Whistleblower says Microsoft left US govt hackable – Asia Times
by Renee Dudley, with research by Doris Burke
This story was originally published by ProPublica, a Pulitzer Prize-winning investigative newsroom.
Microsoft hired Andrew Harris for his extraordinary skill in keeping hackers out of the nation’s most sensitive computer networks. In 2016, Harris was hard at work on a mystifying incident in which intruders had somehow penetrated a major US tech company.
The breach troubled Harris for two reasons. First, it involved the company’s cloud — a virtual storehouse typically containing an organization’s most sensitive data. Second, the attackers had pulled it off in a way that left little trace.
He retreated to his home office to “war game” possible scenarios, stress-testing the various software products that could have been compromised.
Early on, he focused on a Microsoft application that ensured users had permission to log on to cloud-based programs, the cyber equivalent of an officer checking passports at a border. It was there, after months of research, that he found something seriously wrong.
The product, which was used by millions of people to log on to their work computers, contained a flaw that could allow attackers to masquerade as legitimate employees and rummage through victims’ “crown jewels” — national security secrets, corporate intellectual property, embarrassing personal emails — all without tripping alarms.
To Harris, who previously had spent nearly seven years working for the US Defense Department, it was a security nightmare. Anyone using the software was exposed, regardless of whether they used Microsoft or another cloud provider such as Amazon. But Harris was most concerned about the federal government and the implications of his discovery for national security. He flagged the issue to his colleagues.
They saw it differently, Harris said. The federal government was preparing to make a massive investment in cloud computing, and Microsoft wanted the business. Acknowledging this security flaw could jeopardize the company’s chances, Harris recalled one product leader telling him. The financial consequences were enormous. Not only could Microsoft lose a multibillion-dollar deal, but it could also lose the race to dominate the market for cloud computing.
Harris said he pleaded with the company for several years to address the flaw in the product, a ProPublica investigation has found. But, at every turn, Microsoft dismissed his warnings, telling him they would work on a long-term alternative — leaving cloud services around the globe vulnerable to attack in the meantime.
Harris was certain someone would figure out how to exploit the weakness. He had come up with a temporary solution, but it required customers to turn off one of Microsoft’s most convenient and popular features: the ability to access nearly every program used at work with a single logon.
He scrambled to alert some of the company’s most sensitive customers about the threat and personally oversaw the fix for the New York Police Department. Frustrated by Microsoft’s inaction, he left the company in August 2020.
Within months, his fears became reality. US officials confirmed reports that a state-sponsored team of Russian hackers had carried out SolarWinds, one of the largest cyberattacks in US history.
They used the flaw Harris had identified to vacuum up sensitive data from a number of federal agencies – including, ProPublica has learned, the National Nuclear Security Administration, which maintains the United States’ nuclear weapons stockpile, and the National Institutes of Health, which at the time was engaged in Covid-19 research and vaccine distribution.
The Russians also used the weakness to compromise dozens of email accounts in the Treasury Department, including those of its highest-ranking officials. One federal official described the breach as “an espionage campaign designed for long-term intelligence collection.”
Harris’ account, told here for the first time and supported by interviews with former colleagues and associates as well as social media posts, upends the prevailing public understanding of the SolarWinds hack.
From the moment the hack surfaced, Microsoft insisted it was blameless. Microsoft President Brad Smith assured Congress in 2021 that “there was no vulnerability in any Microsoft product or service that was exploited” in SolarWinds.
He also said customers could have done more to protect themselves.
Harris said they were never given the chance.
“The decisions are not based on what’s best for Microsoft’s customers but on what’s best for Microsoft,” said Harris, who now works for CrowdStrike, a cybersecurity company that competes with Microsoft.
Microsoft declined to make Smith and other top officials available for interviews for this story, but it did not dispute ProPublica’s findings. Instead, the company issued a statement in response to written questions.
“Protecting customers is always our highest priority,” a spokesperson said. “Our security response team takes all security issues seriously and gives every case due diligence with a thorough manual assessment, as well as cross-confirming with engineering and security partners. Our assessment of this issue received multiple reviews and was aligned with the industry consensus.”
ProPublica’s investigation comes as the Pentagon seeks to expand its use of Microsoft products — a move that has drawn scrutiny from federal lawmakers amid a series of cyberattacks on the government.
Smith is set to testify on Thursday before the House Homeland Security Committee, which is examining Microsoft’s role in a breach perpetrated last year by hackers connected to the Chinese government. Attackers exploited Microsoft security flaws to gain access to top US officials’ emails. In investigating the attack, the federal Cyber Safety Review Board found that Microsoft’s “security culture was inadequate and requires an overhaul.”
For its part, Microsoft has said that work has already begun, declaring that the company’s top priority is security “above all else.” Part of the effort involves adopting the board’s recommendations. “If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security,” the company’s CEO, Satya Nadella, told employees in the wake of the board’s report, which identified a “corporate culture that deprioritized both enterprise security investments and rigorous risk management.”
ProPublica’s investigation adds new details and pivotal context about that culture, offering an unsettling look into how the world’s largest software provider handles the security of its own ubiquitous products. It also offers crucial insight into just how much the quest for profits can drive those security decisions, especially as tech behemoths push to dominate the newest — and most lucrative — frontiers, including the cloud market.
“This is part of the problem overall with the industry,” said Nick DiCola, who was one of Harris’s bosses at Microsoft and now works at Zero Networks, a network security firm. Publicly-traded tech giants “are beholden to the share price, not to doing what’s right for the customer all the time. That’s just a reality of capitalism. You’re never going to change that in a public company because at the end of the day, they want the shareholder value to go up.”
A “Cloud-First World”
Early this year, Microsoft surpassed Apple to become the world’s most valuable company, worth more than $3 trillion. That triumph was almost unimaginable a decade ago. (The two remain in close competition for the top spot.)
In 2014, the same year that Harris joined Microsoft and Nadella became the CEO, Wall Street and consumers alike viewed the company as stuck in the past, clinging to the “shrink-wrapped” software products like Windows that put it on the map in the 1990s. Microsoft’s long-stagnant share price reflected its status as an also-ran in almost every major technological breakthrough since the turn of the century, from its Bing search engine to its Nokia mobile phone division.
