
Microsoft says it found malicious software in its systems

194 points| alacombe | 5 years ago |reuters.com | reply

155 comments

[+] ipsum2|5 years ago|reply
Earlier discussion: https://news.ycombinator.com/item?id=25461954

From yesterday:

> "We have no indication of this," company President Brad Smith told New York Times reporter Nicole Perlroth. Perlroth said the company stood by a statement it issued on Sunday saying it had no indication of a vulnerability in any Microsoft product or cloud service in its investigations of the hacking campaign.

[+] octoberfranklin|5 years ago|reply
Stall until Friday afternoon before releasing bad news. Standard procedure.
[+] bregma|5 years ago|reply
As I understand it from my readings here on HN, the solution is to rewrite everything from scratch using Rust.
[+] EvanAnderson|5 years ago|reply
I find that not applying electricity to computers makes them perform with flawless reliability. I had an old, dorm refrigerator-sized server as an end table for many years. It never failed.

Edit: Nobody else ever gave it instructions that went counter to mine, either. Security vulnerabilities are 100% non-exploitable without power. I should probably start an anti-APT business with that knowledge.

[+] kazinator|5 years ago|reply
As I understand it from my readings here on HN, that will be a major undertaking, since the malicious software that Microsoft discovered in its systems is actually Windows 10.
[+] DataCrayon|5 years ago|reply
I must be experiencing a real case of the Baader-Meinhof phenomenon. I hadn't noticed this attitude towards Rust until yesterday, and now I've seen it multiple times since then.
[+] dboreham|5 years ago|reply
Then run on an airgapped computer with custom firmware in its hard drives.
[+] young_unixer|5 years ago|reply
The solution is to rewrite everything from scratch following sane design principles instead of adding more layers of cruft.

The language could be C, C++, Rust, Zig. But the design is more important than the language.

Of course, no one with enough resources to do this cares enough to do it.

[+] ASalazarMX|5 years ago|reply
The astronomical compile times would force Microsoft to either make Rust blisteringly fast, or develop affordable quantum computers.
[+] SCUSKU|5 years ago|reply
I got a hearty chuckle out of this, thank you.
[+] dvfjsdhgfv|5 years ago|reply
I always had a feeling the author of n-gate actively participates in some discussions here, and sometimes even provokes some threads.
[+] Torwald|5 years ago|reply
That's wrong, though. You should first port Rust to the Amiga and then over there start to rewrite everything from scratch.
[+] bob1029|5 years ago|reply
I cannot wait until we are able to afford to run our critical business infrastructure on our own computers (again).

I have a lot of trust in Microsoft & Amazon, but with the complexity of their organizations, there is no way they can provide the same kind of security assurances as if I were to have my own locked cage at some colo. Certainly, you could spin a fantastical tale about how AWS's 23+ layer physical security perimeter is superior to whatever is available at my local facilities. But, I have grown to classify this sort of stuff under the "what if 2 SHA256 hashes collide" category of fear-driven development.

I almost have to convince myself on a daily basis now that "everything is fine" with how we are currently using the cloud. The selling points for moving to the cloud are very powerful and I agree with most of them. But at the same time, the idea that you are locked into this same combined fate as everyone else leaves me with the constant sensation that I should have brought a parachute with me.

[+] aboringusername|5 years ago|reply
It's scary what was once called "spyware", "malware", "adware" or "other"-ware has become so commonplace and accepted.

You type in Windows 10 search and it sends your keystrokes to Microsoft; you log into the Windows 10 OS (and they push hard for this during setup, they actively make it hard to use an "offline" profile) and it records your every interaction with that computer; with "full" telemetry it records every web page you visit, every app you launch, every app that has an error (you can download an app from the MS Store to see what telemetry W10 is sending to MS, it's quite illuminating).

These days, more and more of society expects you to have a smartphone and "apps"; "please can you scan a QR code to enter this restaurant". A supermarket has an app and offers in-store discounts on food, your data subsidizes the cost of what you purchase. Many offers are locked behind a social contract of "you give me data and I'll give you some money off". It's amusing to see how 'cheap' people are and how much data they are willing to freely give away in the name of a very very small discount (the data is worth much more than the savings you are getting).

An always online, always connected fully digital society is prone to attacks, hacks and disturbances. We've seen hospitals held to ransom and have paid bitcoins to get critical machines working again, something that shouldn't even be possible, yet one person who opens $phishingEmail.exe can bring down an entire network.

Our life is essentially in the hands of crudely built machines, with absolutely no security against basic human errors - and we trust these with the very foundation of society. One day we will witness a truly devastating hack, a disturbance unlike anything we've known previously, and it'll likely be as devastating as the Beirut explosion. It's not an if, but a when.

I want to return to a time without cars or computers, even just for a brief period (the lockdown was so nice this year. The hum of the birds and not the thunder of engines was a blessing).

[+] politelemon|5 years ago|reply
I believe it'll happen as soon as on-premise hosting is given a marketing-friendly name. Like "cloudless". Host your containers in a cloudless habitat, at a fraction of the cost!

It will be hailed as a hallmark of innovation. Any voices claiming that such a thing has always been possible will be tutted.

[+] jariel|5 years ago|reply
Why do we think that 'our own servers' gives us 'better security'?

I think this is the illusion of control.

"security assurances as if I were to have my own locked cage at some colo."

'Locked cage' is not going to help us secure it from the kind of intrusion we are afraid of.

Scale means more layers of VMs, more redundancy, more sophisticated security teams, etc.

Physically, Fort Knox has never been robbed, whereas any mom and pop shop can be.

