LinuxQuestions.org


hazel 08-27-2021 11:22 AM

Another Microsoft security breach! This is beginning to get boring.
 
This exploit was discovered by a security company called Wiz, so let's hope no great damage has been done. They found that some data held by Azure can be read, modified and deleted because of a fault in database software called CosmosDB. Users have been warned to change their access keys.

https://www.reuters.com/technology/e...ls-2021-08-26/

rokytnji 08-27-2021 03:52 PM

Maybe repost it in the Windows vs Linux thread?
I read on how they did it.
https://www.wiz.io/blog/chaosdb-how-...mers-databases

This is why my bike tuner laptop stays off line. As much as possible.

I guess their/Redmond's azure foray is running into glitches.
https://azure.microsoft.com/en-us/

hazel 08-28-2021 05:26 AM

I've never understood this "cloud" business. Why do people suppose that their data is more secure on someone else's server than on their own?

Turbocapitalist 08-28-2021 06:49 AM

Quote:

Originally Posted by rokytnji (Post 6279119)
I guess their/Redmond's azure foray is running into glitches.

From the outside it looks like they've been moving line items from other areas in the budget to under the azure heading to fake the appearance of growth. From time to time, one also hears about layoffs in azure but never any hirings.

As for the boring aspect, although the last 25 years have been repetitious as far as M$ failures, the failures are getting more expensive and dangerous as M$ products creep into places they don't belong, such as anything mission critical anywhere. So in that context the part I find boring is the media's lack of coverage of the total cost of ownership of M$ products and the many alternatives which are faster, better, cheaper, easier, etc. all at once.

As for the "cloud", around 25 years ago, you couldn't convince any large business, let alone a multinational, to work with services that weren't self-hosted. That included various databases. Then as now the threat was that competitors could likely monitor the activities. The difference is that now, none in decision making positions care. They care so little that many even run M$ Exchange in place of e-mail thus giving their most pernicious competitor access to more or less all their written communications. The presence of M$ Exchange anywhere is a sign that no one reads the licensing, which in the case of M$ says flat out that they have access. And that's not counting "bug doors".

So a lot of the fault falls on the trade press, though much also on the post-secondary "education" system -- but I stop for now.

business_kid 08-29-2021 06:09 AM

I wasn't much keeping an eye on anything M$ except maybe browsers and windows versions. I have no clue what azure even does, or fails to do.

It does strike me that M$ haven't a clue about security. Not even internet security. And the resistance among the user base to say, entering a password for what should be a secure operation is so great that it's clear users don't want it either. How would you educate the M$ user base to check md5sums of downloads?

You notice, do you, that it's 2 linux users complaining about M$ Security? Do you see this sort of thing on M$ forums?

Turbocapitalist 08-29-2021 06:38 AM

No but then I have nothing to do with M$ forums. I do note in the mainstream press that M$ is being allowed to shift the blame, and attention, away from their egregious and poor design onto various external entities. Years ago they used to blame "Linux people" for the break-ins and that was enough to apparently absolve M$ of any responsibility, or they would just blame those who reported problems for the same result. Now with the international climate like it is, they point to various nation state actors and since those nation states are problematic for many US politicians, the politicians are more than happy to let M$ shift the blame and thus facilitate M$ evasion of responsibility for the ransomware epidemic that they have more or less single handedly created for the world.

hazel 08-29-2021 07:16 AM

Quote:

Originally Posted by Turbocapitalist (Post 6279535)
Years ago they used to blame "Linux people" for the break-ins and that was enough to apparently absolve M$ of any responsibility.

I remember reading, back in the '90s, an American article showing parents how to work out if their teenage son had become a hacker (by which they meant a criminal, not a computer nerd). It was the equivalent then of being radicalised. And one sure sign was that he had put something called "Linux" on his computer instead of using Windows like any civilised person.

business_kid 08-29-2021 11:56 AM

I'm actually going to take issue with the thread title. Only "beginning to get boring"? I think it's been boring for 30 years. Does anyone remember those boot viruses that would infect everyone who read a floppy? Form, Ping Pong, CIH. CIH was actually nasty. It would overwrite your BIOS on April 26th, which in those days was the kiss of death.

cynwulf 08-30-2021 04:34 PM

Quote:

Originally Posted by hazel (Post 6279541)
I remember reading, back in the '90s, an American article showing parents how to work out if their teenage son had become a hacker (by which they meant a criminal, not a computer nerd). It was the equivalent then of being radicalised. And one sure sign was that he had put something called "Linux" on his computer instead of using Windows like any civilised person.

