss for MS's overall security posture, not a win.
| dwheeler wrote:
| It is generally accepted in the security community that hiding source code does _not_ provide security.
|
| The principles for developing secure software were identified in the 1970s by Saltzer and Schroeder, and they're still true today. One of those principles is "open design", that is, don't depend on design secrecy for security of the system. Instead, depend on secrecy of things that are trivially changed (like private keys and passwords). Then, when the secret is exposed (or you think it might be), you quickly change all the secrets and there's no problem. One source of this paper: https://www.cs.virginia.edu/~evans/cs551/saltzer/
|
| In the case of Windows, the source code is not really secret anyway.
| Most governments have continuous access to the source code, typically through the Microsoft Government Support Program (GSP) https://www.microsoft.com/en-us/securityengineering/gsp Many businesses and universities also have access to Windows source code. You can see various programs to provide such access in different cases via https://www.microsoft.com/en-us/sharedsource/ In addition, Microsoft employs a huge number of employees who have access to its source code, and you can't really keep a secret long when a large number of people know the secret. Efforts like bribes, appeals to patriotism, etc. will eventually successfully get someone to reveal a secret if there's a large enough group, especially since it's relatively easy to identify who works for Microsoft or otherwise might have such access.
|
| If that's not enough, Microsoft distributes executables, and disassemblers & decompilers can provide enough information for static analysis anyway. So you could re-derive what you need to attack Windows if you needed the source code for some reason.
|
| Anyone who depends on secrecy of code to provide security is in trouble. Typically the real reason to keep (some) code secret is to support certain proprietary business models and to meet certain legal obligations, and is not really about security.
|
| Note that Microsoft understands this; they're quite clear in stating that the security of Windows does not depend on keeping its source code a secret.
| hguant wrote:
| It's not just governments - if you give them enough money they'll send you the source, and all the tools required to build it. Device manufacturers in particular need this - you think Seagate is using the online windows docs when they write SSD drivers?
| dividuum wrote:
| Isn't that the Kerckhoffs's principle?
| https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle
| dwheeler wrote:
| Open design is basically a generalization of Kerckhoffs's principle.
|
| Kerckhoffs's principle is usually stated as "A cryptosystem should be secure even if everything about the system, except the key, is public knowledge." Note that Kerckhoffs's principle only refers to cryptosystems. The open design principle is a generalization that applies to all systems, whether or not they are cryptosystems.
| [deleted]
| jcelerier wrote:
| windows source code has been open to academics for something like two decades
| webmobdev wrote:
| Yeah, the whole point of looking through the source code is to find undocumented APIs and bugs to exploit.
| saltyshake wrote:
| there are many books written on Windows undocumented APIs. these things aren't hidden at all.
| webmobdev wrote:
| Yeah, right. Everything is so open about all MS binaries that they don't even need to be closed source! It takes a lot of time and effort to find these poking the binaries, and then experimenting with them. The source code makes this task obviously easy.
| monocasa wrote:
| A lot of times stuff like undocumented APIs and bugs are easier to find taking apart the binary anyway. Goofy stuff tends to be obfuscated in source as engineers add so much abstraction around the goofy pieces, but it's clear in the final binary.
| webmobdev wrote:
| > A lot of times stuff like undocumented APIs and bugs are easier to find taking apart the binary anyway.
|
| Is that why Microsoft, and all you people who poke at its binaries, have fixed all the bugs in MS binaries? /s
| [deleted]
| monocasa wrote:
| Why do you think the people poking around MS's binaries overwhelmingly want the bugs they find to be fixed?
| thisiszilff wrote:
| I'd imagine the answer is yes, viewing the source code would increase the risk relative to an attacker that did not have access to the source code, but the statement is saying that whatever risk assessment Microsoft does already assumes attackers have knowledge of source code. EG, they are conservative and do not rely on source code secrecy when making any security evaluations.
| burnthrow wrote:
| That assumes total security competence at Microsoft. The Linux model benefits from public audit.
| TrueDuality wrote:
| For what it's worth I'm familiar with Microsoft's security team (both for their infrastructure and code) first hand and they are some of the most competent individuals I've ever had the pleasure to know.
|
| I'm personally not a huge fan of Windows, and it definitely has flaws but the amount of considerations taken into account, and the speed with which issues are identified and repaired in a code base of that size, especially while maintaining a disgusting amount of backwards compatibility is crazy impressive.
|
| That aside, having access to the source code does make finding issues easier. It sounds like that knowledge is assumed in their risk assessments which would make that a fair statement.
| rbanffy wrote:
| This puts them on the same level as Linux - when doing Linux threat assessment we can count on the attacker having the source code for everything.
|
| In any case, it's silly to think otherwise. It's always safer to assume everyone that we wouldn't want to know something already knows that, whatever it is.
| brianberns wrote:
| Yes, but on the other hand, all the Linux source code is publicly available, and it's still considered secure.