As the new CEO, Nadella was determined to reverse the trend and shake off the company’s fuddy-duddy reputation, so he staked Microsoft’s future on the Azure cloud computing division, which then lagged far behind Amazon. In his earliest all-staff memo, Nadella told employees they would need “to reimagine a lot of what we have done in the past for a … cloud-first world.”
Microsoft salespeople pitched business and government customers on a “hybrid cloud” strategy, where they kept some traditional, on-premises servers (typically stored on racks in customers’ own offices) while shifting most of their computing needs to the cloud (hosted on servers in Microsoft data centers).
Security was a key selling point for the cloud. On-site servers were notoriously vulnerable, in part because organizations’ overburdened IT staff often failed to promptly install the required patches and updates. With the cloud, that crucial work was handled by dedicated employees whose job was security.
The dawn of the cloud era at Microsoft was an exciting time to work in the field of cybersecurity for someone like Harris, whose high school yearbook features a photo of him in front of a desktop computer and monitor with a mess of floppy disks beside him. One hand is on the keyboard, the other on a wired mouse. Caption: “Harris the hacker.”
As a sophomore at Pace University in New York, he wrote a paper titled “How to Hack the Wired Equivalent Protocol,” referring to a network security standard, and was awarded a prestigious Defense Department scholarship that the government uses to recruit cybersecurity specialists. The National Security Agency paid for three years of his tuition, which included a master’s degree in software engineering, in exchange for a commitment to work for the government for at least that long, he said.
Early in his career, he helped lead the Defense Department’s efforts to protect individual devices. He became an expert in the niche field known as identity and access management, securing how people log in.
As the years wore on, he grew frustrated by the lumbering bureaucracy and craved the innovation of the tech industry. He decided he could make a bigger impact in the private sector, which designed much of the software the government used.
At Microsoft he was assigned to a secretive unit known as the “Ghostbusters” (as in: “Who you gonna call?”), which responded to hacks of the company’s most sensitive customers, especially the federal government. As a member of this team, Harris first investigated the puzzling attack on the tech company and remained obsessed with it, even after switching roles inside Microsoft.
Eventually, he confirmed the weakness within Active Directory Federation Services, or AD FS, a product that allowed users to sign on a single time to access nearly everything they needed. The problem, he discovered, rested in how the application used a computer language known as SAML to authenticate users as they logged in.
This is what makes a SAML attack unique. Typically, hackers leave what cybersecurity specialists call a “noisy” digital trail. Network administrators monitoring the so-called “audit logs” might see unknown or foreign IP addresses attempting to gain access to their cloud services. But SAML attacks are much harder to detect. The forged token is the equivalent of a robber using a copied master key. There was little trail to track, just the activities of what appear to be legitimate users.
Harris and a colleague who consulted for the Department of Defense spent hours in front of both real and virtual whiteboards as they mapped out how such an attack would work, the colleague told ProPublica. The “token theft” risk, as Harris referred to it, became a regular topic of discussion for them.
A Clash With “Won’t Fix” Culture
Before long, Harris alerted his supervisors about his SAML finding. Nick DiCola, his boss at the time, told ProPublica he referred Harris to the Microsoft Security Response Center, which fields reports of security vulnerabilities and determines which need to be addressed. Given its central role in improving Microsoft product security, the team once considered itself the “conscience of the company,” urging colleagues to improve security without regard to profit. In a meeting room, someone hung a framed photo of Winston “the Wolf,” the charismatic fixer in Quentin Tarantino’s movie “Pulp Fiction” who is summoned to clean up the aftermath of bloody hits.
Members of the team were not always popular within the company. Plugging security holes is a cost center, and making new products is a profit center, former employees told ProPublica. In 2002, the company’s founder, Bill Gates, tried to settle the issue, sending a memo that turned out to be eerily prescient. “Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customers’ view of us as a company,” Gates wrote, adding: “So now, when we face a choice between adding features and resolving security issues, we need to choose security.”
At first, Gates’ memo was transformational and the company’s product divisions were more responsive to the center’s concerns. But, over time, the center’s influence waned.
Its members were stuck between cultural forces. Security researchers — often characterized as having outsized egos — believed their findings should be immediately addressed, underestimating the business challenges of developing fixes quickly, former MSRC employees told ProPublica.
Product managers had little motivation to act fast, if at all, since compensation was tied to the release of new, revenue-generating products and features. That attitude was particularly pronounced in Azure product groups, former MSRC members said, because they were under pressure from Nadella to catch up to Amazon.
“Azure was the Wild West, just this constant race for features and functionality,” said Nate Warfield, who worked in the MSRC for four years beginning in 2016. “You will get a promotion because you released the next new shiny thing in Azure. You are not going to get a promotion because you fixed a bunch of security bugs.”
Former employees told ProPublica that the center fielded hundreds or even thousands of reports a month, pushing the perennially understaffed group to its limits. The magazine Popular Science noted that volume as one of the reasons why working in the MSRC was one of the 10 “worst jobs in science,” between whale feces researchers and elephant vasectomists.
“They’re trained, because they’re so resource constrained, to think of these cases in terms of: ‘How can I get to ‘won’t fix,’” said Dustin Childs, who worked in the MSRC in the years leading up to Harris’ saga. Staff would often punt on fixes by telling researchers they would be handled in “v-next,” the next product version, he said. Those launches, however, could be years away, leaving customers vulnerable in the interim, he said.
The center also routinely rejected researchers’ reports of weaknesses by saying they didn’t cross what its staff called a “security boundary.” But when Harris discovered the SAML flaw, it was a term with no formal definition, former employees said.
By 2017, the lack of clarity had become the “butt of jokes,” Warfield said. Several prominent security researchers who regularly interacted with the MSRC made T-shirts and stickers that said “____” (meaning fill in the blank) “is not a security boundary.”
“Any time Microsoft didn’t want to fix something, they’d just say, ‘That’s not a security boundary, we’re not going to fix it,’” Warfield recalled.
Unaware of the inauspicious climate, Harris met virtually with MSRC representatives and sketched out how a hacker could jump from an on-premises server to the cloud without being detected. The MSRC declined to address the problem. Its staff argued that hackers attempting to exploit the SAML flaw would first have to gain access to an on-premises server. As they saw it, Harris said, that was the security boundary — not the subsequent hop to the cloud.
Business over security
“WTF,” Harris recalled thinking when he got the news. “This makes no sense.”