That article was purely satirical...

brianL 08-31-2021 09:40 AM

Microsoft without security breaches is like Hardy without Laurel.
"Here's another fine mess you've gotten me into!"

wpeckham 08-31-2021 11:25 AM

Since Microsoft tracks vulnerabilities using a 16 digit code with 36 values per digit [0-9,A-Z] I would not expect you to understand just how many Microsoft breaches have been detected since 1996, but take it for granted that the number is larger than the length of your attention span. No matter how good your focus. It got boring by 1999. There should be another word for what it is by now.

ondoho 08-31-2021 12:03 PM

Quote:

Originally Posted by hazel (Post 6279541)
I remember reading, back in the '90s, an American article showing parents how to work out if their teenage son had become a hacker (by which they meant a criminal, not a computer nerd). It was the equivalent then of being radicalised. And one sure sign was that he had put something called "Linux" on his computer instead of using Windows like any civilised person.

I just made a web search on that and the first result was wikipedia's article on shitposting.
But I still can't find the actual article. It was pretty funny, but tbh I'm not amused by this type of "internet parody" (?) anymore, since it facilitates the birth of all sorts of crazy conspiracy myths and ultimately created Q-Anon.
Poe's Law is a serious problem.

cwizardone 08-31-2021 12:27 PM

Quote:

MS' Ballmer: Linux is communism
After a short silence, Motormouth is back, folks...
Graham Lea Mon 31 Jul 2000 // 10:10 UTC....
The article can be found here, https://www.theregister.com/2000/07/..._is_communism/

ondoho 08-31-2021 12:42 PM

Quote:

Originally Posted by cwizardone (Post 6280268)

That's not what hazel described and not what I was after.
I don't even think that article is a parody.

sundialsvcs 09-08-2021 11:32 AM

Seriously, every operating system, specifically including Linux, is susceptible to security vulnerabilities, and so there are rather large teams of "white hat" researchers who are constantly looking for them. Whenever a "security update" is published for your distro, you should always apply it immediately, if not automatically.

All of these systems are internally so complex that it's not a matter of "whether" a new vulnerability exists.

cynwulf 09-08-2021 11:51 AM

The thread OP does not relate to a vulnerability in an OS.

"The vulnerability is in Microsoft Azure's flagship Cosmos DB database"

SlowCoder 09-17-2021 02:54 PM

Quote:

Originally Posted by sundialsvcs (Post 6282655)
Seriously, every operating system, specifically including Linux, is susceptible to security vulnerabilities ... ... All of these systems are internally so complex that it's not a matter of "whether" a new vulnerability exists.

This is a point lost on too many people.

To the comment about how many vulnerabilities MS has, there are a litany of them for Apple and Linux as well. Each one found and fixed is one less to worry about.

wpeckham 09-18-2021 09:39 AM

I have not seen a successful OS/2, DOS (IBM or FREE), or CPM exploit in years, I have NEVER seen one for KOLIBRIOS. We are not talking about vulnerabilities, we are talking about actual breaches. At having breaches, Microsoft leads the pack by far. Part of that is that the environment is target rich for someone creating Microsoft breaches. More hardware that is vulnerable and poorly configured for security comes with Microsoft software than any other. Not that it is the only vulnerable target, but that it is the most COMMON most vulnerable target.

Of servers containing desirable data, the most vulnerable targets run on Microsoft systems. It is both the most common target, the easiest exploit, and the most tempting in general. All of this makes it likely to REMAIN the OS with the highest number of breaches for a good long time. Only in part because it is less secure than others, but mostly because it is more successful at getting loaded onto machines that will hold data.

business_kid 09-18-2021 11:55 AM

The fact is, 20th century OSes had basically no security, as programmers concentrated on 'boldly going where no one had gone before' and not hackage. Once it was realised people were being hacked, spammed & robbed, Unix (linux/bsd/whatever) reacted a whole lot faster and better than other OSes - Apple & M$. CP/M, Dos, & OS/2 were dead by this stage, so they didn't react at all. I built HLFS in the early 2000s which had patches to implement
  • Stack Overflow Protection
  • Position independent Code Segments
  • Position independent Executables.
  • Many buffer overflow problems.

GCC & the kernel have made huge strides in security. Vulnerabilities now lie less in the C/C++ code and server programs, and more in individual packages (e.g. javascript), weak passwords, poor encryption, and the like. All fixed I/O (e.g. ISA cards, or software addresses) are gone, and low memory is protected. That requires a much larger amount of work on the part of a hacker. It's a fact that attacking encryption was not thought worth the effort when single core CPUs ran at MHz. But with multicore CPUs running at GHz, This Little Beast boasts 160 × Arm A-76 cores @ 3GHz, and would certainly shorten tasks that could be suitably arranged. Much more so for password cracking. So the hacker is better armed. Exploits were discovered recently enough in wpa_supplicant and bash, and patches went up within a week. The best I've seen from M$ is 'Patch Tuesday.'