| glouwbug wrote:
| Causation vs. correlation, Linux is secure because it _is_ open source.
| Closed systems can cut corners, assuming the source stays secret
| acct776 wrote:
| No, it is not, by any stretch of the imagination, by security researchers.
|
| This has been on the front page all day: https://madaidans-insecurities.github.io/guides/linux-harden...
|
| It is safe to assume it is more PRIVATE than a Microsoft OS, but not more secure.
|
| Please don't react emotionally to this... It was a bit jarring of a shift in thought to me as well, at first.
| acct776 wrote:
| Downvoters, consider reading first: https://madaidans-insecurities.github.io/linux.html
| richardwhiuk wrote:
| That article comes from an extremely naive security posture.
| tester756 wrote:
| I'm curious whether somebody will challenge it
| MeinBlutIstBlau wrote:
| Linux isn't any more secure or safer than a lock on my door will prevent someone from just breaking the window. Hackers do in fact target linux machines, just not average desktop users. They typically go after servers since they run basically everything. And chances are, standard linux users know what they're doing so a ransomware attack isn't really much to frighten a linux user as much as it is to just piss them off but still recover in like 24 hours or less.
| daniel-levin wrote:
| Microsoft shares source code with lots of partners. It would be asinine to admit that source code leaks, accidental or otherwise, would compromise their security. If they did that, it would create headaches for their massive contracts where source sharing is a prerequisite. So they toe the party line and say no, in fact, source code leaks do not compromise security.
| TedDoesntTalk wrote:
| > Microsoft shares source code with lots of partners
|
| ALL source code for ALL active AND inactive projects? I highly doubt it.
|
| You simply have no idea if the attackers had access to unshared, proprietary code or not. Like Azure server-side components.
| srtjstjsj wrote:
| The source code is already out there, so any compromises have already been found and exploited. Leaking it further won't create more vulnerabilities, and more likely will cause existing vulnerabilities to be found by white hats
| macjohnmcc wrote:
| Many years ago when I worked at Microsoft I asked for the source code to Solitaire. A few days later I received a stack of CD-ROMs with the entire source code of Windows NT (4.0 maybe).
| rbanffy wrote:
| > a stack of CD-ROMs with the entire source code of Windows NT
|
| That's a lot of code. Scary.
| mandeepj wrote:
| >That's a lot of code.
|
| It's estimated to be around 40 million lines of code
| macjohnmcc wrote:
| And it was not compressed it was just a bunch of files and folders. My guess is it was around 15 CD-ROMs
| herodoturtle wrote:
| And what of the source code to Solitaire!?
|
| Cool memory, thanks for sharing.
| macjohnmcc wrote:
| It took ages to figure out where the code even was in the many files and folders. The directory structure did not make it obvious.
| macjohnmcc wrote:
| I just thought of something. At the time blank CD-R's were about $15 each and the fastest burners at the time were 2x burners. I'm sorry I wasted so much of the time of the person who burned these, and the cost of the media!
| westmeal wrote:
| Can't wait until cozy bear leaks that :D
| macjohnmcc wrote:
| Make that winning animation use the GPU!
| sedatk wrote:
| That was before Source Depot, I presume.
| codezero wrote:
| I don't know if I missed it in the article, but did they say anything explicit about write access? Seeing the source may give access to new zero days, but it would be much worse if the attackers were able to seed a large number of commits into the code that introduce subtle vulnerabilities.
| 1f60c wrote:
| This reminds me of The Linux Backdoor Attempt of 2003[0], when someone (maybe a three-letter agency, maybe not) was able to insert a subtle bug in the Linux kernel.
|
| [0]: https://freedom-to-tinker.com/2013/10/09/the-linux-backdoor-...
| yjftsjthsd-h wrote:
| > was able to insert a subtle bug in the Linux kernel.
|
| ... was able to insert a bug into a _mirror_ of the kernel, which was caught in short order.
| joosters wrote:
| ... _which was caught in short order_
|
| That means nothing, of course it was caught, otherwise we'd never have heard about it. We can only speculate about the ones that haven't been caught...
| yjftsjthsd-h wrote:
| We can look at _why_ it was caught (people paying attention to commits, policy of requiring commits to be properly signed off), and conclude that it would be difficult to add anything without being caught. Or, put differently, if you believe that bad actors can get around that level of precautions, you might as well give up because everything else would be equally compromised.
| thatsamonad wrote:
| Sounds like the attackers did not have write access. From the original blog post:
|
| > _The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated._
|
| I would also hope that direct commits don't go immediately to a production system without some sort of review. At my workplace we have branch protections for all "main" branches that would result in a deployment. At least one other person has to review changes and all of our automated checks have to pass before anything can even get close to running through a deployment pipeline.
| codezero wrote:
| Whew, that's good to hear. I assume anyone trying to inject malicious code is going to try to do so in a way that doesn't go through normal code review channels.
