The aftermath to the recent Microsoft Azure hack by suspected PRC actors.

What is the solution to this? Make sure cloud services are open source so they can be independently vetted? If government and corporate entities chose to use open source solutions, most are presented “as is” with no warranty.

  • ookees@beehaw.org
    link
    fedilink
    English
    arrow-up
    10
    ·
    1 year ago

    Why businesses continue to trust Microsoft I’ll never quite understand. The number of breaches Microsoft has had overall the last 5 years is amazing. Compare that to what I believe is the ZERO breaches Google has had in the same time frame. Not that Google is to be trusted, but if anything of magnitude would have happened there it would have certainly leaked by now.

    Cloud at this point is very hard to ignore. Internal IT team sizes shrinking, it’s becoming harder running all of those business needs internally. Businesses will learn the hard way when they continue to put their trust in the cloud, especially Microsoft’s. Some facets of IT are just too much work to bother with keep hosting internally. Exchange is a steaming pile of garbage. I managed it for years, so I can see why people cloud their email. Which I’m all for, because email is just a bitch to run in general. But use Gmail or something else. It’s a night and day difference. I’m dreading the day my company decides that Microsoft is the better deal just because Office needs updating. Instead of keeping the status quo, spend the money training employees on alternatives and run as far as you can from Microsoft’s hold.

    Microsoft makes a lot of good products but keeping them secure is an after thought.

    • shagie@programming.dev
      link
      fedilink
      arrow-up
      6
      ·
      1 year ago

      Compare that to what I believe is the ZERO breaches Google has had in the same time frame.

      From earlier this month: Google Cloud Build bug lets hackers launch supply chain attacks

      A critical design flaw in the Google Cloud Build service discovered by cloud security firm Orca Security can let attackers escalate privileges, providing them with almost nearly-full and unauthorized access to Google Artifact Registry code repositories.

      Dubbed Bad.Build, this flaw could enable the threat actors to impersonate the service account for the Google Cloud Build managed continuous integration and delivery (CI/CD) service to run API calls against the artifact registry and take control over application images.

      As to why don’t you hear about more GCP flaws? I refer you to this uncomfortable truth: https://twitter.com/QuinnyPig/status/1173394437298196480

      “What does AWS have that GCP doesn’t?”
      “A meaningful customer base?”

      • ookees@beehaw.org
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        I forgot about the build bug. Ghost token I was unaware of. Ok so two? And ghost token required users to have had a allowed the malicious app in question.

        Meaningful customers is an opinion. I can list a bunch.

        • shagie@programming.dev
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          That was one tweet in a tweet thread from a… guy who is a bit of a character and does stuff with AWS. He pokes a fair bit of fun at Amazon and others in the cloud.

          The thread reader rollup of it is https://threadreaderapp.com/thread/1173367909369802752.html which is an amusing read by itself.

          My favorite is still:

          “Why use AWS instead of IBM Cloud?”
          “IBM has a cloud?!”
          “I’m as puzzled as you, I’m just reading off the notecard here.”

          The best part of that is when you find out that IBM’s on prem cloud is called “IBM Cloud Private”.

          https://www.ibm.com/docs/en/cloud-private/3.1.1?topic=started-cloud-private-overview

          And then, when the sales teams talk about it, IBM Cloud Private is too long to say again and again… so they start calling it by its abbreviations… not IBMCP but rather ICP… and you start picturing the sales team wearing clown makeup. And when they talk about Machine Learning you share Using AI to Find Where Clowns End and Juggalos Begin with the devops guy sitting next to you and get some muffled chuckles.

          Not that those events have ever happened… or would be admitted to.

    • jcarax@beehaw.org
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      Why businesses continue to trust Microsoft I’ll never quite understand.

      Technological debt and an easy path to hybrid environments.