State actor blamed for cyberattack on B.C. government systems

cbc.ca

45 points by allannienhuis 2 years ago · 29 comments

qp11 2 years ago

Microsoft is looking like the next Boeing for anyone paying attention to the attacks in the last couple years. End result of limitless greed. No TikTok or Snowden required, just the fantastic Microsoft software stack. They can't even protect themselves - https://www.crn.com/news/security/2024/microsoft-says-senior...

  • sofixa 2 years ago

    Azure's security is a joke. They're the only major cloud provider with cross-tenant security vulnerabilities, and they've had like 10 of them in the past years. Some of them were absolutely trivial to exploit, indicating security isn't taken seriously.

  • nox101 2 years ago

    Is that really fair? We had the xz thing recently, that was open source.

    I'm not saying MS isn't the worst. But there are plenty of Linux exploits. An expert IT person might keep that up to date, but your average business, government agency, or hospital is not up to it.

    • ahiknsr 2 years ago

      https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review...

      > The Board concludes that Microsoft’s security culture was inadequate. The Board reaches this conclusion based on:

      > Microsoft’s failure to detect the compromise of its cryptographic crown jewels on its own, relying instead on a customer to reach out to identify anomalies the customer had observed

      > Microsoft’s failure to detect a compromise of an employee’s laptop from a recently acquired company prior to allowing it to connect to Microsoft’s corporate network in 2021

      • nox101 2 years ago

        I'm not sure what your point is, except that when it's Windows there is a single company to blame, vs. when it's Linux there are only random contributors from all over.

        https://www.google.com/search?q=site%3Acisa.gov+linux+securi...

        • throwaway290 2 years ago

          The difference is Microsoft charges money for it, and it's nearly a monopoly for government/healthcare/etc. Taxpayer and institution money. A lot of it.

          Compare it to something out there for anyone to use for free with no obligations.

        • ahiknsr 2 years ago

          Do you not understand the difference between Microsoft and Windows?

          • nox101 2 years ago

            I'm comparing two OSes and pointing out that when one OS has issues there's a single source to point a finger at. When the other OS has just as many or similar issues, there is no one to point a finger at. So if you total up the finger pointing, MS will appear to be doing worse than they are. Whereas if you total up the issues instead of the blame, they're doing probably no worse than average, maybe better.

            If we're talking services, it's similar. 100 companies, 50 using MS, 50 using random non-MS software. 10 break-ins in each category. MS gets the finger pointed at them 10 times. 50 random non-MS companies each get the finger pointed at them just 1 out of 5. Both MS and non-MS have the same number of issues in this hypothetical example, but one looks worse, even though they're not.

            In fact there could be 5 break-ins with MS and 15 with non-MS. But MS would have a finger pointed at them 5 times, and 15 of the 50 random companies would each have a finger pointed at them only once. Yet, if you added up the numbers, you'd be safer with MS (5 failures out of 50) instead of random non-MS (15 failures out of 50).

            I'm not saying that's how it is. I'm saying it's plausible.

            • hmmm-i-wonder 2 years ago

              I'm not sure of your point here. That MS as a company is severely compromised culturally is the root of this discussion, which impacts its products, and you're splitting hairs over specific product comparisons. This isn't specifically about "Windows"; it's about a combination of security issues a single company has had and how that will impact all their products.

              Comparing "Microsoft" the company to individual competitors of its services doesn't serve anything here. Google, Amazon and Apple, its competitors in the relevant space (cloud/services/software) with similar size and scale, would make for better comparisons if you must, and the OS is really one small part of the pie.

            • deletedie 2 years ago

              This is a childish and/or ignorant line of reasoning that ignores Apple, Google, IBM/Red Hat, Oracle, AWS, etc. to land at an odd false dichotomy between Microsoft and "random non-MS software".

    • josefx 2 years ago

      The xz thing never managed to hit production versions of the affected distros. You had to use testing or similar pre-production releases to get hit by it.

    • Hamuko 2 years ago

      Ironically enough the xz backdoor was discovered by a Microsoft employee too.

    • prmoustache 2 years ago

      1. Being a public domain library, likely used in many other proprietary products, I doubt the xz library would have targeted Linux systems only. It may have been the first target because Linux provided a very large blast radius, but it might just have been the beginning of a broader rootkit.