But a hacker doesn't have to bother cracking encryption to control a windows/Apple Box. In most cases, he can just use known exploits that have been reported to Apple or M$, and not fixed, or not fixed well enough. Apple have unpatched zero day exploits. Or they can grab a Google OS (Android, Chrome) or iOS, hack them and appear as legit in the eyes of some server. That's the way it's going: hack something soft, which is a trusted source.

In the hack of the Health Service Executive here in Ireland some months back, the backup servers were apparently on the same network as the boxes they were backing up. I have that from a tech insider.

An interesting search is: Unpatched zero day exploit +<OS>. I admit to not reading the search results.
  • Windows has bucketfuls
  • Apple has some, but seems to have patched more after years of neglect.
  • Linux has some, but most remark on how difficult the bug is to exploit.
  • Lastly, bug-hunters have noted many they found that are not patched yet, according to Slashdot. I remember reading it, but can't find the URL.

This link is interesting, though.

ondoho 09-19-2021 07:29 AM

Quote:

Originally Posted by wpeckham (Post 6285186)
I have not seen a successful OS/2, DOS (IBM or FREE), or CPM exploit in years, I have NEVER seen one for KOLIBRIOS.

Doesn't mean there isn't one.
These things get reported in direct proportion to the popularity of the OS.

Also, hackers (the bad ones) aren't very interested in hacking any of these - no incentive.

wpeckham 09-19-2021 09:21 AM

Quote:

Originally Posted by ondoho (Post 6285380)
Doesn't mean there isn't one.
These things get reported in direct proportion to the popularity of the OS.

Also, hackers (the bad ones) aren't very interested in hacking any of these - no incentive.

Those were the points I hoped someone would take away. Advantage, the uncommon road: fewer highwaymen.

rokytnji 09-19-2021 04:01 PM

Quote:

Originally Posted by ondoho (Post 6285380)
Doesn't mean there isn't one.
These things get reported in direct proportion to the popularity of the OS.

Also, hackers (the bad ones) aren't very interested in hacking any of these - no incentive.


Kinda describes me in a pub. Being 6 foot 7 inches. I am usually guaranteed an interesting evening.

Being uniform does have its advantages. Nobody notices you then. < except for Windows >

I get the same attention from the po po when on my motorcycle also.

Funny how folks look at this.

Run Windows and get hacked for being the norm.
Run Linux like an outlaw and nobody cares.

Kinda opposite?

ondoho 09-20-2021 01:16 AM

^ Wrong analogy. Linux isn't illegal.

Let's try this one:

You ride a standard off-the-shelf big brand motorcycle, you can get spare parts everywhere, but you're also likely to get scammed, and even more likely to get your bike stolen (because big brand, big numbers, easier to resell).

Or

You ride a rare brand of motorcycle you had to put together yourself, possibly with customisations, you are going to have a harder time getting spare parts, but when you do you can be sure they're the real deal, and also your bike is less likely to get stolen because it's much harder to resell.

wpeckham 09-20-2021 08:33 AM

Another viewpoint on "Another Microsoft security breach! This is beginning to get boring.":
In the 1980s this was shocking, in the 1990s it became boring.
Since 1999 this has just been normal and expected.

sundialsvcs 09-20-2021 01:02 PM

Security is a process. As long as people are studying computer software in search of exploitable bugs, other people have to be fighting a counter-offensive. This of course will never, ever stop. And, every computer operating system and programming language will always be susceptible. This isn't exactly "boring," but it is also not exactly "news."

maw_walker 09-20-2021 01:29 PM

sundialsvcs: very well said, thank you.

business_kid 09-21-2021 05:06 AM

Quote:

Originally Posted by sundialsvcs (Post 6285673)
Security is a process. As long as people are studying computer software in search of exploitable bugs, other people have to be fighting a counter-offensive. This of course will never, ever stop. And, every computer operating system and programming language will always be susceptible. This isn't exactly "boring," but it is also not exactly "news."

Indeed. BSD "fortunes" gave me this in a definition of 'bug':
Code:

Bug:    An elusive creature living in a program that makes it incorrect. The activity of "debugging," or
removing bugs from a program, ends when people get tired of doing it, not when the bugs are removed.

The curse is that any server is a target, and the hacker can take as many shots at it as he likes. He only has to strike lucky once.

business_kid 09-22-2021 07:33 AM

As we're on bugs, here's interesting stuff on Chinese mobiles
https://www.bbc.com/news/technology-58652249

hazel 09-22-2021 07:47 AM

Quote:

Originally Posted by business_kid (Post 6286092)
As we're on bugs, here's interesting stuff on Chinese mobiles
https://www.bbc.com/news/technology-58652249

That doesn't surprise me at all. The Chinese bug everything they make and all their social media channels spy on their users. That's why Huawei got kicked out of the UK 5G project.

cynwulf 09-22-2021 11:54 AM

Oh dear... Chinese competition are becoming such a big threat to "big tech"....