I'm really surprised the US Military has not been working with the FAANGS to produce a new OS that is fundamentally more secure and containerized, including a networking stack with identity built right in, and of course, working on easy solutions for the user side of the equation as well to thwart social attacks. And maybe possibly systems architecture groupings to bifurcate systems from one another.

[+] kerng|5 years ago|reply
Security resources are sparse, and large companies pay lots of money and hire them away. So attempting to defend by yourself could leave you more vulnerable. Probably a middle ground is the best: to benefit from expertise on both sides.
[+] yunesj|5 years ago|reply
> I have a lot of trust in Microsoft

I’d love to trust Microsoft. They have a lot of talented people working on a lot of cool things.

But, they voluntarily collaborated with the US Government to spy on their users at home and abroad, and those people are still in charge, as far as I know.

[+] merb|5 years ago|reply
Btw, one attack vector was that on-premises is connected to Azure AD, and the on-premises installation already had malware, and the malware stole security tokens.
[+] bayindirh|5 years ago|reply
I find it extremely ironic. I’m currently finishing “Countdown to Zero Day” and some people are saying that NOBUS (nobody but us) doctrine reduces the attack surface considerably. Some other people highlight this mentality as extremely dangerous from a defense standpoint.

Ten years after the Stuxnet/Flame saga, the USA is experiencing the same kind of attack, and their stated preparedness has not improved from the levels stated in that book.

It’s fascinating.

Edit: No. I’m not enjoying this. There’s no schadenfreude.

[+] joenathanone|5 years ago|reply
It's only a matter of time before these hacks are weaponized, and it would appear that the US is totally unprepared.
[+] paxys|5 years ago|reply
Almost everyone has lost personal information to such hacks at some point or another. Critical infrastructure (e.g. hospital systems) has been held for ransom. National elections have been swayed by state-sponsored actors. Companies have lost plenty of IP to foreign competitors and governments.

They are already weaponized, and have been for a while. The time to start taking information security seriously was 15 years ago.

[+] TheAdamAndChe|5 years ago|reply
What makes you say this? I thought it was a common rumor that the NSA had backdoors in everything. Wouldn't Mutually Assured Destruction make an attack irrational, just as it deters nuclear attacks?
[+] textech|5 years ago|reply
This is precisely the reason why I'm against moving everything to the cloud. Find your way into AWS or Azure and you will have everything on a silver platter.
[+] vsareto|5 years ago|reply
I'm really curious what's going to happen to SolarWinds the company, if anything, because of all this.
[+] djsumdog|5 years ago|reply
Absolutely nothing likely.

Honestly, this is a weird fucking hack. The update went out signed by SolarWinds. Somehow, they got this payload into the build chain their developers use.

[+] dboreham|5 years ago|reply
They re-emerge called "737-Max".
[+] Silhouette|5 years ago|reply
On Friday last week, SWI was trading around 23.5. Today it closed around 14.2, so it looks like the big money investors are betting on SolarWinds-the-business being toast. Even if it does survive, if it doesn't somehow stage a miracle recovery very quickly, the current senior leadership are surely done as soon as they've finished being ritually sacrificed so their replacements don't get saddled with too much of the fallout.

As another potentially interesting data point, SWI still appears to have a P/E close to 120 even now. Given that traditional value investors might consider something closer to 20 to be reasonable for an established business and the huge ratios of many big tech stocks only make sense if you think they're going to continue the dramatic growth some of them have enjoyed for a while, there could still be a long way for stocks in SWI to fall even if they do eventually stabilise.

[+] maxerickson|5 years ago|reply
Stealing a joke I saw on Twitter, they rebrand.
[+] jen729w|5 years ago|reply
I was about to start a SW design literally the first day back next year.

Not any more.

[+] insert_coin|5 years ago|reply
This should be a clear warning to all politicians pushing for backdoors, but it won't, and they'll blame anyone but themselves.
[+] pedro2|5 years ago|reply
I am pretty sure this just happened because the US hasn’t yet implemented encryption backdoors.
[+] nix23|5 years ago|reply
I am pretty sure that Microsoft is then allowed to use the "no backdoor" edition internally...for the rest the "backdoor included" edition.
[+] desireco42|5 years ago|reply
Ha ha ha :) That must be it for sure.
[+] tpmx|5 years ago|reply
The next few decades will be interesting.
[+] totaldude87|5 years ago|reply
I don't even know where to begin. You can put in 1000 firewalls or anti-malware or greater defense systems, but apparently nothing would have stopped this?

Maybe a stricter password policy and a git scan?

[+] jmclnx|5 years ago|reply
I have been searching, and it looks like this is specific to Microsoft systems, though other systems may have helped spread it. From a couple of articles I found, the issue was in the file SolarWinds.Orion.Core.BusinessLayer.dll.

The reason I looked was because I never saw anything stating which OSes are directly impacted; all they talked about was how bad it was.

I now understand why Microsoft is pushing so many articles about this issue (outside of the fact it looks like it is a big problem for lots of companies/gov/people).

[+] legulere|5 years ago|reply
I wonder if sandboxing would reduce the impact of such attacks. It makes me look forward to fuchsia.
[+] wintorez|5 years ago|reply
I mean other than its systems?!
[+] msoucy|5 years ago|reply
I know, right? It's not nice to refer to your own product as malicious software.
[+] nfoz|5 years ago|reply
That's what I call Cortana.
[+] meow_mix|5 years ago|reply
McAfee antivirus?
[+] arminiusreturns|5 years ago|reply
Microsoft products themselves should be considered malicious.