| thatsamonad wrote:
| True.
| However, hopefully that's being mitigated through things like not allowing authors to review their own commits, not using the same accounts to push code changes and do deployments (i.e. having a read-only account for deployments), etc.
|
| However, if it were an admin account that were breached that would definitely make it possible to circumvent any number of protections in place.
| CurtHagenlocher wrote:
| At least for the projects I work with at Microsoft, nearly no user accounts have direct write access to source repos. Checkins are done by a service account only after a pull request has successfully been built and run tests, and has been signed off on by appropriate users -- e.g. I can't sign off on my own PR.
|
| EDIT: Sorry, somehow I missed the reply by thatsamonad or I would have replied to it instead of its parent.
| rightbyte wrote:
| I mean it sounds like a good security measure but also like a pain to work with? I have a recurring nightmare that management realize that submits can be blocked if they generate CI warnings and there will be no warnings anymore.
| tikkabhuna wrote:
| Tools that generate warnings can be configured to only do so on new or modified code. We do the same for our code. It can be a difficult, but ultimately some codebases require it.
| [deleted]
| [deleted]
| Trisell wrote:
| I predict a rash of eventual FireEye, Cisco, and other vendor zero days in the near to mid future. If you are a nation state actor what better way to find zero days than to get the source code and find the bugs to exploit. This is the only thing that makes sense that would be worth the risk of attacking companies such as FireEye and Microsoft.
| kevin_morrill wrote:
| Why would this actually be true? If it's easier to find in source, Microsoft probably would have found it. Every single feature there goes through multiple security reviews and there is tons of code linting.
| All the penetration testers I have met don't even bother looking at source. They just start trying things they think will flummox the software.
| hguant wrote:
| >They just start trying things they think will flummox the software.
|
| This works...until you go against a target that's heard of fuzzing before and has the time and money to do it to their own code.
|
| The really interesting Windows exploits require a combination of "throwing stuff that will flummox the software" and a deep level understanding of structures hidden to the average developer. Look at Yardin Shafir's really wonderful blog post about developing a kernel bug to a PoC - there's a lot of moving parts and security checks in modern windows, and having the source is a HUGE help.
| gafferongames wrote:
| > SolarWinds hackers were able to access Microsoft source code
|
| Are they OK? Ze googles, they do nothing
| cs702 wrote:
| Reading this, the question that immediately pops in my head is:
|
| Could a hack like this one go undetected for so long in a widely used free/open-source project developed in the open, such as the Linux kernel?
|
| While I have no doubt that something like this could happen to the Linux kernel source code (because security is Capital-H Hard), my perception is that something like this is less likely to happen to the Linux kernel -- and, were it to happen, it would likely be detected sooner, due to the inherent _transparency_ of widely used open-source code.
| kerng wrote:
| I do security research and bug bounties on side sometimes and had read/write access to a couple of large open source projects in the past, incl. being able to impersonate employees from well known companies that work on open source stuff.
|
| Most common issue was access tokens found in public places.
|
| Would be interesting to know what happens when code is updated - which I obviously wouldn't do. Wonder how long it would take until caught.
|
| Since open source projects probably don't do "red teaming" (to use a fancy buzz word) I wonder how they could practice this?
| wil421 wrote:
| Why would you need to back door Linux when you can find a company like Solarwinds that is already in most networks with greater access to the network as a whole than a Linux server.
| AnIdiotOnTheNet wrote:
| Considering how long bugs can go unfixed and undetected even in large open source projects, I think it can totally happen. Just create a backdoor that looks like an honest mistake, submit it in a PR that adds some feature or fix, and exploit it at will as people update. Heartbleed took over 2 years to find and fix.
| staticassertion wrote:
| I suspect adding bugdoors to Linux is far easier than it is for Windows, but there are already so many bugs it's easier and more viable to just look for them than to try to insert them.
| xen2xen1 wrote:
| Code was added once to Debian (IIRC) and it was detected almost immediately due to code signing.
| AnIdiotOnTheNet wrote:
| On the other hand, Debian broke OpenSSL generation and didn't detect it for almost 2 years. That appears to have been a legitimate mistake, but it is quite conceivable that a malicious actor gets a change merged that contains a backdoor that looks like an innocent mistake and goes undetected for a long time.
| newacct583 wrote:
| The exploit in this case had access to the build (and presumably signing) system. That wouldn't have helped. The protection against this would have been the comparatively new efforts at reproducible builds. A modified binary, in theory, could be detected by current Fedora and Ubuntu releases (not sure about Debian or other distros). I don't think we've had an attack in practice though.
| aquaticsunset wrote:
| As others (and Microsoft) mentioned, it was read only access.
| The only points of concern here would be if that statement somehow was not true and they were able to add undetected changes, or if their security audit process was severely lacking.