Microsoft had told customers the cloud was the safest place to put their most precious data. His discovery proved that, for the millions of users whose systems included AD FS, their cloud was only as secure as their on-premises servers. In other words, all the buildings owned by the landlord are only as secure as the most careless tenant who forgot to lock a window.
Harris pushed back, but he said the MSRC held firm.
Harris had a reputation for going outside the chain of command to air his concerns, and he took his case to the team managing the products that verified user identities.
He had some clout, his former colleagues said. He had already established himself as a known expert in the field, had pioneered a cybersecurity threat detection method and later was listed as the named inventor on a Microsoft patent. Harris said he “went kind of crazy” and fired off an email to product manager Mark Morowczynski and director Alex Simons requesting a meeting.
He understood that developing a long-term fix would take time, but he had an interim solution that could eliminate the threat. One of the main practical functions of AD FS was to allow users to access both on-premises servers and a variety of cloud-based services after entering credentials only once, a Microsoft feature known as “seamless” single sign-on. Harris proposed that Microsoft tell its customers to turn off that function so the SAML weakness would no longer matter.
According to Harris, Morowczynski quickly jumped on a videoconference and said he had discussed the concerns with Simons.
“Everyone violently agreed with me that this is a huge issue,” Harris said. “Everyone violently disagreed with me that we should move quickly to fix it.”
Morowczynski, Harris said, had two primary objections.
First, a public acknowledgement of the SAML flaw would alert adversaries who could then exploit it. Harris waved off the concern, believing it was a risk worth taking so that customers wouldn’t be ignorant to the threat. Plus, he believed Microsoft could warn customers without betraying any specifics that could be co-opted by hackers.
According to Harris, Morowczynski’s second objection revolved around the business fallout for Microsoft. Harris said Morowczynski told him that his proposed fix could alienate one of Microsoft’s largest and most important customers: the federal government, which used AD FS. Disabling seamless SSO would have widespread and unique consequences for government employees, who relied on physical “smart cards” to log onto their devices.
Required by federal rules, the cards generated random passwords each time employees signed on. Due to the configuration of the underlying technology, though, removing seamless SSO would mean users could not access the cloud through their smart cards. To access services or data on the cloud, they would have to sign in a second time and would not be able to use the mandated smart cards.
Harris said Morowczynski rejected his idea, saying it wasn’t a viable option.
Morowczynski told Harris that his approach could also undermine the company’s chances of getting one of the largest government computing contracts in US history, which would be formally announced the next year. Internally, Nadella had made clear that Microsoft needed a piece of this multibillion-dollar deal with the Pentagon if it wanted to have a future in selling cloud services, Harris and other former employees said.
Killing the competition
By Harris’s account, the team was also concerned about the potential business impact on the products sold by Microsoft to sign into the cloud. At the time, Microsoft was in a fierce rivalry with a company called Okta.
Microsoft customers had been sold on seamless SSO, which was one of the competitive advantages — or, in Microsoft parlance, “kill points” — that the company then had over Okta, whose users had to sign on twice, Harris said.
Harris’ proposed fix would undermine the company’s strategy to marginalize Okta and would “add friction” to the user experience, whereas the “No. 1 priority was to remove friction,” Harris recalled Morowczynski telling him. Moreover, it would have cascading consequences for the cloud business because the sale of identity products often led to demand for other cloud services.
“That little speed bump of you authenticating twice was unacceptable by Microsoft’s standards,” Harris said. He recalled Morowczynski telling him that the product group’s call “was a business decision, not a technical one.”
“What they were telling me was counterintuitive to everything I’d heard at Microsoft about ‘customer first,’” Harris said. “Now they’re telling me it’s not ‘customer first,’ it’s actually ‘business first.’”
DiCola, Harris’ then-supervisor, told ProPublica the race to dominate the market for new and high-growth areas like the cloud drove the decisions of Microsoft’s product teams. “That is always like, ‘Do whatever it frickin’ takes to win because you have to win.’ Because if you don’t win, it’s much harder to win it back in the future. Customers tend to buy that product forever.”
According to Harris, Morowczynski said his team had “on the road map” a product that could replace AD FS altogether. But it was unclear when it would be available to customers.
In the months that followed, Harris vented to his colleagues about the product group’s decision. ProPublica talked to three people who worked with Harris at the time and recalled these conversations. All of them spoke on the condition of anonymity because they feared professional repercussions. The three said Harris was enraged and frustrated over what he described to them as the product group’s unwillingness to address the weakness.
Neither Morowczynski nor Simons returned calls seeking comment, and Microsoft declined to make them available for interviews. The company did not dispute the details of Harris’ account. In its statement, Microsoft said it weighs a number of factors when it evaluates potential threats. “We prioritize our security response work by considering potential customer disruption, exploitability, and available mitigations,” the spokesperson said. “We continue to listen to the security research community and evolve our approach to ensure we are meeting customer expectations and protecting them from emerging threats.”
Another major warning
Following the conversation with Morowczynski, Harris wrote a reminder to himself on the whiteboard in his home office: “SAML follow-up.” He wanted to keep the pressure on the product team.
Soon after, the Massachusetts- and Tel Aviv-based cybersecurity firm CyberArk published a blog post describing the flaw, which it dubbed “Golden SAML,” along with a proof of concept, essentially a road map that showed how hackers could exploit the weakness.
Years later, in his written testimony for the Senate Intelligence Committee, Microsoft’s Brad Smith said this was the moment the company learned of the issue. “The Golden SAML theory became known to cybersecurity professionals at Microsoft and across the U.S. government and the tech sector at precisely the same time, when it was published in a public paper in 2017,” Smith wrote.
Lavi Lazarovitz of CyberArk said the firm mentioned the weakness — before the post was published — in a private WhatsApp chat of about 10 security researchers from various companies, a forum members used to compare notes on emerging threats. When they raised the discovery to the group, which included at least one researcher from Microsoft, the other members were dismissive, Lazarovitz said.
“Many in the security research community — I don’t want to say mocked — but asked, ‘Well, what’s the big deal?’” Lazarovitz said.
Nevertheless, CyberArk believed it was worth taking seriously, given that AD FS represented the gateway to users’ most sensitive information, including email. “Threat actors operate in between the cracks,” Lazarovitz said. “So obviously, we understood the feedback that we got, but we still believed that this technique will be eventually leveled by threat actors.”
