In which one expert called the documentation provided "a pile of shit", which ProPublica took the liberty of extending to Azure itself
reply
In those types of reviews/audits, documentation is the first indicator of whether a security organization has their act together. It's about building a trust relationship between the accreditor and contractor that will have to endure for years, as nation-state level actors throw their resources at finding vulnerabilities. MS couldn't do this or couldn't be bothered to do this. So shit documentation -> shit security processes and operations -> shit security -> shit cloud product in a government context. So the title wasn't that much of a stretch.
reply
And they weren’t wrong
reply
They still lied, because they didn't say "X is shit" but "Z said that X is shit", however Z apparently never said that.

I have become very cautious of such stories for this very reason. Who gets how much blame has a lot to do with "culture" or momentum. Bashing Microsoft for example is always super fine, but on multiple occasions I found the facts to be much more nuanced.

reply
In this case, it’s just yet another design-level vulnerability in Microsoft cloud’s services. There isn’t much room for nuance.
reply
It's true, they lied. But, paradoxically, in this case, while they lied about details, the conclusion is still true: Azure is very far from AWS and GCP as far as security is concerned. I have my own suspicions why it is so, but the reasons are not important, what counts is the final conclusion: if you really care for security, you'd better choose one of the other two.
reply
Azure looks worse right now. AWS and GCP still ship plenty of auth bugs, bad defaults, and policy footguns, so if you care about security the sane move is to assume every cloud will fail in ways the marketing page forgot to mention and build your controls around that, not around a brand ranking.
reply
“Fake but accurate.”

ProPublica has an agenda, and they slant their reporting to push it.

You can like their agenda and support this effort, but it’s not journalism.

reply
What is their agenda?
reply
Compare 600+ stories tagged for the Trump administration:

https://www.propublica.org/topics/trump-administration

…with 16(!!) since 2020 on Biden’s term:

https://www.propublica.org/topics/biden-administration

My favorite missing Biden story that should have been right in their wheelhouse: The unprecedented $36 billion bailout of the Teamsters’ pension fund.

https://www.statesman.com/story/news/politics/politifact/202...

reply
If a slop engine calls a slop company slop, has anyone really lost?
reply
We lost, for one of us got tricked into bringing it here.
reply
Titles are editorialised and space limited. The first couple lines in the article linked above make the nuance pretty clear.

[edit: 'pretty' instead of 'perfectly']

reply
deleted
reply
You are defending not just clickbait, but libelous clickbait.
reply
I doubt this reaches the bar for libel by a long shot.
reply
It's only libelous if it's not true. This vulnerability says otherwise.
reply
It is libelous because it is a claim that "X said Y", not "Y".
reply
Ah, so you're worried about the review team being misrepresented, not that Azure is shit.
reply
Ars just republished it under license
reply
Every security engineer I know working at Azure is on the verge of self-harm because of the current situation, or is the dumbest IC I've ever met and somebody I think should have never become a security engineer. Sample size ~12.
reply
That is quite the indictment.
reply
I am not very close with every one of these engineers, and some no longer work at MSFT, but yes, talking to employees in Seattle working on security made me never want to use Azure.
reply
Last I heard, the CO+I org has some pretty serious cultural problems that contribute to this, and which will not be easily solved.
reply
Bloomberg and CNBC don't seem to have reported on this, maybe someone with contacts could make them aware?
reply