      So I wouldn't call the xz incident Linux-specific.

      2. I don't know why you contrast Microsoft, a provider of online services in the cloud, with Linux, a small piece of software or an OS family depending on your definition.

      This is an apples vs. oranges comparison.

nox101 2 years ago

I'm actually curious: if there is anyone here that's actually an expert on this stuff, can you explain

(1) How do you tell a state actor from just hackers looking to make money?

(2) Is this a solvable problem?

I can't imagine most state agencies, hospitals, doctors offices, small businesses, being able to afford good experienced IT staff. I can't imagine outsourcing it to nearly any company and trusting that company. Exceptions might be Google or Apple but neither company provides more than email/docs/spreadsheets. They don't supply bookkeeping, appointments, medical record management, etc... and AFAICT, all the suppliers for those kinds of services have terrible security practices. And, even if Apple and Google could do a good job there's still social engineering.

  • blueflow 2 years ago

    (1) You really can't. The Mirai botnet was initially attributed to some state actor due to its massive DDoS attacks, but in the end it was just a bunch of teenagers.

    • ClumsyPilot 2 years ago

      I think this is important to keep in mind: media will attribute it back to the ‘enemy of the day’, but the actual evidence is scant.

      The recent UK Ministry of Defence hack was blamed on China, but if you actually dig into it, that’s just a hypothesis and it really could have been anyone. If this was happening straight after 9/11 we’d be blaming terrorists, etc.

  • 7373737373 2 years ago

    These companies can work on building and then actually distributing more secure operating systems. This won't fix problems like social engineering, but it will prevent/harden a ton of other attack vectors.

    Since it allows much more fine grained control over data and resource access than contemporary popular systems, https://en.wikipedia.org/wiki/Capability-based_security and the concept of "hollowing out the attack surface with the https://en.wikipedia.org/wiki/Principle_of_least_privilege" can't be mentioned often enough.

    Some specific projects to mention are https://en.wikipedia.org/wiki/Fuchsia_(operating_system), https://en.wikipedia.org/wiki/Genode and https://en.wikipedia.org/wiki/Qubes_OS

    If these don't make it to the mainstream, it is the responsibility of FAANG companies that at least the concepts/mechanisms contained in them do, in other systems, to provide the world with a secure computing substrate.

  • gds44 2 years ago

    There is an alternative option, which is to stop putting everything online and using the cloud.

    The benefits have been greatly oversold by BigTech multimillion $$$ sales teams. There are lots of stories of bribery involving these contracts.

  • thworp 2 years ago

    re. 1:

    Assuming the source of the attribution is acting with pure intentions, it is usually a preponderance of (mostly circumstantial) evidence. Do the malware and MO look similar to past known attacks? Did they leave any localized strings in the binary file, and if yes, does that nation have an interest in hacking the target? Does the malware use a stack of 0-days and labour-intensive obfuscation techniques (indicating a large amount of resources)? Does the whole picture make sense when you put it all together?

    The above is in an ideal world, in reality almost all attributions are political and based on almost nothing. Even if they were based on some other intelligence source, how could a random member of the public verify that?

    On top of the difficulty of gathering evidence, there is an incentive alignment between the heads of hacked organizations and intelligence agencies. The hacked company will look better as the victim of a "cyberattack" or a "Chinese cyberattack" than as the victim of "random.ransomware.0238023". The intelligence agency can get more funding and PR by proclaiming the same.

  • RobotToaster 2 years ago

    1) It sounds better if you say you were hacked by spooks rather than a teenager in their parents' basement.

  • throwaway290 2 years ago

    > 1) How do you tell a state actor from just hackers looking to make money?

    Why do you think those governments are not just trying to make money? You should check how much crypto DPRK made from ransomware. Krebs and others wrote about it.

    • ClumsyPilot 2 years ago

      Well yes, the real distinction is: is that someone trying to make money, and it’s ‘nothing personal’, or is it political?

      • throwaway290 2 years ago

        Either way a crook who wants easy money, no real distinction.

        But it doesn't mean you can't trace which exact crook did it by correlating various signs. Plus, nation state crooks usually have more capability.
