Thanks, we marked this one as a duplicate, because a followup post about a post that has already had a significant discussion here can't sustain a new discussion.
CVE-2025–55241, Azure EntraID had a problem that could have allowed attackers to impersonate any user, including Global Administrators, across any tenant. Its fixed now.
So, the premise that I was able to gather from their website before it went down is "cryptographic guarantees, not vendor trust", and they claim to be working towards that, apparently at https://github.com/tide-foundation, which is a tiny bit underwhelming right now.
> The root cause of this Microsoft vulnerability wasn’t poor coding or lack of testing. It also isn’t correct to say that it’s the need to trust Microsoft. It’s more accurately what we’re trusting Microsoft with — Authority.
> As long as someone or something holds it, it can be exploited.
Wide distribution, as opposed to centralization, seems to be the most reliable way to ensure continuity. Am I wrong in seeing this pattern in so many different areas? The distributed animal survives ecological or geological collapse in one region, the distributed activist group survives fed infiltration into one entity, the distributed army holds off the centralized one (with infinitely better funding and weaponry) for decades, the distributed political power survives demagogue takeover.
I might be abstracting way too far here, but it makes me wonder why we keep trying to centralize authority, when it keeps failing spectacularly.
As long as there is code their will remain a vulnerability.
All the security and compliances require that someone operates it, not everyone can design systems like Linux in an year or so.
The more darker truth is the entire existence of proprietary codebases and architectures, there's a saying either ask the question or forever remain foolish
It's time we ask it ourselves and the companies which we depend on to allow atleast open auditing their architecture
It's just one step but it prevents the level of exploits like these
The problem is the cloud. This sort of vulnerability is fundamentally impossible with an on-premise Exchange server and Active Directory. Once everyone's talking to and authenticating against one service, this sort of thing becomes difficult to avoid, especially when a company is bragging about how much code is written by LLMs now.
The real issue is, what do you use instead that you can make the non-technical users accept?
You can certainly move to google and get an overall improvement in track record and end user experience, but the fundamental issue raised in the article is still there
You can move to proton and get a pretty nice experience for mail and calendar, but it adds limitations regular users will be upset by. Their equivalent to word is very beta and they have nothing similar to excel.
You can move to nextcloud, and fix the fundamental issue, but every single piece of the solution will be even worse to use than microsoft's stack, and users will hate you.
If I could solve this, I could drop microsoft and google both
The article does not discuss what to use instead of Microsoft's products, it discusses a better architecture for authorization than the one Microsoft uses. The architecture which Microsoft uses is flawed and too many companies rely on it.
The solution in short:
"...distributed in the form a key who’s pieces live across a decentralized network."
If looking for alternatives to Microsoft's products I would recommend Infomaniak [0]. They have a fairly complete solution of business tools (email, contacts, calendar, cloud storage, file sharing, chat, video meetings, docs and sheets).
This article isn't just full of LLM-isms, it's unreadable because of it. When you completely delegate your editing to a machine, you're not just lazy, you're robbing yourself of the one thing that made you stand out --emdash-- your own voice.
Moreover, as we navigate this evolving paradigm, we must carefully consider the balance between efficiency, authenticity and a third thing in this list.
Maybe at the end of the day, the point of writing isn't delving into a topic and churning out text as fast as you can, but expressing your opinions in your own authentic voice.
darkamaul|5 months ago
One Token to rule them all – Obtaining Global Admin in every Entra ID tenant (13 days ago - 51 comment): https://news.ycombinator.com/item?id=45282497
tomhow|5 months ago
Den_VR|5 months ago
aappleby|5 months ago
KempyKolibri|5 months ago
OutOfHere|5 months ago
ZeroConcerns|5 months ago
komali2|5 months ago
> As long as someone or something holds it, it can be exploited.
Wide distribution, as opposed to centralization, seems to be the most reliable way to ensure continuity. Am I wrong in seeing this pattern in so many different areas? The distributed animal survives ecological or geological collapse in one region, the distributed activist group survives fed infiltration into one entity, the distributed army holds off the centralized one (with infinitely better funding and weaponry) for decades, the distributed political power survives demagogue takeover.
I might be abstracting way too far here, but it makes me wonder why we keep trying to centralize authority, when it keeps failing spectacularly.
dataflow|5 months ago
vednig|5 months ago
All the security and compliances require that someone operates it, not everyone can design systems like Linux in an year or so.
The more darker truth is the entire existence of proprietary codebases and architectures, there's a saying either ask the question or forever remain foolish
It's time we ask it ourselves and the companies which we depend on to allow atleast open auditing their architecture
It's just one step but it prevents the level of exploits like these
ocdtrekkie|5 months ago
procaryote|5 months ago
You can certainly move to google and get an overall improvement in track record and end user experience, but the fundamental issue raised in the article is still there
You can move to proton and get a pretty nice experience for mail and calendar, but it adds limitations regular users will be upset by. Their equivalent to word is very beta and they have nothing similar to excel.
You can move to nextcloud, and fix the fundamental issue, but every single piece of the solution will be even worse to use than microsoft's stack, and users will hate you.
If I could solve this, I could drop microsoft and google both
flakeoil|5 months ago
The solution in short: "...distributed in the form a key who’s pieces live across a decentralized network."
If looking for alternatives to Microsoft's products I would recommend Infomaniak [0]. They have a fairly complete solution of business tools (email, contacts, calendar, cloud storage, file sharing, chat, video meetings, docs and sheets).
[0] https://www.infomaniak.com
IlikeKitties|5 months ago
isoprophlex|5 months ago
Moreover, as we navigate this evolving paradigm, we must carefully consider the balance between efficiency, authenticity and a third thing in this list.
Maybe at the end of the day, the point of writing isn't delving into a topic and churning out text as fast as you can, but expressing your opinions in your own authentic voice.
card_zero|5 months ago
ares623|5 months ago
Hizonner|5 months ago
willvarfar|5 months ago
There are several bits in the article about how Tide and TideCloak demonstrates that authorityless auth works, but I'm not finding an explainer.
ingomaro|5 months ago
dazzawazza|5 months ago
letier|5 months ago
https://web.archive.org/web/20250923130941/https://tide.org/...
karlkloss|5 months ago
egamirorrim|5 months ago