Discussion
Federal Cyber Experts Thought Microsoft’s Cloud Was “a Pile of Shit.” They Approved It Anyway.
robtherobber: Wow, Microsoft is really pushing the wrong boundaries in every direction, isn't it? Executives must be thinking, like many before them, that Microsoft is too big to fail.
joe_mamba: Executives only react to share price movements. If share prices are high because of whatever investors think, then execs will just open another champagne bottle. Steve Jobs was the last tech CEO who didn't care about Wall Street and only cared about quality products and consumers.
dogleash: > By late 2024, FedRAMP reviewers concluded that they had little choice but to authorize the technology — not because their questions had been answered or their review was complete, but largely on the grounds that Microsoft’s product was already being used across Washington.

The article talks a lot about conflicts of interest, but this is the line I went looking for. A bureaucracy fighting itself over goal to prioritization, and what's a necessary roadblock vs red tape is the less sexy but more meaningful problem at the core of this.
ovidev: The Justice Department CIO who pressured FedRAMP to approve GCC High was hired by Microsoft the next year. I wonder if this shouldn't invalidate the authorization in the first place?
gertrunde: The sheer amount of conflict of interest with folk involved in this later getting employed by Microsoft is a bit crazy.
debarshri: Recently tried using Entra ID. There are 12 ways to enforce MFA, 20 ways to disable users, 4 ways to authenticate users, plus conditional access stuff with 50 variables and templates etc. You can customize it the way you want. After configuring it, my colleagues could not log in. That's one way to secure your organization.
ddtaylor: The government does most things poorly and with little regard to budget or quality. They can't solve problems that are much simpler than cloud computing, so why should I expect them to perform better at a more complex problem?
fdghrtbrt: If you "went looking for" this line, you're just reading your preconceptions into the statements. I on the other hand have no expectation, and so it's not clear whether the "bureaucracy fighting itself" is a cause or a symptom. You're implying it's a cause and the solution is "less red tape". But it could be just a symptom of conflicts of interest, and less red tape just leads to more efficient corruption. Again, you're just reading into it what you already believe in.
Eridrus: I think plenty of software is a pile of shit and still derive value from it.
snovymgodym: Yeah I'd go so far as to say that most useful software is "bad" in some way.
joezydeco: There are extra ways to do that, but they're in a document deep in a SharePoint directory that you can't access.
iamleppert: Azure is easily the most expensive, least reliable and worst cloud available. It's borderline a scam. An example from today: I provisioned high IOPS SSDs (supposedly), and what is actually connected to the instance? A spinning hard drive! I didn't even know they were still made, but I guess Azure uses them and scams their users into thinking you're getting an SSD for $700/mo when it's really an old hard drive. I would warn anyone far and wide to avoid Azure at all costs, especially if you are a startup. And especially if you are doing any kind of AI, because the only GPUs they have available are ancient and also crazy over-priced. If I cared more, I'd try to migrate away from Azure. But I don't, and that's probably Azure's business model at this point.
Hizonner: Sure. Your average private corporation would do much better at sanely evaluating Microsoft's cloud, and sanely acting on that evaluation. Right. You bet. Absolutely.
yoyohello13: That’s Microsoft. 1000s of features and none of them really work the way they are supposed to.
gertrunde: It's not very clear from the article, but I get the feeling from the context that the 'pile of shit' quote referenced the package of documentation about the service rather than the service itself. (That seems to be the main complaint, that Microsoft never provided the clear information required to conduct the assessment properly.)
21asdffdsa12: Wait- so they basically threw up their hands? No documentation! Not evaluable? Thus clearly of value for somebody? Big stamp, job well done! NEXT?
yoyohello13: Basically exactly what my org did. The momentum of being a Microsoft shop is hard to fight against.
markstos: Frustrating that FedRAMP is both a pain to get compliant with and also apparently is not a strong signal of actual security.
colechristensen: I see you've never worked in a compliance environment before.
Havoc: And may such evil days never come to pass.
iscoelho: Microsoft has never been good at security, and that is why their centralization to the cloud is absolutely terrifying. I'm reminded of Storm-0558 [1], where a stolen signing key was able to forge authentication tokens for any MSA / Azure AD / Government AD user. They downplayed the severity. Just imagine if that level of access was used to pull a Stryker on a nation-wide scale. This is an economic disaster waiting to happen.