The Israel-based team also reached out to contacts at Microsoft’s Israeli headquarters and were met with a response similar to the one they got in the WhatsApp group, Lazarovitz said.
The published report was CyberArk’s way of warning the public about the threat. Disclosing the weakness also had a business benefit for the company. In the blog post, it pitched its own security product, which it said “will be extremely beneficial in blocking attackers from getting their hands on important assets like the token-signing certificate in the first place.”
The report initially received little attention. Harris, however, seized on it. He said he alerted Morowczynski and Simons from the product group as well as the MSRC. The situation was more urgent than before, Harris argued to them, because CyberArk included the proof of concept that could be used by hackers to carry out a real attack. For Harris, it harkened back to Morowczynski’s worry that flagging the weakness could give hackers an advantage.
“I was more energetic than ever to have us actually finally figure out what we’re going to do about this,” Harris said.
But the MSRC reiterated its “security boundary” stance, while Morowczynski reaffirmed the product group’s earlier decision, Harris said.
Harris said he then returned to his supervisors, including Hayden Hainsworth and Bharat Shah, who, as corporate vice president of the Azure cloud security division, also oversaw the MSRC. “I said, ‘Can you guys please listen to me,’” Harris recalled. “‘This is probably the most important thing I’ve ever done in my career.’”
Harris said they were unmoved and told him to take the problem back to the MSRC.
Microsoft did not publicly comment on the CyberArk blog post at the time. Years later, in written responses to Congress, Smith said the company’s security researchers reviewed the information but decided to focus on other priorities. Neither Hainsworth nor Shah returned calls seeking comment.
Defusing a ticking bomb
Harris said he was deeply frustrated. On a personal level, his ego was bruised. Identifying major weaknesses is considered an achievement for cybersecurity professionals, and, despite his internal discovery, CyberArk had claimed Golden SAML.
More broadly, he said he was more worried than ever, believing the weakness was a ticking bomb. “It’s out in the open now,” he said.
Publicly, Microsoft continued to promote the safety of its products, even boasting of its relationship with the federal government in sales pitches. “To protect your organization, Azure embeds security, privacy, and compliance into its development methodology,” the company said in late 2017, “and has been recognized as the most trusted cloud for US government institutions.”
Internally, Harris complained to colleagues that customers were being left vulnerable.
“He was definitely having issues” with the product team, said Harris’ former Microsoft colleague who consulted for the Defense Department. “He vented that it was a problem that they just wanted to ignore.”
Harris typically pivoted from venting to discussing how to protect customers, the former colleague said. “I asked him to show me what I’m going to have to do to make sure the customers were aware and could take corrective action to mitigate the risk,” he said.
Harris also took his message to LinkedIn, where he posted a discreet warning and an offer.
“I hope all my friends and followers on here realize by now the security relationship” involved in authenticating users in AD FS, he wrote in 2019. “If not, reach out and let’s fix that!”
Separately, he realized he could help customers with whom he had existing relationships, including the NYPD, the nation’s largest police force.
“Knowing this exploit is actually possible, why would I not architect around it, especially for my critical customers?” Harris said.
On a visit to the NYPD, Harris told a top IT official, Matthew Fraser, about the AD FS weakness and recommended disabling seamless SSO. Fraser was in disbelief at the severity of the issue, Harris recalled, and he agreed to disable seamless SSO.
In an interview, Fraser confirmed the meeting.
“This was identified as one of those areas that was prime, ripe,” Fraser said of the SAML weakness. “From there, we figured out what’s the best path to insulate and secure.”
More troubling revelations
It was over beers at a conference in Orlando in 2018 that Harris learned the weakness was even worse than he’d initially realized. A colleague sketched out on a napkin how hackers could also bypass a common security feature called multifactor authentication, which requires users to perform one or more additional steps to verify their identity, such as entering a code sent via text message.
They realized that, no matter how many additional security steps a company puts in place, a hacker with a forged token can bypass them all. When they brought the new information to the MSRC, “it was a nonstarter,” Harris said. While the center had published a formal definition of “security boundary” by that point, Harris’ issues still didn’t meet it.
By March 2019, concerns over Golden SAML were spilling out into the wider tech world. That month, at a conference in Germany, two researchers from the cybersecurity company Mandiant delivered a presentation demonstrating how hackers could infiltrate AD FS to gain access to organizations’ cloud accounts and applications. They also released the tools they used to do so.
Mandiant said it notified Microsoft before the presentation, making it the second time in roughly 16 months that an outside firm had flagged the SAML issue to the company.
In August 2020, Harris left Microsoft to work for CrowdStrike. In his exit interview with Shah, Harris said he raised the SAML weakness one last time. Shah listened but offered no feedback, he said.
“There is no inspector general-type thing” within Microsoft, Harris said. “If something egregious is happening, where the hell do you go? There’s no place to go.”
SolarWinds breaks
Four months later, news of the SolarWinds attack broke. Federal officials soon announced that beginning in 2019 Russian hackers had breached and exploited the network management software offered by a Texas-based company called SolarWinds, which had the misfortune of lending its name to the attack. The hackers covertly inserted malware into the firm’s software updates, gaining “backdoor” access to the networks of companies and government agencies that installed them. The ongoing access allowed hackers to take advantage of “post-exploit” vulnerabilities, including Golden SAML, to steal sensitive data and emails from the cloud.
Despite the name, nearly a third of victims of the attack never used SolarWinds software at all, Brandon Wales, then acting director of the federal Cybersecurity and Infrastructure Security Agency, said in the aftermath. In March 2021, Wales told a Senate panel that hackers were able to “gain broad access to data stores that they wanted, largely in Microsoft Office 365 Cloud … and it was all because they compromised those systems that manage trust and identity on networks.”
Microsoft itself was also breached.
In the immediate aftermath of the attack, Microsoft advised customers of Microsoft 365 to disable seamless SSO in AD FS and similar products — the solution that Harris had proposed three years earlier.
As the world dealt with the consequences, Harris took his long simmering frustration public in a series of posts on social media and on his personal blog. Challenging Brad Smith by name, and criticizing the MSRC’s decisions — which he referred to as “utter BS” — Harris lambasted Microsoft for failing to publicly warn customers about Golden SAML.
Microsoft “was not transparent about these risks, forced customers to use ADFS knowing these risks, and put many customers and especially US Gov’t in a bad place,” Harris wrote on LinkedIn in December 2020. A long-term fix was “never a priority” for the company, he wrote. “Customers are boned and sadly it’s been that way for years (which again, sickens me),” Harris said in the post.