|
| But yeah, to your point - being able to read and analyze the Linux kernel source is considered a feature, not a liability :)
| neodymiumphish wrote:
| I think you're connecting two points he made that weren't connected.
|
| On the one hand, open source projects make for an environment where bad actors could propose changes to the software that include these bug/backdoors. The benefit to the open source arena is that these changes can easily be analyzed and tested.
|
| In Microsoft's case, the source being visible but not editable is still a real risk (assuming the bad actor is able to extract the data they're viewing for further analysis), because they can use the source to determine avenues for attack.
|
| The fact that it was read-only does help ensure that no new attack vectors were created, but it still increases the chance of new attack vectors being found/used in the future.
| [deleted]
| joe_the_user wrote:
| This hack wasn't really a failure of code construction but a failure of institutional practices. The same thing could have happened if SolarWinds had a garbagy sys admin tool that happened to also be open source but still otherwise followed the procedures of SolarWinds.
|
| Giant bureaucracies have a bunch of tasks they need to accomplish. Giant bureaucracies hire poorly trained people to accomplish those tasks and buy software to aid those people in accomplishing those tasks. The software is sold "by the feature" so it is colloquially "garbage" that is itself produced as cheaply as necessary to achieve these features. Naturally, such garbage is constantly updated and all these giant bureaucracies are sieves with these updates running through them.
| Sure, if these bureaucracies hired competent people, downloaded open source tools, tested the tools themselves and essentially had their own quality control in-house, this might not have happened. But that wouldn't be the out-sourcing-based, cut costs and skills to the bone, neoliberal paradigm that's near and dear to the high level managers' heart, now would it?
|
| Now, you would think that an event like this would create a realization "what we do is too important for outsourcing, for bargain-basement, neoliberal style operations". But the Office of Personnel Management hack [1] was what should have created this realization and didn't.
|
| [1] https://en.wikipedia.org/wiki/Office_of_Personnel_Management...
| popup21 wrote:
| A blind man can see that this was a rigged election. Denial and evasion are progressive liberal personality traits.
| juanbyrge wrote:
| Is the source code buildable, or is it mainly for documentation purposes? I'm guessing the build system and tool chains required for building windows are massively complex. Are these distributed with the windows source code as well?
|
| Also I'm guessing that there are a lot of other proprietary vendor-supplied pieces that get built with Windows. What happens if these are not available?
| tozeur wrote:
| Internal builds barely work with millions of dollars and man power invested. I can't imagine anyone else outside of Msft being able to build Windows lol
| koreanguy wrote:
| misleading clickbait title post, pathetic
|
| from microsoft
|
| "Our investigation into our own environment has found no evidence of access to production services or customer data. The investigation, which is ongoing, has also found no indications that our systems were used to attack others."
| HenryKissinger wrote:
| > Microsoft said the account did not have the ability to monitor any Microsoft code.
| The blog post further added it has found no evidence of access "to production services or customer data."
|
| The article is in contradiction with the headline, isn't it?
| tmaly wrote:
| If you go back to the original CISA post December 17, 2020 they noted a different attack vector other than SolarWinds had compromised some systems.
| vm wrote:
| The reuters link posted here is click-bait junk. This section from the Microsoft blog provides better context.
|
| >We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.
|
| >At Microsoft, we have an inner source approach - the use of open source software development best practices and an open source-like culture - to making source code viewable within Microsoft. This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn't tied to elevation of risk.
|
| https://msrc-blog.microsoft.com/2020/12/31/microsoft-interna...
| webmobdev wrote:
| > At Microsoft, we have an inner source approach - the use of open source software development best practices and an open source-like culture
|
| MS has an "open source" culture? I laughed and remain skeptical ...
| temac wrote:
| If somebody needed an example of open source washing...
| tmotwu wrote:
| Not untrue. Internal orgs adopt a monorepo structure - the source for the majority of the infra is readable from almost any developer within the company.
| DaiPlusPlus wrote:
| I figured that's where Raymond Chen gets the bulk of his material from: looking at the perforce/sd diffs from 1997.
| deadso wrote: | They specifically said it's _not_ open source. Hence the | open source-like. To distinguish, they even have a | different name for it - inner source. | webmobdev wrote: | > To distinguish, they even have a different name for it | - inner source. | | Yeah, I recognize MBA speak when I see it. That's why I | chuckled. They were hacked and somebody saw their code. | Now some guy in upper management has to spew some | bullshit to protect the company's "image". | elygre wrote: | The term "inner source" was not coined by Microsoft. The | wikipedia page [1] shows the history of the term. | | 1: https://en.wikipedia.org/wiki/Inner_source | [deleted] | bpye wrote: | Work at MS, that term has been used for a long time | internally, certainly longer than I have worked here. It | really is very useful to be able to go find the code for | a product when you want to understand how something | works. | goalieca wrote: | Sure they don't do security through obscurity but any pen- | tester will tell you that whitebox knowledge is certainly a | huge help. | thatsamonad wrote: | Though this is bad for Microsoft, does it make the situation | substantially worse from a security perspective? Assuming they're | following good practices like not storing access keys, passwords, | etc, in their source control system(s), this seems like more of | an IP protection issue. | | I could be wrong about that, though, and I'd be curious to learn | and understand more. | j_walter wrote: | Exploits are much easier to find if you have pure source code | and not having to reverse engineer it. | acct776 wrote: | Assuming your source isn't a fucking mess, is commented, APIs | documented, etc | onionisafruit wrote: | Right. One place I worked would probably benefit from | attackers getting access to the source code. It would cost | them weeks of productivity trying to figure it out. | tpmx wrote: | The core Windows source code is surprisingly readable/well | written, I've heard. 