[1] https://www.microsoft.com/en-us/security/blog/2023/07/14/ana...
FrustratedMonky: Is this just a case of MS needing to merge a lot of platforms, and there are gaps and overlaps? Maybe the critical question is: are they making continuing improvements? Especially to merge conflicting functions. Like when they bought Minecraft, or Skype. Each already had user management. Xbox was a mess. Merging them all took a lot of years.
hiddencost: Basically false. They're better at health care. Better at education. Better at feeding people. Better at charity.
MrBuddyCasino: There's no need to be THIS cynical.
debarshri: Moments like this, I miss clippy.
hedora: Same here, except with Minecraft and Xbox One. I don’t understand how they have non-zero market share.
ryandrake: I remember trying to buy $9 worth of Minecraft In-app Whatever for my kid, and the goose chase Microsoft put me on just to log in and buy something was totally out of this world. I ended up needing to contact their fraud department around step 74.
kevincloudsec: The product got deployed across the government while the security review was still in progress. Then FedRAMP approved it because it was already everywhere. Seems like I saw a lobbyist or two with a broom sweeping something under a rug...
Pxtl: The problem is modern MS doing three contradictory things at the same time:
- FB's "move fast and break things." Constantly launching new libs.
- Linus's "we do not break user space." Great commitment to backwards compatibility.
- Never deprecating dead products until they've been de facto abandoned for like decades.
This combination means every MS product is a labyrinth of overlapping APIs with no guidance as to which one is actually the good one. Some are abandoned garbage, some are brand new and incomplete, and some are both, and there's no way of knowing which are which; even experts can mislead you.
Rygian: I'll do you one better: stealing the signing key was not even necessary. https://www.bleepingcomputer.com/news/security/microsoft-ent...
iscoelho: I knew there was another incident that I was forgetting, insanity... I don't understand how Microsoft keeps getting away with this and everyone just forgets.
mastax: Out of all the SSO login flows Microsoft has to have the buggiest. It’s the only one I can remember routinely having issues with. Why are there so many redirects? And why doesn’t the “remember me” checkbox ever work?
CDSlice: It is also the only SSO flow I have ever seen that fundamentally cannot work if you have more than one account remembered on your device. So far the only way I’ve found to get it to let you log out of account A and then log into account B is to clear all cookies otherwise it gives you permission denied errors. Have no idea how it can be this horrible
jbombadil: > [...] And because federal agencies were allowed to deploy the product during the review, GCC High spread across the government as well as the defense industry. By late 2024, FedRAMP reviewers concluded that they had little choice but to authorize the technology — not because their questions had been answered or their review was complete, but largely on the grounds that Microsoft’s product was already being used across Washington.

This sounds like the crux of the issue. The combination of "tool can be used during analysis" and "analysis takes long" shifts the barrier of rejection from "is this tool safe?" to "is this tool so unsafe that we're willing to start a fight with a lot of other government agencies to remove it, find an alternative, etc.?" Not criticizing FedRAMP. Proper security review takes time. And probably more when dealing with vendors.
chii: It's why these enterprise vendors want a foot in the door at all costs. They know that if they get entrenched first, it's impossible to migrate away. That's basically free money from a customer that has zero cost ceiling.
andychase: That's false that Government agencies have 0 cost ceiling. Maybe DoD does, but most offices have extremely tight budgets.
everdrive: The experts were correct. Azure is the biggest pile of shit I've ever had to work with. Everything feels evolutionary. In other words, a new product in Azure is barely a product at all, but a small appendage which totally inherits a bunch of preexisting Azure "stuff." And all this preexisting stuff may not really make sense for the product, and it might inherit stuff that makes the product much worse. But, it doesn't matter. To even think about using the product, you need to learn way more about the larger Azure ecosystem than you ever bargained for, and of course deal with Microsoft products that do not really integrate well because the teams don't talk to each other. Log formats, conventions, everything will be different as you float around to different parts of Azure. Basic security concepts, such as a SIEM, will be implemented in such strange ways that you wonder if Microsoft has any idea what a SIEM even is.
bmurphy1976: How is this different than Amazon? Same problem there. Oh, you're using this new service? Need to view the logs? Want a nice friendly UI to do that? Fuck you here's Cloudwatch. Good luck.
shrubble: This fits perfectly with traditional Microsoft strategies of getting a foot in the door and then having the users’ internal pressure on the organization help get the Microsoft product established. Decades ago, Lotus 1-2-3 on top of MS-DOS was the lever; today it’s GCC High.
scottyah: To be fair, it's not always out of maliciousness. A lot of gov workers/contractors join the supplier company because they know the product and how to fix it better than the people currently at the company. Similar to the guy who infamously got hired at Apple just to fix a bug. You're just forced to use vendors, and if you actually care about the mission, it's just a different team on the same mission. Of course you know you're being taken advantage of, and long-term maybe you should have gone to the non-technical side to fight it, but at the end of the day you just want to keep the young boys being shipped off to war safe, and you're much better suited to achieve that by remaining on the technical side. ...or so I've heard.
throwway120385: Yeah I have had this experience too. Woe betide ye if your company gets bought by another company with pre-existing Azure AD.