US senator blasts Microsoft for “negligent cybersecurity practices”

jhodge

Ars Tribunus Angusticlavius
7,049
Subscriptor++
Wyden's not one of the usual nutcases, but I wonder what this means in practice:

'He urged Garland to examine whether Microsoft’s “negligent practices violated federal law.” And he called on Khan to investigate Microsoft’s privacy and data security practices to determine if they violated laws enforced by the FTC.'

Software license agreements are chock full of disclaimers that make it impossible to hold manufacturers responsible for any incidental or consequential damages related to bugs/flaws, much less any configuration errors by the customer.

On the one hand, attaching liability to flaws in software could force developers to seriously clean up their practices. OTOH, given the generally immature state of software engineering, how many ISVs could survive having liability for customers' damages caused by bugs?
 
Upvote
54 (58 / -4)
Wyden's not one of the usual nutcases, but I wonder what this means in practice:

'He urged Garland to examine whether Microsoft’s “negligent practices violated federal law.” And he called on Khan to investigate Microsoft’s privacy and data security practices to determine if they violated laws enforced by the FTC.'

Software license agreements are chock full of disclaimers that make it impossible to hold manufacturers responsible for any incidental or consequential damages related to bugs/flaws, much less any configuration errors by the customer.

On the one hand, attaching liability to flaws in software could force developers to seriously clean up their practices. OTOH, given the generally immature state of software engineering, how many ISVs could survive having liability for customers' damages caused by bugs?
Yeah... as much as I would like it, most software firms would pretty much shut down if they had to be liable for bugs.
 
Upvote
72 (74 / -2)
Wyden's not one of the usual nutcases, but I wonder what this means in practice:

'He urged Garland to examine whether Microsoft’s “negligent practices violated federal law.” And he called on Khan to investigate Microsoft’s privacy and data security practices to determine if they violated laws enforced by the FTC.'

Software license agreements are chock full of disclaimers that make it impossible to hold manufacturers responsible for any incidental or consequential damages related to bugs/flaws, much less any configuration errors by the customer.

On the one hand, attaching liability to flaws in software could force developers to seriously clean up their practices. OTOH, given the generally immature state of software engineering, how many ISVs could survive having liability for customers' damages caused by bugs?
I'm not sure what the answer is either. You can't trust private parties to do audits (SOC2 for example) because the auditor has a vested interest in helping their customers so they can have repeat business. Government could do 'FDA style inspections' and make sure companies are actually "trying" to do cybersecurity right, but Government is typically horribly inefficient and would probably not hire the right folks to do these kinds of inspections.

The insurance angle is certainly interesting as they actively pressure companies to implement better processes and tooling. Maybe force all businesses to have cyber insurance (especially if they rely on technology to exist) and let the insurers apply (require?) the best practices?
 
Upvote
-8 (10 / -18)
Security is only ever as good as the seriousness of the consequences for its failure.
On the other hand, nothing would ever get released since there's basically an infinite amount of bugs when you're writing complex long ass code.

Shit like this will always happen.
 
Upvote
52 (58 / -6)
Ron Wyden is literally the only member of Congress worth listening to on tech issues. He's the only one who's shown even passing understanding of Section 230 or Net Neutrality, and has been consistently the voice of reason when it comes to technology in the US.

He was also outspoken against the PATRIOT Act (and the warrantless surveillance of US citizens that it enabled) as early as 2006.
 
Upvote
165 (168 / -3)

Frodo Douchebaggins

Ars Tribunus Angusticlavius
6,602
Subscriptor
Ron Wyden is literally the only member of Congress worth listening to on tech issues. He's the only one who's shown even passing understanding of Section 230 or Net Neutrality, and has been consistently the voice of reason when it comes to technology in the US.

I've got some gripes about him but it'd come off as whataboutism, but yeah in general he seems to be one of the at least decent few out there.
 
Upvote
33 (36 / -3)

jhodge

Ars Tribunus Angusticlavius
7,049
Subscriptor++
On the other hand, nothing would ever get released since there's basically an infinite amount of bugs when you're writing complex long ass code.

Shit like this will always happen.
I'm pretty sure that if Oracle manifests as a corporeal being, breaks into your house, drinks all your beer, and kills your dog; the license agreement entitles them to bill you for the on-site hours plus travel time.
 
Upvote
146 (147 / -1)

UserIDAlreadyInUse

Ars Tribunus Militum
2,419
Subscriptor
I'm pretty sure that if Oracle manifests as a corporeal being, breaks into your house, drinks all your beer, and kills your dog; the license agreement entitles them to bill you for the on-site hours plus travel time.
Not to mention additional charges for having non-standard beer and a dog (but no cat) on the premises in the first place.
 
Upvote
60 (61 / -1)

ktmglen

Ars Scholae Palatinae
733
Wyden's not one of the usual nutcases, but I wonder what this means in practice:

'He urged Garland to examine whether Microsoft’s “negligent practices violated federal law.” And he called on Khan to investigate Microsoft’s privacy and data security practices to determine if they violated laws enforced by the FTC.'

Software license agreements are chock full of disclaimers that make it impossible to hold manufacturers responsible for any incidental or consequential damages related to bugs/flaws, much less any configuration errors by the customer.

On the one hand, attaching liability to flaws in software could force developers to seriously clean up their practices. OTOH, given the generally immature state of software engineering, how many ISVs could survive having liability for customers' damages caused by bugs?
Anyone know if the stolen emails from the state department and commerce department were stolen from the regular Azure cloud or the US government Azure cloud? If it's the latter, I could see there possibly being laws that supersede any language in the license agreements.
 
Upvote
17 (18 / -1)
As far back as the 90s, Windows was prohibited in security-sensitive installations. The basic operating system was badly designed, user features philosophically short-sighted ("hey, let's let users load destructive macros via EMAIL!").

I get it. Microsoft has a polished sales force. They provide packaged solutions to companies which believe technology isn't their core business. They have an aura that somehow doesn't reek of an organized crime syndicate (unbelievable, after their racketeering activities in the 90s). It's a nice check box that incompetent, non-technical managers can check off and feel they've done due diligence.

But the reality? They end up with shit, often with applications written by lowest-bidder foreign companies and maintained by shitty IT houses with tech slaves imported from (or located in) India. And IT to support this mess has become a racket unto itself, with faux (and expensive!) credentialism, training on Microsoft's ecosystem, and countless thousands whose livelihood depends on supporting, well.. shit. Built-in job security.

When are we going to realize that Windows is a national security risk, whether on the desktop or on the back end?
This is why you're still using TempleOS right.
 
Upvote
35 (42 / -7)

baronvonthinmints

Smack-Fu Master, in training
72
I don't disagree with the idea that companies need to start being held accountable in meaningful ways, but Mr. Wyden is not really winning any points with me here. Data leaks and financial leaks have been happening for almost two decades now since the boom of internet commerce, and nobody has ever really seemed to care. But as soon as the feds have some emails leaked by a Tech corp, all of a sudden the sky is falling. Again, don't get me wrong, I do understand that the potential political fallout for something like this is bad for the US, and late is better than never if we are going after companies, but it feels like doing the right thing for the wrong reason here.
 
Upvote
6 (25 / -19)

Danathar

Ars Praefectus
3,536
Subscriptor++
The whole issue of Fedramp for US government tenants vs non-Fedramp Office 365 tenants really needs to be expounded upon in a story like this. Office 365 for the federal government is supposed to be much more secure because the requirements are much more stringent, and the data centers and servers have to be separate from the consumer cloud. What I don’t understand is how a vulnerability on the consumer side impacted the Fedramp side.
 
Upvote
59 (59 / 0)

Nilt

Ars Legatus Legionis
18,678
Subscriptor
Anyone know if the stolen emails from the state department and commerce department were stolen from the regular Azure cloud or the US government Azure cloud? If it's the latter, I could see there possibly being laws that supersede any language in the license agreements.
Laws always supersede license agreements. Always. The agreements either comply with the law and are enforceable or they do not and are not. That's how laws work.
 
Upvote
47 (48 / -1)
Interesting side note: Wyden is 74 years old. I love how he shatters the stereotype that boomers can't understand tech.

I think Wyden is right to call out Microsoft here. It sounds like a really bad lapse of basic security policy. It's not just another breach from some random company, Azure AD is supposed to be the gold standard for security for all companies that use Microsoft for securing their network which includes my current employer.

Microsoft has plenty of cash to pay the best security people in the world to make sure Azure AD is bulletproof. The breach indicates that they either don't employ such people or don't listen to their recommendations.
 
Upvote
75 (76 / -1)

Frodo Douchebaggins

Ars Tribunus Angusticlavius
6,602
Subscriptor
Interesting side note: Wyden is 74 years old. I love how he shatters the stereotype that boomers can't understand tech.


He's also one of the few examples I can think of that don't act as supporting evidence for my view that it might not be the worst idea in the world to consider forced retirement from congress, supreme court, and the executive branch at whatever age social security kicks in.


edit: wait, those power-hungry fucks would just raise the retirement age/social security age.

A nice clean 65 it is, then.
 
Upvote
25 (25 / 0)
Interesting side note: Wyden is 74 years old. I love how he shatters the stereotype that boomers can't understand tech.

I think Wyden is right to call out Microsoft here. It sounds like a really bad lapse of basic security policy. It's not just another breach from some random company, Azure AD is supposed to be the gold standard for security for all companies that use Microsoft for securing their network which includes my current employer.

Microsoft has plenty of cash to pay the best security people in the world to make sure Azure AD is bulletproof. The breach indicates that they either don't employ such people or don't listen to their recommendations.
That’s depressing. We’re going to need a proper successor and it’s just a fucking blasted landscape of partisan idiocy.
 
Upvote
25 (25 / 0)

nom3ramy

Ars Tribunus Militum
1,749
Subscriptor
Yeah... as much as I would like it, most software firms would pretty much shut down if they had to be liable for bugs.
Laws could be passed limiting liability to some percentage of a company's gross income, possibly increasing with sequential failures, which would better protect the tiny struggling software firm. This might reduce the "let the customers debug it; ship it now!" directives from marketing and top executives without bankrupting the company.
 
Upvote
15 (16 / -1)

turinggirl

Smack-Fu Master, in training
31
Subscriptor++
I'm pretty sure that if Oracle manifests as a corporeal being, breaks into your house, drinks all your beer, and kills your dog; the license agreement entitles them to bill you for the on-site hours plus travel time.
Getting a new dog? That's a license fee.
 
Upvote
32 (32 / 0)

waveterrain

Smack-Fu Master, in training
56
Subscriptor++
Software license agreements are chock full of disclaimers that make it impossible to hold manufacturers responsible for any incidental or consequential damages related to bugs/flaws, much less any configuration errors by the customer.

While that is definitely true, I don't think he is saying that they should be held accountable for any bugs and flaws generally, but this is more of a question of whether they should be held accountable for "do as I say, not what I do" to the tune of $20B in revenue and potentially breaching their federal contract requirements.

The example here is MS sales and marketing saying:
"Hey, security is really hard because things like identity management are really hard to do as an individual organization because of things like xyz" but then turn around and don't even bother rotating a critical key for 5 years.

I think the FTC angle won't go anywhere but if MS wasn't following security practices required by their federal contract (and that key rotation example looks real bad), they should be held accountable to major penalties. Not that I expect that to occur and I suspect Wyden knows that as well. But the more noise around this, it does hurt MS business selling to other businesses so they will be incentivized to do better.
 
Upvote
24 (25 / -1)

Fatesrider

Ars Legatus Legionis
19,061
Subscriptor
Yeah... as much as I would like it, most software firms would pretty much shut down if they had to be liable for bugs.
True, but...

I CAN see a strong case for laws mandating that KNOWN flaws be handled immediately and with full resources until they are confirmed fixed, with penalties for every DAY that they are not being addressed once the flaw became known to them.

Not once the flaw was publicly announced, but once the internal processes of a company discovers a flaw.

I'd also want to see some reasonable time limit imposed on the fixing part, with a case-by-case provision for extending that time limit a certain number of times.

Basically, this would force companies to deal with flaws as they arose. What we DO NOT know about this case is whether or not this exploited flaw (whatever it is) was known to Microsoft, nor what mitigation efforts they may have taken.

Against a nation/state's resources, not even Microsoft can withstand that for long, so the level of effort put into breaking in should be a factor in the decisions to "punish" a company. But companies can't be allowed to sweep shit under the rug, or hand it off to the next shift, if they haven't done anything substantive in addressing the issue because "reasons" (usually money).

As for punishment, I'd make the minimum fine ten times what it takes to actually fix the damned thing. The financial incentive to fix them, find them, deal with them, instead of letting them slide and hoping for the best (as happens in so many cases where a white-hat submits their findings, and the company does NOTHING) would then be far higher.

Granted, someone else will come up with something different I expect, and I'm not married to my suggestions here. But until we enact regulation/laws that make it FAR more expensive to let a known flaw exist at all without immediately working on a solution, or until it's eventually exploited (even if that may not be the case here, since we don't have any info on that) and public outcry demands it be fixed, nothing will change.

Anything that lights fires under the complacent asses of those who pinch the pennies to lose a pound is fine by me.
 
Upvote
9 (11 / -2)
OOoooo... Someone in Congress yelled at someone.

Big whoop. Zuckerberg told them to their faces after the Cambridge Analytica scandal years ago that if they wanted better consumer protections to do something about it since Facebook would not, and they still haven't done squat.

Congress is a joke. They could do something to better protect consumer privacy and data entrusted to companies. They could enact legislation to put more restrictions on what data can be harvested/traded/sold/given away/made available to parties outside of whom the individual has a contract with.

They won't, and Zuckerberg knew this even back then. He challenged them in their own house to act. All they do is pull people in, ask stupid meaningless questions that often have nothing to do with the problem at hand, get made fools of, and move onto the next thing they hope will earn one of them a 10-second talking point to be featured on one of the major news networks.
 
Upvote
23 (28 / -5)
Meanwhile in the U.S. Senate:
‘Jackasses,’ ‘little s‑‑‑‑’: GOP congressman curses out teenage Senate pages
Rep. Derrick Van Orden (R-Wis.) is in hot water after he cursed out a group of teenage Senate pages in the Capitol rotunda early Thursday morning.

According to a transcript written by a page minutes after the incident and obtained by The Hill, Van Orden called the pages “jackasses” and “pieces of s‑‑‑,” and told them he didn’t “give a f‑‑‑ who you are.”

The pages are a group of 16- and 17-year-olds who assist Senate operations, and when the Senate works late — as it did Wednesday night on National Defense Authorization Act amendments — pages generally rest nearby in the rotunda.

“Wake the f‑‑‑ up you little s‑‑‑‑. … What the f‑‑‑ are you all doing? Get the f‑‑‑ out of here. You are defiling the space you [pieces of s‑‑‑],” Van Orden said, according to the account provided by the page.

“Who the f‑‑‑ are you?” Van Orden asked, to which one person said they were Senate pages. “I don’t give a f‑‑‑ who you are, get out.” ...
Did someone put chaff in grandpa's granola again? And if he doesn't give a f___ who they are, why did he ask?

(edit - Van Orden is a representative, not a senator)
 
Upvote
18 (22 / -4)
With fairly limited details available, no one outside of the bad actors and/or MS can pontificate as to what did or did not happen, let alone how to keep it from happening in the future. Clearly this is what Senator Wyden is getting at, but chaining together the SolarWinds debacle and the current incident is a stretch at best.
Agreed. What sounded like a decent ask just turns into a personal attack when you start saying "and what about this one time when". It's not relevant. Don't muddy the waters and make your point less focused.
 
Upvote
-7 (4 / -11)

Wind

Wise, Aged Ars Veteran
128
Subscriptor++
This is what Wyden was referring to when he referenced the Solarwinds breach. It's the exact same attack, just different protocols (SAML vs OIDC). Relevant portion below:

Wikipedia said:
According to Microsoft, hackers acquired superuser access to SAML token-signing certificates. This SAML certificate was then used to forge new tokens to allow hackers trusted and highly privileged access to networks.

Validating tokens signed with an out of scope, expired key is about the furthest thing from a sophisticated attack that I can imagine. Absolutely appalling security practice that key expiration isn't enforced, that's the most basic of basics. Even if MS rotated those keys every 30 days it wouldn't matter because tokens signed with the expired keys would all still be accepted as valid.
 
Upvote
34 (36 / -2)
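Wind's point above, and waveterrain's earlier one about a critical key going unrotated, both come down to one decision in the token validator: is the signing key checked against its own validity window and scope, or only against "does the signature verify?" The following is an added illustration, not code from the original thread and not any vendor's actual implementation. It uses a constructed key registry with HMAC-SHA256 standing in for the asymmetric signatures a real identity provider would use; the validation logic is the same either way. `naive_validate` accepts any key that still resolves by `kid`, so a retired consumer-scoped key from 2018 can still mint an "enterprise" token in 2023. `strict_validate` additionally requires the key to be inside its `not_before`/`not_after` window at validation time and scoped for the audience being served, which is exactly the check whose absence makes rotation alone pointless.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing-key registry (an assumption for this example, not any real key store).
# Every key carries the validity window it was issued for and the tenant scope it may sign for.
# Timestamps are Unix seconds: key-2018 is valid during 2018 only, key-2023 during 2023 only.
KEYS = {
    "key-2018": {"secret": b"retired-secret-material", "not_before": 1514764800,
                 "not_after": 1546300800, "scope": "consumer"},
    "key-2023": {"secret": b"current-secret-material", "not_before": 1672531200,
                 "not_after": 1704067200, "scope": "enterprise"},
}

NOW = 1690000000  # constructed "current time": July 2023


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a JWS-style token (header.payload.signature) with the named key."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _verify_signature(token: str):
    """Shared step: resolve the key by kid and check the MAC. Returns (key, claims) or None."""
    try:
        head_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        if not isinstance(header, dict):
            return None
        key = KEYS.get(header.get("kid"))
        if key is None:
            return None
        expected = hmac.new(key["secret"], f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return key, json.loads(_b64url_decode(claims_b64))
    except ValueError:  # malformed base64 or JSON
        return None


def naive_validate(token: str, now: int):
    """Weak validator: any key still present in the registry is trusted, whatever its validity
    window or scope. Only the token's own exp claim is checked, so a forger holding a
    long-retired key succeeds."""
    result = _verify_signature(token)
    if result is None:
        return None
    _key, claims = result
    if claims.get("exp", 0) < now:
        return None
    return claims


def strict_validate(token: str, now: int, expected_scope: str):
    """Hardened validator: the signing key must be inside its validity window at validation time
    and must be scoped for the audience being served. Retired keys may stay in the registry for
    audit purposes but can no longer authenticate anything."""
    result = _verify_signature(token)
    if result is None:
        return None
    key, claims = result
    if not (key["not_before"] <= now <= key["not_after"]):
        return None  # signed with an expired (or not-yet-valid) key
    if key["scope"] != expected_scope:
        return None  # key is valid somewhere, but not for this audience
    if claims.get("exp", 0) < now:
        return None
    return claims


if __name__ == "__main__":
    # A token minted with the retired consumer key, carrying a fresh-looking exp claim.
    forged = sign_token("key-2018", {"sub": "someone@example.invalid", "exp": NOW + 3600})
    print("naive :", naive_validate(forged, NOW))                  # prints the claims: accepted
    print("strict:", strict_validate(forged, NOW, "enterprise"))   # prints None: rejected
```

The design point is that the expiry check belongs to the key, not just to the token: a token's `exp` claim is written by whoever holds the key, so it proves nothing once the key has leaked. Checking the key's window at validation time also closes the gap Wind describes, where tokens signed under a rotated-out key remain valid forever; with this check, rotation actually retires the old key. Logging the `kid` of every rejected token is a cheap way to notice someone presenting signatures from keys that should no longer be in use.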
Interesting side note: Wyden is 74 years old. I love how he shatters the stereotype that boomers can't understand tech.
Easy to forget that most of the foundational tech we talk about here, the Internet, web, personal computers, mobile phones, WiFi, etc. were invented by Boomers.
Heck it's likely that your favorite programming language was started by a boomer.
 
Upvote
27 (27 / 0)

trashcanman

Smack-Fu Master, in training
5
Subscriptor++
We really need another Senator acting in the public’s best interest in the technology space.
Yes they do. You watch them all run for their fainting couches when they talk about TikTok and China, especially Warner, and he wants to make the entire internet and every app less secure and less safe for literally ERRYBAHDY with bills like the EARN IT Act.

Their grandkids could probably advise them better than whoever is doing it now.
 
Upvote
6 (6 / 0)
Yes they do. You watch them all run for their fainting couches when they talk about TikTok and China, especially Warner, and he wants to make the entire internet and every app less secure and less safe for literally ERRYBAHDY with bills like the EARN IT Act.

Their grandkids could probably advise them better than whoever is doing it now.
Not sure senator's age is the issue as much as America likes voting in stupid people. Congress has no shortage of younger but dumb.

There is a cult of ignorance in the United States, and there has always been. The strain of anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that "my ignorance is just as good as your knowledge."

Isaac Asimov
 
Upvote
23 (25 / -2)
Wyden's not one of the usual nutcases, but I wonder what this means in practice:

'He urged Garland to examine whether Microsoft’s “negligent practices violated federal law.” And he called on Khan to investigate Microsoft’s privacy and data security practices to determine if they violated laws enforced by the FTC.'

Software license agreements are chock full of disclaimers that make it impossible to hold manufacturers responsible for any incidental or consequential damages related to bugs/flaws, much less any configuration errors by the customer.

On the one hand, attaching liability to flaws in software could force developers to seriously clean up their practices. OTOH, given the generally immature state of software engineering, how many ISVs could survive having liability for customers' damages caused by bugs?
IANAL, but there are certainly limits to what you can shield yourself from in a contract. Demonstrating gross negligence and/or material misrepresentations in particular could be potential ways to pierce the liability shield here. The YouTube channel Legal Eagle covered some of this regarding the liability waiver Oceangate's passengers signed:
View: https://youtu.be/RJQPthD9rx8


Which generally seems like a reasonable legal boundary for action in things like this. Honest mistakes will happen and generally warrant correction without punishment, while gross negligence and fraud should absolutely be prosecuted appropriately, but there's absolutely room for improvement. With software, as with any critical infrastructure, there really ought to be the equivalent of a fire safety or electrical code: thorough, engineering-based, well reviewed technical guidelines crafted by subject matter experts that are granted force of law, rather than directly legislated rules.
 
Upvote
8 (8 / 0)