Last few paragraphs of the article quickly remind the reader of the recent tensions with regards to Taiwan. There is no mention of bugging - the Xiaomi devices apparently, according to the Lithuanians, have built in censorship, only relevant to China, which would obviously damage sales if it were enabled elsewhere... There is also some mention of usage stats being transmitted to somewhere in Singapore... so not so different to what Faecebook, Microsoft, Apple, google, Amazon, even Mozilla get up to...

The "Chinese phones" statement is also rather ironic considering all the big fabs for US, Japanese and Korean manufacturers are in China anyway.

It was actually the US - Trump - who threatened Johnson and the British over Huawei, prior to that the doors were wide open, for better or for worse.

business_kid 09-22-2021 12:05 PM

Well, Trump seemed to be in a minority of one when he started on that, but maybe by some freak of nature he was right. It certainly won't improve their Electronic exports!

The fact is, everything has an FPGA or an ASIC in it. These can have any number of devices. The southbridge type device in each PC has disk controllers, network card, wifi chip, bluetooth, infra-red, GPS if someone takes the humour, keyboard, mouse, usb, and whatever else, usually in precompiled cores.

Where this gets interesting is because of the special position of Taiwan. So much semiconductor stuff to drive the world's devices goes through Taiwan's TSMC. They will be the only ones able to manufacture the next generation of 3nm chip wafers. They will certainly be the first. IBM's 2nm looks like a proof-of-concept only and some imaginative accounting.

Would the West go to war to save Taiwan? It may come down to that. Otherwise, no joy on the 3nm chips, and progress halts. In fact, any product fitted with them could only get bugged replacements if China takes over Taiwan.

ondoho 09-23-2021 01:31 AM

Quote:

Originally Posted by cynwulf (Post 6286150)
The "Chinese phones" statement is also rather ironic considering all the big fabs for US, Japanese and Korean manufacturers are in China anyway.

Not the software though, and the article only mentions software.
I am not sure to what extent any of this also applies to firmware (which is more likely to be made in China). But I think I remember some articles from years ago where firmware spying was an issue.

business_kid 09-23-2021 03:54 AM

Firmware is an interesting one.

A chip or IP core (for putting in an ASIC) say for example a network card, can be released with a proprietary cpu inside. This could simply be a standard cpu with the instruction set changed - easy to do at that low level. The point is, nobody outside your company would know exactly what the firmware actually did. It would perhaps be a wise move for some of these larger firms with the Chinese Government looking over your shoulder so intrusively.

Even now, there's no onus on a company to disclose what their internal cpu is. Then, they can simply say it's proprietary if asked. It may cost them DoD sales.

What I haven't figured is what they do with all the data. They have more data than google.

ondoho 09-24-2021 02:43 PM

Quote:

Originally Posted by business_kid (Post 6286335)
What I haven't figured is what they do with all the data. They have more data than google.

Well, you have answered your own question - because what does google do with all that data? They broker it and make a f*ckton of money in the process. In fact "making a ton of money" seems too small a term considering how big Google/Alphabet really is.
So, that's what others also do with that data. They sell it. Maybe to their government, maybe to someone else - the principle is the same.

cynwulf 09-28-2021 08:16 AM

Quote:

Originally Posted by ondoho (Post 6286307)
Not the software though, and the article only mentions software.
I am not sure to what extent any of this also applies to firmware (which is more likely to be made in China). But I think I remember some articles from years ago where firmware spying was an issue.

From a business perspective - the Chinese manufacturers want to sell devices to the "the west"... any surveillance tech / back doors, whatever you want to call it, or just telemetry which "talks" to servers which are owned by companies which have, or could be conceived as having, close links to the government, is just bad PR waiting to happen. Bad PR = lost reputation and lost sales, especially in the west where fear-mongering over China (and Russia) abounds. Who benefits from that? The competition - who happen to be US based big tech...

XDA Developers actually investigated the claims:

https://www.xda-developers.com/xiaom...ist-explained/

ondoho 10-02-2021 02:26 PM

Quote:

Originally Posted by cynwulf (Post 6287469)
XDA Developers actually investigated the claims:
https://www.xda-developers.com/xiaom...ist-explained/

So, just some sort of strange adblock list.
What an interesting and utterly half-baked article. Like most of xda-developers, really.
I can't say I'm bothered by any of this, but it's always interesting to get a glimpse into this parallel universe of "smart"phone users. Who probably outnumber us by orders of magnitude.

cynwulf 10-04-2021 09:03 AM

Yes, I'm with you on that - however he does quite a bit more investigation into the actual issue than UK mainstream media...

The BBC article amounts to: "this random guy in Lithuania says that Chinese phones are loaded with spyware and censorship... well it's the Chinese..."


All times are GMT -5.