I teach cybersecurity. And I genuinely don't know what to tell my students after this one.

Federal reviewers spent years trying to get basic encryption documentation from Microsoft for its GCC High government cloud. They couldn't get it. One reviewer called the system a "pile of spaghetti pies," with data traveling from point A to point B the way you'd get from Chicago to New York: a bus to St. Louis, a ferry to Pittsburgh, and a flight to Newark. Each leg is a potential hijacking. They knew this. They said this out loud in writing. Then they approved it anyway in December 2024, because too many agencies were already using it.

🔐 That's not a security review. That's a hostage negotiation.

Two things in this story should make every CISO and CIO uncomfortable:

🧩 Microsoft built its federal cloud on top of decades of legacy code that it apparently can't fully document itself
👮 "Digital escorts," often ex-military with minimal software engineering backgrounds, are the firewall between Chinese engineers working on the system and classified U.S. networks 🤦🏻‍♂️

The scariest line in the whole ProPublica investigation isn't the "pile of shit" quote. It's this: FedRAMP determined that refusing authorization wasn't feasible because agencies were already using the product. Read that again. The security review process reached a conclusion based on sunk cost, not risk. Ex Post Facto Fallacy

If that logic holds, the compliance framework is just documentation theater. And right now, CISA is being hollowed out, so there are fewer people left to even run the theater.

https://arstechnica.com/information-technology/2026/03/federal-cyber-experts-called-microsofts-cloud-a-pile-of-shit-approved-it-anyway/
#Cybersecurity #Microsoft #FedRAMP #Leadership #RiskManagement #security #privacy #cloud #infosec

Federal cyber experts called Microsoft's cloud a "pile of shit," approved it anyway

One Microsoft product was approved despite years of concerns about its security.

Ars Technica
@brian_greenberg the government has always been years behind in defense and right at the edge in offense. Guess what's easier?
@brian_greenberg
Critical support to Microsoft for undermining the US gov!
@brian_greenberg Satya Nadella is getting prime usage out of the documents Bill Gates gave him about Trump in the Epstein Files, I presume. I presume Bill Gates gave them those documents in an "In case of emergency, break glass" way, but instead...he's using it to get the U.S. government to say "It's not the best choice, but we can't *not* use it."

@brian_greenberg Alternatively, seeing this:

"FedRAMP’s ruling—which included a kind of “buyer beware” notice to any federal agency considering GCC High—helped Microsoft expand a government business empire worth billions of dollars."

...That makes me think that we're about to find out that they "Put the warnings after the spells."

@brian_greenberg AI-written post
@brian_greenberg you do not have, like, any of your own voice in this post at all. you just shat this out with Claude or whatever. you should feel embarrassed trying to get other people to read this
Federal Cyber Experts Thought Microsoft’s Cloud Was “a Pile of Shit.” They Approved It Anyway.

A federal program created to protect the government against cyber threats authorized a sprawling Microsoft cloud product, despite the company’s inability to fully explain how it protects sensitive data.

ProPublica
@aires I'm referring to OP's commentary over the link to the article, which is written by AI.
@tael Ah, nevermind then. Sorry!

@tael @brian_greenberg how do you come to the conclusion it's "#AI"?

  • Emoji usage??
@kkarhan How do you not?
@tael no seriously, Emoji usage is not a clear indicator on its own.
@kkarhan You're the one assuming it is based on emoji usage.
@tael and how did you come to the conclusion it's #AIslop?
@tael Hey @brian_greenberg , any comment on that?

@richlv @tael .. what? that I like emojis 🙃

... and who doesn't use AI to assist in writing, whether it's Grammarly, Claude, or spell-check?

@brian_greenberg @tael Who doesn't use AI to write? Most people I respect, I guess :)

Spellcheck is not "AI".

@brian_greenberg You are supposed to disclose AI-generated content.
@brian_greenberg I am going to be sooooo mad if we have to bring it all back in house... Well, my workplace probably won't. But yikes 🫠 I am afraid of how cooked our infrastructure is 😵
@brian_greenberg Social engineering is the ultimate tool to break any security.
@brian_greenberg THANK YOU for saying this out loud and explaining it so clearly.

@brian_greenberg

It'll be OK. They're replacing those decades of badly understood, flaky legacy code with gobs and gobs of vibecoded AI slop....

@brian_greenberg
Continue to teach your students that security review is not based on others' usage but on the evidence of proof.
Don’t put sensitive data in the hands of someone else outside of your control
@brian_greenberg I'm hardly surprised. I'm forced to use MS Outlook for my .gov e-mail account, and I'd call it the worst piece of software I've ever used except that I sometimes have to also use MS Teams. And every time I curse Outlook, I think, how does the agency even try to migrate to another platform when the contract expires?

@brian_greenberg "“BOOM SHAKA LAKA,” Richard Wakeman, one of the company’s chief security architects, boasted in an online forum"

"Oh tell me about your portfolio...oh yes yes..."

"What do I do now?"

"Old style? You roll over and go to sleep. New style, you go out to get pizza and I never see you again."

@brian_greenberg @revk refreshing to see some honesty at last in the whole "certification" space in general

@brian_greenberg

could it be intentional?

that is, the cover of incompetence to ensure the systems are intentionally weak, enabling easier surveillance by the usual agencies?

@brian_greenberg

Quoting the adoption level as being the "reason" for the approval. Yeah here's another one, "Deciding not to use turn signals or wear safety belts while operating motor vehicles is the new rule 'cuz all the other .gov agencies have adopted it".

@brian_greenberg yes? Welcome to Compliance?

I mean, you really believe it was useful? Go ask most Software Engineers or Safety Specialists... we could have told you so. There is unending research on this. Most Compliance stuff does not work that well.

Note that I am not saying we should not regulate. But yeah. Welcome to reality I guess.

@brian_greenberg

it's no different in private/large companies. we'd all like to think FedRAMP is more rigorous but the reality is that it's merely more specialized and cumbersome in the qualification and bid process. results aren't noticeably better.

the old saw "no one ever got fired for buying IBM" still applies. it's just a different list of vendors, including microsoft.

one root cause is the MBA philosophy of "cost reduction over all", apparently even over competent risk mitigation or domain expertise advice. add in the widely held belief that you can't build software to meet your needs cheaper than microsoft or google. while centralization has made that somewhat true, we need to stop blindly just accepting that.

@brian_greenberg Yet people call me "paranoid" for rightfully pointing out that #Microsoft can't comply with #GDPR & #BDSG because that would necessitate them being able & willing to violate #CloudAct.

@kkarhan @brian_greenberg @bsi @EUCommission @Bundesregierung It's the same in Europe as in the US: everybody knows that they can't comply, but no legislator has the courage to say it out loud, because everybody started using it through the Office suite and now it's everywhere.
@brian_greenberg Maybe we shouldn't put our healthcare data on there.
#france #healthdatahub