| rhexs wrote: | No, it's still much easier. | arkadiyt wrote: | It just lowers the cost of exploit development, that's all. | tempfs wrote: | Umm, that IS a big deal for the most deployed normal-user OS | in the world. | acct776 wrote: | ...if you're a normal user. | | Or in charge of protecting them. | frombody wrote: | There was at least one SAML bug found in Office 365 federation | some years back that would allow anyone to log into anyone | else's account. | munchbunny wrote: | If SolarWinds was compromised and the attackers could use that | as a backdoor into Microsoft's datacenter, the problem isn't | really about protecting source code. The problem is whether | attackers were able to leverage that into stealing data from or | sabotaging Microsoft customers. After all, that customer list | contains many parts of the US government and civilian | infrastructure in general, plus major international | corporations. | TechieKid wrote: | The update literally says that "found no evidence of access | to production services or customer data." | munchbunny wrote: | I think you're misunderstanding my point. | | The "risk" mentioned in the quote a few comments up, and in | the context of the post by MSRC, isn't about the risk of | leaking Microsoft IP. It's about the risk that Microsoft | customers might have been affected. Whether or not MSRC | found evidence of a breach of customer accounts/data is a | related but separate question. | somethingwitty1 wrote: | There are two aspects to the comment though: 1. Did they | access services/data as part of this? 2. Can/did they use | what they got to impact customers/gain access to customer | data. | | The comment in the article speaks to #1. And of course, we | have to take that with a grain of salt. I doubt any company | impacted by this would be fully honest if there was a | customer breach. Regardless, you also can't prove a | negative. So all they can really say is what they did. 
| Which doesn't mean services/data weren't compromised. Given | the size of Microsoft, I find it hard to believe that every | service running there has the logs/audit trail to know | whether they were inappropriately accessed. | | But I took the OPs comment to be focused on #2 as well. | There is a very real possibility that having access to the | source code could help the attackers attack customers. | Having access to the source code can help in locating | vulnerabilities that allow future attacks against | customers/services. | stewofkc wrote: | I think as hacks become more and more common, and as more | businesses lose revenue from data breaches, more companies will | adopt better privacy and data security practices. | | If someone "hacks" DuckDuckGo's databases, for example, they | won't find any useful information. If they accessed Facebook's | data storage, they would have tons of information about millions | of people. | | As companies like Microsoft, Apple, etc. adopt stronger data | security, I think the general population will shift their | practices as well. | | This video (https://www.youtube.com/watch?v=eeBRt4qGHH8) kind of | made everything click for me as far as how a "hack" can impact a | person beyond just the data being publicly accessible. | jtchang wrote: | On the whole this does not affect my perception of Microsoft. In | fact it probably tilts it in their favor. They were able to | conduct a thorough investigation and figure out the attackers had | access to the source. The reality is that while it makes future | attacks easier it has already been taken into account for a large | majority of risk assessments. | | People trash Microsoft a lot but some of the people there are the | best in their respective fields. | samstave wrote: | >>> ___They were able to conduct a thorough investigation_ __ | | Prove that. | ByteJockey wrote: | My problems with microsoft really aren't around their security | practices (these days). 
| | It's more around the ads in the start menu, the telemetry they | send, and their tendency to reset my telemetry settings around | updates. | | I don't feel like I'm in full control when I'm using a computer | running windows. Which, y'know, is probably fine for 95% of | computer users, they want more of an appliance than a general | computing experience. | dmtroyer wrote: | I mean, true they detected this but you don't know what you | don't know... | superfrank wrote: | Do people still trash Microsoft? Maybe it's just because I'm in | Seattle, but I feel like their reputation has really turned a | corner in the past year or two. | | There's still a lot of cruft from who they used to be, but I | feel like most people I know echo the sentiment that Satya has | been a revolution. Things like them embracing Linux, acquiring | and not ruining NPM and Github, contributing to open source | projects, and all the work they've done with Dotnet Core seem | to really have bought them a lot of goodwill, at least with the | people I know. | Spooky23 wrote: | Microsoft is like the government... everyone has a | relationship with them, and those experiences vary from high | trust / strategic down to a sort of taxman. | | If your work is such that scaling to bazillions of servers or | other artifacts isn't an issue, Microsoft is a smart choice. | If you are building Facebook, it is a dumb choice. | oblio wrote: | I think using their dev tools is a solid choice. Using | their OS or their DB... not so much, primarily due to | licensing. | trinix912 wrote: | I only wish more of those tools would be cross platform. | I know it's not happening, but it'd be nice if I could | develop WPF stuff right on my macbook without a VM. | fortran77 wrote: | They do on Hacker News! People here seem oblivious to the | fact that Microsoft is right behind Apple in valuation. | tdhz77 wrote: | What does this valuation matter? 
