And from the WTAF dept, quite a bombshell from ProPublica today:

"Microsoft is using engineers in China to help maintain the Defense Department’s computer systems — with minimal supervision by U.S. personnel — leaving some of the nation’s most sensitive data vulnerable to hacking from its leading cyber adversary, a ProPublica investigation has found."

"The arrangement, which was critical to Microsoft winning the federal government’s cloud computing business a decade ago, relies on U.S. citizens with security clearances to oversee the work and serve as a barrier against espionage and sabotage."

"But these workers, known as “digital escorts,” often lack the technical expertise to police foreign engineers with far more advanced skills, ProPublica found. Some are former military personnel with little coding experience who are paid barely more than minimum wage for the work."

https://www.propublica.org/article/microsoft-digital-escorts-pentagon-defense-department-china-hackers?utm_source=bluesky&utm_medium=social&utm_campaign=propublica-bsky&utm_content=7-15

A Little-Known Microsoft Program Could Expose the Defense Department to Chinese Hackers

The Pentagon bans foreign citizens from accessing highly sensitive data, but Microsoft bypasses this by using engineers in China and elsewhere to remotely instruct American “escorts” who may lack expertise to identify malicious code.

ProPublica
@briankrebs And we thought the "Sovereign Digital Solution" would be a typical German problem 🤪 🤪 🤪

@masek
No, it's a capitalist/neo-liberal problem.

In any sane world the government would operate security sensitive infrastructure with its own expertise internally.

And concerning Microsoft, at the latest after the embarrassing email incidents that demonstrated that MS is not capable of maintaining a secure environment, there should have been consequences for any security-related contracts/tenders.
@briankrebs

@yacc143 The word "sane" is bearing a lot of load in that sentence 😄 @briankrebs

@masek @briankrebs No, it's the recognition that when it comes to certain things like security (or bodily safety, or especially national security), it's not something that you can outsource and rely on civil law to enforce the contract.

Simply because the court cannot make you whole again. It's a perfect example of “imminent danger”, where you would ask a court to act before anything bad can happen.

So yes, if a government outsources security critical infrastructure to an external provider, what are they going to do, if the provider fucks up? In practice, nothing.

And think about it: even a “non-classified email system” is actually highly security-relevant, due to its nature, since indirect stuff goes over it.

And my personal evergreen is all these cool "management" systems (I mentally call them "commercial" RAT and C&C server services, with a nice legal contract, prepayment, and no need to buy bitcoins).

Even if everything works as advertised, you are running something that quacks like more or less impressive ransomware, but this time they sent a phishing email to your CIO/CISO, not to some unsuspecting users, and used a nice presentation as the payload, about how it helps to lower costs.

Accountability, meanwhile, quickly approximates $$ e^{-n} $$ for n towards infinity.

Ask the CIOs that signed contracts with CrowdStrike how that worked out for them. It caused two-digit billions of damage; the "damages" that CrowdStrike is willing to "pay" are $80 millions of product credit.

(Are there projections of how much damage $80m of CrowdStrike software can do?)

And CrowdStrike insists in the Delta lawsuit that even if it's legal and they lose, their contract limits them to single-digit millions in damages. Delta had damages of $550m.

Whets your appetite for outsourcing critical functions to some shiny 3rd party, doesn't it?

Please note that all these "management" systems tend to run their local agent as "administrator/system" or "root" (or even as a kernel-level module), and because these companies cannot resist bragging ("We bagged 100 of the Fortune 500"), they are basically advertising themselves as interesting entry points for advanced threats, e.g. state-level ones that can afford to send in sleepers for 2-3 years, who then gain access to whole fleets of internal systems at a sizeable chunk of the Fortune-N selection, plus 1000s of other companies.

And practically all of these, no matter how clever the architecture, the cryptography, etc. is, implicitly trust closed-source updates done by people we know nothing about.

Oh right, we just found out that MS uses very trustworthy Chinese nationals as engineers for the US government cloud, who are supervised by even more trustworthy Americans who sadly often have absolutely no idea about IT. 👍

That's very friendly of MS, saves Chinese intelligence all the bothersome work of planting Western looking sleeper agents.