Microsoft Signing Key Stolen by Chinese - Schneier on Security (www.schneier.com)
from sv1sjp@lemmy.world to cybersecurity@infosec.pub on 07 Aug 2023 20:33
https://lemmy.world/post/2830266

#cybersecurity

threaded - newest

hillbicks@feddit.de on 07 Aug 2023 21:16 next collapse

Actually, two things went badly wrong here. The first is that Azure accepted an expired signing key, implying a vulnerability in whatever is supposed to check key validity. The second is that this key was supposed to remain in the the system’s Hardware Security Module—and not be in software. This implies a really serious breach of good security practice. The fact that Microsoft has not been forthcoming about the details of what happened tell me that the details are really bad.

Jesus fucking Christ… I really did not expect this from Microsoft I have to say. The first one is strange already but the second one? Really looking forward to their explanation of this cluster fuck…

housepanther@lemmy.goblackcat.com on 07 Aug 2023 21:23 next collapse

Ooops!? I mean what can a person really say about this other than this was an epic failure on Microsoft’s part. Either through hubris, lack of oversight, or just good plain old incompetence of management the Chinese have the keys to the castle. This really highlights the inherent weakness of proprietary software solutions and (in)security through obscurity. This is why everything I do that is not related to my job as a Windows desktop support engineer is going to be on open source.

assembly@lemmy.world on 07 Aug 2023 21:30 next collapse

How does one even recover from this. I guess the assumption stays the same that everything on a corp network is compromised. Can’t imagine this is going to win Azure new business for DoD workloads.

detoxlife@exploding-heads.com on 07 Aug 2023 21:36 next collapse

Maybe our government shouldn’t be using corporate products. Maybe we should use that shit ton of money in our military budget to create our own software.

Sabata11792@kbin.social on 07 Aug 2023 23:34 next collapse

The government could save so much money gathering data directly instead of buying it from Microsoft.

xylogis@infosec.pub on 08 Aug 2023 09:29 collapse

Remember the OPM hack? Remember when pretty much every bit of PII for everyone in the government leaked? What makes you think the US government could do a better job?

Sabata11792@kbin.social on 08 Aug 2023 12:17 collapse

I failed in sarcasm.

Nougat@kbin.social on 08 Aug 2023 00:38 collapse

https://en.wikipedia.org/wiki/Red_Star_OS

detoxlife@exploding-heads.com on 08 Aug 2023 22:29 collapse

Apple OSX clone.

CrabAndBroom@lemmy.ml on 07 Aug 2023 22:32 collapse

This sort of thing is exactly the reason why I don’t want things like TMP and Pluton built into my computer hardware. Microsoft is incompetent at best and outright malicious at worst, and allowing them to add “security features” directly at the hardware level is madness IMO.

[deleted] on 07 Aug 2023 23:42 collapse

.