In the months and years following the SolarWinds attack, Microsoft took a number of actions to mitigate the SAML risk. One of them was a way to efficiently detect fallout from such a hack. The advancement, however, was available only as part of a paid add-on product known as Sentinel.
The lack of such a detection, the company said in a blog post, had been a “blind spot.”
‘Microsoft Is back on top’
In early 2021, the Senate Select Committee on Intelligence called Brad Smith to testify about SolarWinds.
Although Microsoft’s product had played a central role in the attack, Smith seemed unflappable, his easy and conversational tone a reflection of the relationships he had spent decades building on Capitol Hill. Without referencing notes or reading from a script, as some of his counterparts did, he confidently deflected questions about Microsoft’s role.
Laying the responsibility with the government, he said that in the lead-up to the attack, the authentication flaw “was not prioritized by the intelligence community as a risk, nor was it flagged by civilian agencies or other entities in the security community as a risk that should be elevated” over other cybersecurity priorities.
Smith also downplayed the significance of the Golden SAML weakness, saying it was used in just 15% of the 60 cases that Microsoft had identified by that point. At the same time, he acknowledged that, “without question, these are not the only victims who had data observed or taken.”
When Senator Marco Rubio of Florida pointedly asked him what Microsoft had done to address Golden SAML in the years before the attack, Smith responded by listing a handful of steps that customers could have taken to protect themselves. His suggestions included purchasing an antivirus product like Microsoft Defender and securing devices with another Microsoft product called Intune.
“The reality is any organization that did all five of those things, if it was breached, it in all likelihood suffered almost no damage,” Smith said.
Neither Rubio nor any other senator pressed further.
Ultimately, Microsoft won a piece of the Defense Department’s multibillion-dollar cloud business, sharing it with Amazon, Google and Oracle.
Since December 2020, when the SolarWinds attack was made public, Microsoft’s stock has soared 106%, largely on the runaway success of Azure and artificial intelligence products like ChatGPT, where the company is the largest investor. “Microsoft Is Back on Top,” proclaimed Fortune, which featured Nadella on the cover of its most recent issue.
In September 2021, just 10 months after the discovery of SolarWinds, the paperback edition of Smith’s book, “Tools and Weapons,” was published. In it, Smith praised Microsoft’s response to the attack. The MSRC, Smith wrote, “quickly activated its incident response plan” and the company at large “mobilized more than 500 employees to work full time on every aspect of the attack.”
In the new edition, Smith also reflected on his congressional testimony on SolarWinds. The hearings, he wrote, “examined not only what had happened but also what steps needed to be taken to prevent such attacks in the future.” He didn’t mention it in the book, but that certainly would include the long-term alternative that Morowczynski first promised to Harris in 2017. The company began offering it in 2022.
Renee Dudley is a tech reporter at ProPublica. Follow her on X @renee_dudley.
Doris Burke, a senior research reporter at ProPublica, provided research.
‘Majority’ disagree with amnesty bill
The deputy speaker of the house purchases an investigation into the effects of online surveys for potential irregularities
PUBLISHED: 13 Jun 2024 at 20: 25
A bill sponsored by civil society organizations seeking asylum in social and lese-majeste cases dating up to September 2006 is opposed by the majority of House of Representatives survey respondents.
The final results of the month- long online survey showed that 64.66 % rejected the bill, with 35.34 % in favour.
From May 13 through midnight on June 12th, the secretary reported that 90,503 people took part in the survey.
However, in the final hours of the election on Wednesday night, there were complaints from bill supporters that the number of” No” votes had risen to 20,000, which appeared to be a coordinated operation. Due to Wednesday, they said, opinions , had been running close to 50: 50.
Padipat Suntiphada, the deputy speaker of the House, said the benefits may be criminal and he wants to take a second glance.
” I have requested that I check the IP addresses and any abnormalities that may have occurred on the website, as well as the legal authors ‘ thoughts.” I will remind everyone of the information quickly”, Mr Padipat, a former part of the Move Forward Party, wrote on his X accounts on Thursday.
The draft bill was proposed by Poonsuk Poonsukcharoen, of Thai Lawyers for Human Rights, and was seconded by 36, 723 individuals. It was submitted to congress for attention.
It aims to support relevant cases that date back to the day of Gen Sonthi Boonyaratklin’s revolt against the Thaksin Shinawatra government on September 19, 2006.
A commission would be established to review the cases and decide which ones would receive immediate parole under the proposed legislation. These may include violations of the 2016 election rules, National Council for Peace and Order orders, and the Lese-majeste law. Essentially, the latter forbade opposing viewpoints on a law written for the military.
The review council had include 19 people, including the legislature leader, opposition leader, chief whip, staff of all political parties and representatives of the people facing legal behavior since the 2006 revolution.
Nonetheless, the bill does not apply to state officials who conducted increased pressure in rallies and those who violated Section 113 of the Criminal Code.
Section 113 pertains to acts of using force or threats with the intent to change the constitution, overthrow the legislature, government or judicial powers, divide the Kingdom of Thailand or seize administrative power.
The survey’s results were heeded by independent academic Pat Hemasuk, who urged all political parties to take into account the findings, noting that the majority of people do not want wrongdoers to be punished.
In addition, he also warned the ruling Pheu Thai Party that if it made the decision to continue with the amnesty request, it might lose seats in the upcoming general election.
Pheu Thai’s stance on the amnesty proposal is being closely watched as Thaksin Shinawatra, widely seen as the party’s de facto leader, now faces lese- majeste and computer crime charges.
According to reports, Thaksin has petitioned the Office of the Attorney General for” fair treatment” and claimed that the police who handled the initial complaint in 2015 were pressured by” those in power at the time” — a reference to the military regime that carried out a coup in 2014.
Faiz Azmi appointed new SC Malaysia chairman as Awang Adek Hussin retires
- Since June 2022, Awang Adek has served for a two-year name.
- Faiz Azmi is a board member of the SC and previously served as the professional president of PwC.