| hollerith wrote: | There is some correlation between selling good products | and valuation. Intel's valuation for example went down | 25% in 2020 in contrast to the NASDAQ US Composite index | (of which Intel is a part) which went up over 40%. | [deleted] | coliveira wrote: | They are doing this to survive, not because they love open | source and Linux. MS is still every ounce of the company they | were in the 90s, they just saw the writing on the wall and | decided to play for the new generation of developers. I don't | trust them any better. | boxmonster wrote: | A lot of people don't update their opinions because it takes | work. I know because I've made it a habit of checking my | assumptions and I still forget. For example, people still | trash PHP and post "A Fractal of Bad Design" when PHP 8 is | now on par with any other language and not an amateur | minefield. Some things get better, some things get worse. | It's best to check in once in a while. Microsoft is much | better than it was 20 years ago. | webmobdev wrote: | Good point and maybe true for PHP, but not for Microsoft or | its products. They've continued to "update" their bad | practices too, and it's not just old criticisms that are | rehashed again against them. | lalalandland wrote: | While Windows 10 is a pretty good and stable system, the bundled | programs that are default for photos etc are truly awful. In | corporate environments it's often hard or impossible to | install 3rd party programs, so when the default bundled | software sucks, it is frustrating to deal with... | jjcon wrote: | Could be my neck of the woods too but where I am Microsoft | has the best reputation among the Major tech companies (not a | privacy nightmare, great research division, has started | supporting open source, remains fairly apolitical) | wizzwizz4 wrote: | > _Things like them embracing Linux_ | | Have you seen the WSL2 DirectX support?[0] They're extending | it, too!
| | [0]: https://news.ycombinator.com/item?id=23241040 | oblio wrote: | They'll extinguish desktop Linux any day now! | phendrenad2 wrote: | It's funny because Linux did just that to Unix. Embrace | (new OS that does everything Unix does, and free!), | extend (Linux has features not found in classic Unixes), | extinguish (Linux is now the de facto standard, so anyone | who wants to use Unix is laughed at). | | Microsoft gets mocked for embrace/extend/extinguish, but | really, it means just do a better job than the | competition. Embrace: "do what others are doing", extend: | "do a better job at it, have more features than the | competition", extinguish: "sell customers on those | features and improvements". How anyone could be against | competition, simply because it's framed in a cheesy | phrase, is beyond me. | Dylan16807 wrote: | You can compete without working to convert an ecosystem | from standardized to proprietary. If that happens it | becomes much harder for anyone else to compete, and the | end result is reduced competition. | oblio wrote: | That's what most companies do, though. | | "Differentiate your product." | | "Let's build an IP portfolio." | | "We don't want to be the dumb pipe." | | "Build a moat around the product." | | "Don't let yourself be commoditized." | | Etc. | | All that coded or not so coded business language says the | same thing: make it proprietary/uncopyable and make money | off of it. | cat199 wrote: | > acquiring and not ruining NPM and Github | | a little early to come to this conclusion, one way or | another, I think | webmobdev wrote: | Yes, people still trash Microsoft because many of their | business practises and products are trashy, even if it | needn't be. | | Windows is a great example - forced updates, forced ads, | forced data-mining and spying, stupid UI changes etc. all make | an otherwise decent OS a real pain to use and a must-avoid | for the privacy conscious.
These are easy to fix for a | company like MS, but they do not. | tester756 wrote: | > forced updates | | I don't understand whining about that when you have | billions of people using your OS, so shitton of people who | are newbies at computers then you want to help them to stay | as secure as possible. | | "at best(worst?)" this thing is "not nicest", but it's | totally reasonable. | | you have reasonable control over updates on non-home | versions, imo. | xeeeeeeeeeeenu wrote: | >I don't understand whining about that when you have | billions of people using your OS, so shitton of people who | are newbies at computers then you want to help them to | stay as secure as possible. | | That doesn't explain forced _feature_ updates. | bosswipe wrote: | The thing that finally got me to abandon Windows was when | a forced update wiped away the system settings that I had | spent days figuring out to get a trackpad to work the way | I wanted to. | alpaca128 wrote: | People who are newbies at computers wouldn't be able to | find the switch to turn off updates anyway, so why not | include the opt-out setting for users who care? | | Forced updates are unnecessary and a bad idea, even more | so in rolling-release models. | justapassenger wrote: | Especially, as Windows updates, given basically infinite | combination of hardware (often broken) and software | (broken even more often) are super rock solid. | cubano wrote: | So true. I just yesterday, on a lark, took a win10 SSD | from a new Dell and stuck it in a 10 year old HP, and | within about a minute it booted much to my surprise. | | It didn't even need to connect to the internet. | dougmany wrote: | Don't try that with Arch Linux. That distro lost me | forever because I didn't log into a computer for six | months (in 2012) and the OS was unrecoverably broken. | AsyncAwait wrote: | From experience, I highly doubt it was actually | unrecoverable.