Awang Adek Hussin will retire as chairman of the Securities Commission Malaysia (SC ) with effect from June 15th, 2024.  , He will be succeeded by Mohammad Faiz Azmi ( main pic ), former Executive Chairman of PwC Malaysia, who will assume the role on 16 June 2024.  ,  ,
Mohammad Faiz has been a part of the SC committee since August 15, 2023, and he has taken that position. Awang Adek ( pic ) thanked the government, including the Ministry of Finance, the capital market sector, and a number of stakeholders for the support they provided him during his two-year tenure, and expressed the hope that Mohammad Faiz will receive the same support.  ,
Awang Adek made a significant contribution to the growth of the Indonesian investment sector, which the SC Board expressed its appreciation for.
Commander shunted over unfair salary deductions
PUBLISHED: 13 Jun 2024 at 18: 54
In a pending investigation into alleged conclusions from troops ‘ pay for utilities and other products, including a septic tank pumping fee, the Royal Thai Army has transferred the commander of a training system in Nakhon Ratchasima to its northeastern office.
Information of the expenses that were charged to a new soldier under the 2nd Army Support Command in Nakhon Ratchasima were made public by a Twitter website named E- Sol Khayee Khao 3 ( E- Sol crushing information ).
The post showed the conscript’s financial summary for the past 42- day cycle which revealed his earnings of 10, 990 baht and expenses of 6, 280 baht.
Among his expenses were costs for camping gear and his uniform, cleaning equipment, meals during a long- distance walk, alcohol and an ATK test kit, and a septic tank pumping fee. The latter cost 500 baht.  ,  ,  ,
Jirayu Houngsub, the spokesman for political affairs for the Defence Ministry, responded on Tuesday, stating that the salary deductions, including those related to the septic tank fee, were confirmed to be true.
Around 100 recruits were enlisted in the 22nd Transportation and Service Battalion unit, where this particular conscript was enlisted to train and join.
According to Mr Jirayu, the unit was found to have charged such expenses.
Lt Gen Adul Boonthamcharoen, the 2nd Army Region Commander, said the army had more than 200 new military training units but none have collected the septic tank pumping fee.
The relevant officers have been summoned for questioning, he said, adding that if violations were found within any units, wrongdoers would face disciplinary action.
Lt. Gen. Adul claimed that he initially ordered the transfer of Col Achawin Akapin, the 22nd Transportation and Service Battalion commander, to a post inactive at the 2nd Army area headquarters pending a probe.
Lt. Gen. Adul claimed that some of the information contained in the documents was true while others were false.
Defence Minister Sutin Klungsang claimed that the ministry had previously issued orders forbidding any deductions from soldiers ‘ salaries for non-official expenses.
” This is something that should not have happened. It is unacceptable”, Prime Minister Srettha Thavisin said.
Mr. Sutin emphasized that one of the ministry’s priorities is to ensure that enlisted officers will earn between 10,000 and 10,000 baht per month. This is in line with the government’s plan to raise the minimum wage for new hires.
” I demand that those responsible for this matter will be held accountable and punished,” said Mr. Sutin.
” Units nationwide have been mandated to the military inspector-general.” So far, there have been no reports of similar issues. Strict measures will be implemented”, he said.
” But some units may still have misunderstandings”, he added.
Fake powdered milk from Vietnam seized
According to authorities, online advertising with exaggerated claims compelled customers to purchase products.
PUBLISHED: 13 Jun 2024 at 18: 49
In a raid on a warehouse in Samut Prakan, buyer protection officers seized 18 million baht worth of illegally imported powdered dairy products, as well as six migrant workers.
Pol Maj Gen Witthaya Sriprasertparb, CPPD captain, said during a media briefing on Thursday that he had seized 41 items of information, along with about 20 000 cans of powdered cheese and other foods supplementation products from the inventory in tambon Bang Khru of Phra Pradaeng area.
The FDA intervened after the FDA discovered a website that promoted powdered milk and claimed inflated benefits. It claimed that the goods were New Zealand’s No. 1 best seller and had been FDA-certified in the US. The ads were posted on numerous social media websites.
Police investigators discovered the goods were kept at a warehouse in Phra Pradaeng, where they found 12, 625 bottles of powdered cheese from eight different businesses, 1, 776 substitute products for children, 3, 660 items of unregulated medicines and 95 supplement products.
When police searched the warehouse, they discovered six migrant workers from Laos and Myanmar packing goods. All were detained and accused of conspiring to sell unregistered goods and operating without permits.
Vietnamese nationals are responsible for the smuggling of the products from their country, according to Pol Col Veeraphong Khlaithong, superintendent of CPPD sub-division 4. Before selling them online, they rented buildings to store the goods.
” Interested people are required to fill out their names, addresses and phone numbers on the website”, he said. The potential buyers are then contacted by the sellers via phone to persuade them of the goods ‘ qualities and to encourage further purchase.
The sales staff will contact the customers about the results of using the products and will provide additional products for sale about two or three weeks after receiving the products. Each month, 3, 000 to 6, 000 purchase orders are made”.
The powdered milk and other supplement products were sold at 1, 090 to 1, 190 baht a can.
According to investigators, the Vietnamese producers of the goods traveled to Thailand once a month to review the operation. Additionally, they kept abreast of Thai authorities ‘ warnings about uncertified powered milk products.
According to police, if they found out that their products were at risk of being inspected, they would immediately move their products to other storage facilities to avoid legal action.
Weerachai Nalawachai, the deputy secretary-general of the Food and Drug Administration, displays a can of fake powdered milk during a Thursday briefing. ( Photo supplied/Wassayos Ngamkham )
Cannabis advocates vow long rally against relisting
Group leaves health minister’s meeting after coming out of his purview for being too restrictive
PUBLISHED: 13 Jun 2024 at 18: 15
Cannabis supporters have pledged to hold a lengthy march the following month to protest the Ministry of Public Health’s program to reinstate the plant as a narcotic.
After its members walked out of a meeting on the subject with Public Health Minister Somsak Thepsutin on Wednesday, Prasitchai Nunual, writing Thai cannabis’s public minister, announced the organization’s intentions.
Prior to the conference, the group had been pressing the minister to pass a law governing the possession of marijuana and to establish a committee to conduct a study to determine whether a distinct cannabis act is necessary to manage the plant’s use.
The use of the plant may be governed by the Criminal Code, which imposes severe penalties for cannabis-related offenses, without a separate cannabis work.
Two years ago, cannabis was removed from the drug list without right laws governing its usage. The result was a rise in recreational marijuana use and the beginning of tens of thousands of stores all over the country that sold cannabis and related goods.
Prior to the previous government’s unsuccessful attempts to pass a cannabis costs, Prime Minister Srettha Thavisin has taken a tough stance and insisted that cannabis may be back on the cocaine record before the year is out.
Mr. Prasitchai urged the government to abandon its program to reclassify the factory as a narcotic, with the exception of situations where it could be demonstrated that legalization or decriminalization had been opposed to the interests of the people.
An hour into the conference, Mr Prasitchai and other members of the group staged a protest.
According to a cause close to the subject, he claimed Mr. Somsak was being too forceful on the agency’s announced walk and refusing to compromise.
Patients may experience
Prior to departing the meeting, Mr. Prasitchai warned that Prime Minister Srettha Thavisin may ask at least 10,000 people who use traditional medicine based on cannabis to find justice.
If hemp is recriminalized, he said, and he warned that if Mr. Somsak had his way, people may not be able to increase the flower in their backyards for personal use.
Again marijuana is reclassified as a Category 5 drug, it can only be grown and harvested on a huge scale for medical and research purposes.
Critics claim that the plan essentially places the business in the hands of large corporations because such ventures are capital-intensive.
Mr. Prasitchai claimed that a particular businessman with close ties to a political party was considering starting a similar venture. He declined to expound.
He labeled as “scaremongers” those who made “fictitious” states and tales about people losing their sanity from cannabis use.
Before convergent on July 8 for a long march close to Government House to demand that cannabis laws be enforced in a way that is fair to the people, the network has vowed to stay lower for a while.
However, Mr. Somsak claimed that at least two governmental regulations would be required to outline legitimate methods for growing cannabis for medical and research purposes, which would require a license. These regulations would also need to be issued.
He forbids medical marijuana use for outdoor purposes.
” That’s where the problem lies. People smoke marijuana in open spaces, and those who are close to them are alarmed by the taste, the minister said.
The permanent secretary for public health, Opas Karnkawinpong, confirmed the president’s plan to boycott the personal production of the flower for personal use.
Officers sidelined after oil-smuggling boats vanish
Three seized vessels that left the officers wharf in Sattahip are thought to be still in Thai lakes.
PUBLISHED: 13 Jun 2024 at 18: 01
In connection with the removal of three ships carrying 330, 000 litres of smuggled fuel and 18 crew members from a sea police wharf in Chon Buri, five police officers have been moved to inert positions.
The arteries are still being looked for, according to reports that they are connected to a significant oil criminal in southern Thailand. Police say they are heading for Vietnamese waters, but they may not have already made it that far.
A fact-finding committee has been established by the Central Investigation Bureau ( CIB ) to find out how three of the five vessels that were seizeable in an oil smuggling case disappeared early on Wednesday from the pier in the Sattahip district.
The payments of the officials are intended to maintain an honest and thorough research, according to older officers.
The analysis was divided into three groups, according to Pol Maj Gen Jaroonkiat Pankaew, the CIB deputy director who traveled to Sattahip to lead it. The missing ships and their crews were identified, and a control center was established to find the vessel owners to find the cause of the departure.
The three lost boats are probably still in the Gulf of Thailand, he said on Thursday, adding that they have not yet reached neighboring nations. ” That’s because they have fuel crew, allowing them to travel at a rate of just 7 to 8 knots. It may take about 15 hours to travel the 240 nautical mile radius to the neighboring nation.
The CIB director, Pol Lt Gen Jirabhop Bhuridej, signed an order on Thursday to assign the five aquatic authorities officials to inert positions at the CIB activities center.
The soldiers are Pol Col Intarat Panya, Marine Police Division 5, Pol Lt Col Ajin Wangwatthana, Division 5, Pol Lt Col Kobchai To-on, a Division 3 investigator, Pol Sgt Maj Thammarat Lekmontra, Division 5, Sub-Division 3, Division 5, and Pol Cpl Apichart Channu, Division 3 club leader, Marine Police Sub-Division 3, Division 5, and Pol Lt Col Ajin
Scorching heat in China is hurting summer crops, ministry says
BEIJING: The agriculture ministry reported on Thursday ( Jun 13 ) that the sweltering temperatures and drought are having a negative effect on summer planting. This year, temperatures are expected to reach record highs in some parts of China, which will prompt notifications and actions from regulators to lessen theContinue Reading
Fret not Delhi, Dhaka’s surely not in Beijing’s orb – Asia Times
For years, Sino- American competition for influence over Bangladesh has been a tough- driving pressure in South Asia’s geopolitics. As a cousin of India and a coastal state of the Indian Ocean, Bangladesh has often been embroiled in the conflict, and consequently, both Beijing and New Delhi have sought to expand their control over the country, often at the other’s expense.
Since the late 1950s, Bangladesh, known as East Pakistan between 1947 and 1971, has been a geopolitical battleground between the dragon ( China ) and the elephant ( India ). East Pakistan was in the Foreign circle at the time that Pakistan and China forged close relationships.
But, after Bangladesh’s independence in 1971, the country’s international policy was based on the maxim “friendship to all, malice towards none”, and adopted a no- aligned, non- aggressive and positively natural foreign policy. So, the nation has successfully balancing and maneuvering their strategic competition with both India and China while maintaining rational and cooperative relations with both.
Despite this, many American analysts <a href="https://www.oneindia.com/international/chinas-growing-role-in-bangladesh-raises-concerns-for-india-us-3722347.html”>have expressed concern about the potential integration of Bangladesh into China’s sphere of influence. However, this is a total interpretation of Dhaka’s foreign policy, so it is necessary to respond to this claim from a balanced and objective perspective.
Second, under customary international law, Bangladesh is a sovereign, independent state, and as a result, it is fully able to conduct its international politics without interference.
Bangladesh has complete freedom of action over its foreign policy, both legally and morally, as long as its actions do n’t violate any of the UN’s ( UN) Charter’s provisions. No other state has the legal authority to obstruct negotiations between Bangladesh and any other country, including China, and Bangladesh has the right to do so.
Although Bangladesh has complete freedom to pursue its foreign policy, it is apparent that India may make an effort to increase its security and therefore feel a certain way about China’s involvement in its immediate vicinity. However, New Delhi may know that Dhaka’s collaboration with Beijing is not directed against any other condition, including India.