I did something similar many times & all | it takes is to read archlinux.org news section & apply | .pacnew config diffs where needed. Arch is a bleeding | edge distro constantly marching ahead; that's one of its | primary advantages, so it's best to update regularly. | That being said it is very much possible to not update | for months, just requires a bit of extra care when you | finally do due to the large number of accumulated | changes. | | I even did an online, in place switchover from SysV to | systemd in 2011 and despite that being a scary amount of | changes at once still got a working system. | btgeekboy wrote: | For quite a while, Windows was the holdout. MacOS | wouldn't even flinch if you moved it to another machine; | Linux might have needed a little help finding its root | volume or NIC but would otherwise be happy. Windows, | however, would fall over with a BSOD. | dawnerd wrote: | They've been way more stable than MacOS updates recently | too. That has to say something about the processes | Microsoft has in place to QA. | zepto wrote: | Have they? Or do the people they impact simply not blog | about issues. | mschuetz wrote: | I dislike the forced windows update because they shove | crap down your throat with the updates, try to force edge | on you, and repeatedly try to get you to accept their | privacy stuff. | katbyte wrote: | Microsoft is a very large company with many different | internal orgs, your experience will vary greatly from one to | the other (or product to product) | mrmonkeyman wrote: | The best people are always where the money is, not the morals. | | Wall street, defense, giant megacorps. I will trash them for | it. It has nothing to do with being "competent". | rcurry wrote: | So true. 
There's this funny line in one of Paul Graham's essays | where he says something like "making the wrong technology | decision can doom your business - like choosing Windows in the | 90s" I got such a kick out of that because I worked for | CyberTrader in the 90s; we built our whole platform around | Windows and wiped the floor with our competitors. We ended up | the top day trading company in the US and were acquired by | Charles Schwab for just shy of $500m. But at the time, you pit | Windows NT with IOCP against anything else and it was game over | in the low latency trading space. | RhodoYolo wrote: | Funny enough in 'founders at work' it sheds light on the | early days of paypal. It seems to point towards one of the | reasons Elon got fired as CEO of Paypal is because the | broader team disagreed with Elon about whether to build | around windows or linux and Elon argued that there was more | tooling in windows at the time. | nikanj wrote: | Reading the old NT debugging blogs and Raymond Chen's stuff | was very eye-opening. Microsoft has incredibly talented | engineers ready to help Solve Problems, not just toss you the | source code and wish you luck. | [deleted] | tenebrisalietum wrote: | Cool, maybe they'll solve the problem of Teams freezing up | constantly someday. | superjan wrote: | Try disabling gpu rendering. | oblio wrote: | I think that's the generic solution to Electron apps | issues :-)) | gerdesj wrote: | That works OK, even on Linux (anecdotally) | gerdesj wrote: | That does not happen, even with the beta grade Linux | version on Arch (as I run it) | | You may have a rubbish internet connection. If you are | using a VPN with a slow internet connection, investigate | a split tunnel. Teams traffic involves only three IP | ranges so it is easy to split out and route direct to | shave a fair bit of latency. | | Other issues will require more investigation but they are | local to you.
| webmobdev wrote: | Doesn't mean they don't deserve the criticism or trash | directed at them for their products or business practices. | BrentOzar wrote: | Here's the updated Microsoft post that contains the admission | that the hackers viewed source code: | | https://msrc-blog.microsoft.com/2020/12/31/microsoft-interna... | | Drives me crazy that Reuters could write an entire post about a | Microsoft blog post, yet not link to the post itself. | giancarlostoro wrote: | It drives me crazy when in 2020 news articles do not link to | sources. | dvdbloc wrote: | Why would they? Will it increase revenue if they do? | wslack wrote: | Because the goal of news should be to inform, especially | when talking about court filings, and we as viewers should | not give traffic to sites that don't do basic linking work. | Frost1x wrote: | I believe parent was being rhetorical and or facetious. | | What we believe organizations _should_ do and what they | _actually_ do is often misaligned based on problematic | underlying driving forces /goals. | | Profit motives have tended to overcome all other | incentives in our (the US) economic structure. It may be | a broader problem globally due to power and influence of | the US. | | The same can be said about consumer motives. I probably | _should_ shop locally more often, but I may not be able | to afford local rates and have to pass the costs down the | line if I want to continue supplying more basic underlying | goals (eating, staying sheltered, etc). | | At some point we have to have the difficult conversations | of choosing the tradeoffs we do and don't want to | support, otherwise we may let flawed underlying goal | structures guide us to the paths of least resistance, | which may ultimately not be good for humanity (or it may | be, who knows). | | Given a lot of current directions, I find it hard to | believe our underlying system structures are great for | human well being.