Bangladesh’s partnership with China aims to meet its own development needs, and it is solely concerned with its inside development. The Indians should keep in mind that Dhaka has consistently demonstrated its civility to New Delhi while taking into account India’s safety concerns.
For instance, Dhaka has interdicted north Indian rebel leaders to India, extradited them to India, and resisted putting the strong seaport project in Sonadia Island, which is supported by China, into operation.
American analysts frequently classify certain Chinese initiatives and projects as potential risks to Indian interests. These include the possibility of providing US$ 5 billion in Chinese loans, Chinese-backed infrastructure projects, the development of a Chinese-financed underwater center in southwestern Bangladesh, and the upcoming Sino-Bangladesh military training.
When you examine these tasks and activities closely, it becomes clear that none of them are directed at India or interfere with American security or other interests.
First, Bangladesh wants to borrow$ 5 billion ( at an interest rate of 1 % ) from China to pay for its expenses and the purchase of raw materials. American passions are unaffected in any way by this. Because China is the only state that will lend to Bangladesh at for a low interest rate, Dhaka is requesting this product from Beijing.
Dhaka would have been happy to accept India’s credit if it had been willing to lend a$ 5 billion loan to Bangladesh at a 1 % interest rate. Some researchers may worry that Bangladesh is falling into a “debt trap” in China, but another foreign experts contend that Dhaka has a wealth of knowledge and minimal risk of default.
Next, some Indian experts worry that China is developing network in Bangladesh close to the Siliguri Corridor to defame India. These problems, too, are false. It should be remembered that Bangladesh is an” India- locked” position and among 64 Bengal towns, 30 share edges with India.
Bangladesh, it is undoubtedly entitled to all of its border districts to have equipment projects, and it has the right to choose which state to invest in them. Additionally, none of the jobs China is implementing in Bangladesh’s border towns are focused on the defense.
Additionally, China does not have the right to stop soldiers or military technology on Bangladeshi place, and upon the completion of these projects, these infrastructures may become controlled by Bangladeshis, not the Chinese.
Additionally, there is no treaty signed between Bangladesh and China regarding Chinese troops ‘ use of Bangladeshi territory during combat. Accordingly, in case of a war between China and India, China would not be able to use these infrastructures.
In addition, Bangladesh has shown goodwill toward India by providing the country with transit and transshipment facilities because the Siliguri Corridor does not allow India to access its northeastern territories in sufficient numbers.
Other Indian analysts are concerned about China’s$ 1 billion investment in the Teesta River Comprehensive Management and Restoration Project. It should be noted, however, that the Indian- implemented Teesta Barrage Project has created a serious water crisis in Bangladesh, and Dhaka’s efforts to resolve the issue diplomatically has met with failure.
However, the river has a significant economic impact for five northern Bangladeshi districts that have 22 electoral constituencies and have more than 10 million residents. Therefore, the restoration of the river is a significant internal political issue that affects the careers of numerous local politicians. This project, in no sense whatsoever, represents a threat to Indian interests.
Third, China has been Bangladesh’s largest source of military equipment since the late 1970s, primarily because of the low cost, ease of maintenance and relative efficiency of Chinese weapons. This, in itself, does not pose any threat to India.
Bangladesh also imports weapons from a number of other states including Russia, Turkey, the United States, the United Kingdom, Italy, France and Serbia, and is currently looking to further diversify its sources of arms. Bangladesh has also stated that it wants to purchase some military equipment from India.
Fourth, China has contributed money to the construction of Cox’s Bazar’s first submarine base, the BNS Sheikh Hasina, which will have the capacity to house six submarines and eight warships. Bangladesh has purchased two Ming-class submarines from China and is likely to purchase more naval vessels from the nation, so China has provided funding for the project.
The Bangladeshi government’s” Forces Goal 2030″ includes the transformation of the Bangladesh Navy into a ‘3D force, as well as the construction of the base and the acquisition of submarines. This is crucial to ensuring Bangladesh’s maritime security, and it is again no threat to India because of both Bangladesh’s hostile intentions toward any of its neighbors and India’s significantly larger submarine fleet.
The Chinese People’s Liberation Army- Navy ( PLA- N ) will not be able to enter the base, despite China having funded the construction of the base. Moreover, Bangladesh opted for Chinese submarines because of their low price. Bangladesh reportedly had negotiated with India and Russia for the acquisition of submarines before engaging in negotiations with China.
Interestingly, India did not sell submarines to Bangladesh but later sold a Kilo- class submarine to Myanmar. Therefore, Bangladesh’s purchase of Chinese submarines and China’s financing of a Bangladeshi submarine base are purely commercial transactions unrelated to India.
Finally, the potential Sino-Bangladesh joint military exercise is a logical extension of the two states ‘ already-existing defense partnership and does not pose any real threat to India. It is its sovereign prerogative to conduct similar exercises with China and regularly participates in joint military exercises with India, the US, and the UK.
Last but not least, the Indian media has implied that Bangladesh’s positions on Tibet, Taiwan and the South China Sea is a result of Chinese coercion. Nothing is further from the truth, however.
It is illogical to suggest that Bangladesh does the same owing to Chinese coercion since Tibet itself recognizes Tibet as a part of China and adheres to the” One China” policy. Bangladesh does not have a significant stake in the disputed region in terms of the disputes in the South China Sea. Accordingly, its Indo- Pacific Outlook suggests ensuring peace and prosperity throughout the region.
Dhaka’s foreign policy is examined carefully and objectively to determine whether it intends to achieve its goals of maximizing its internal development through foreign policy initiatives while preserving its sovereignty and independence from external influences.
Dhaka, as always, has no intention or interest in provoking any other state, not least one that is close to India. Instead of embracing the dragon and the elephant, Bangladesh is open to developing and maintaining positive relationships with both.
Md Himel Rahman is a freelance analyst with a focus on international and strategic affairs based in Dhaka. His articles have been published in The Interpreter, The Diplomat, South Asian Voices, The Geopolitics, Eurasia Review, The Daily Star, The Daily Observer, Dhaka Tribune, and other platforms.
European dairy, pork producers wary of Chinese retaliation for EV tariffs
” If you have more trade barriers, it could lead to the reshuffling of global areas,” said Kimberly Crewther, senior director of the official figure Dairy Companies Association of New Zealand. The cheese industry’s top exporter in the world is New Zealand, which also serves as a hub for foreignContinue Reading