It may have been a good run for a while | but that may be a short temporal anomaly. We may have to | more thoroughly consider long term consequences of goals | we set that may run counter to their actual intent. | | It's easy for some to simply ignore the underlying | problems and play the game optimally for oneself. | Personally, I've never been happy with that option (the | option which OP sort of alludes to). | 28u34ri wrote: | The goal of the "legacy news" is to support a paycheck. | | Wealthy individuals or groups will financially support | these "legacy news" organizations as long as they have a | say in what is put out. | will4274 wrote: | Because it's what their customers want? Higher quality news | sources have begun to get it (even if 10 years late). | [deleted] | koolba wrote: | If 2020 has taught us anything, it's that including sources | will only lead to them being questioned to refute the | article's premise. | giancarlostoro wrote: | Them Covington High Schoolers would like to have a word. It | took me under 10 minutes to do what CNN didn't bother to | do: confirm the claims of one man. It cost them dearly, and | rightfully so. | dang wrote: | Ok, we've changed to that from | https://www.reuters.com/article/us-global-cyber- | microsoft/so.... Thanks! | Godel_unicode wrote: | If you've been following this story you'll realize that someone | at Reuters really has it in for Microsoft. This despite the | backlash they've seen in the community for their rather tenuous | leaps of logic (see for instance this gem: | https://in.reuters.com/article/global-cyber-usa/suspected- | ru...). | | You'll note that they buried the byline in this piece at the | bottom, crediting "Reuters staff" at the top. | tpmx wrote: | Trying to understand: | | You're saying Reuters shouldn't report severe security | breaches at Microsoft? Or that they are doing it because | someone there dislikes Microsoft? For the latter - does the | motivation really matter?
| Godel_unicode wrote: | I was responding to a comment about why Reuters didn't link | their source for the article by pointing out that it's | consistent with their coverage of trying to sensationalize | a pretty boring story. If they linked the Microsoft blog | post, people might realize that the story isn't what | Reuters is trying to spin it as. | | Their motivation of generating click-bait at Microsoft's | expense matters as it means you should seek clarifying | information from other sources. Or just ignore Reuters and | hope the drop in traffic drives them to more closely tell | the whole story. | tpmx wrote: | But the Reuters piece | (https://www.reuters.com/article/us-global-cyber- | microsoft/so...) is on point. Microsoft was in fact | breached and attacker(s) accessed source code. | | Simplified, sure, but not overly so. | | (Linking or not linking to corporate blog posts - I agree | they should do that, but I suspect it's a general article | style guide thing.) | Godel_unicode wrote: | Technically true as far as it goes, the important bit | about the piece is what it doesn't say; no modifications | or builds. To understand how important that is, and why | Microsoft included it in big letters in their post, just | see how many people here are asking/worrying about that | possibility. Read isn't cool, nefariously wrote is cool. | | Technically true but highly misleading is a dangerous | route to go, and it makes me sad how often stories tread | that path in the name of clicks. | guenthert wrote: | MS blog might be safe, but I suspect Reuters just | generally doesn't want to be responsible for the source | being slashdotted (rather "reutered" then). | tpmx wrote: | My gut feeling is that it's more about an instinct not to | drive traffic offsite from their customers' online | properties, perhaps combined with a now hilarious print- | defensive attitude ("URLs don't work in print and our | reports must work equally well both online and in | print").
| kerng wrote: | Breached is a legal term... they were compromised but | probably didn't suffer a breach. The MSRC blog post is | exactly there to cover those legal grounds I guess. | guardiangod wrote: | Many security companies' stock went up upon release of this | news, as they have done in the last 2 weeks. | | I'd not be surprised if someone in Reuters is profiting from | hyping the breach. | lallysingh wrote: | IIRC Bloomberg news rewards stock price changes directly. | HatchedLake721 wrote: | Original blog post by Microsoft - https://msrc- | blog.microsoft.com/2020/12/31/microsoft-interna... | netfortius wrote: | Funny usage of the MS defender for the link to the "inner source" | wikipedia entry: | | https://nam06.safelinks.protection.outlook.com/?url=https%3A... | srtjstjsj wrote: | Something bizarre in that URL ___________________________________________________________________ (page generated 2020-12-31 23:00 UTC)