Posted on 07/12/2023 7:59:45 AM PDT by Right Wing Vegan
At this point you can assume that China and Russia have people working at the big tech companies and the data is being pipelined along with the NSA.
At what point will Microsoft be viewed as the national security risk that it is? What would have to happen? (Haven’t such things already happened?)
A POTUS should make an executive order instructing all U.S. agencies to move all government cyber operations and data off of private companies’ cloud systems, establish and protect their own.
Bkmk
No, that makes too much sense.
**U.S. government safeguards** identified an intrusion in Microsoft’s cloud security.
Yeah that’s the ticket the Chinese did it.
As long as one is using the Internet, stolen credentials will ALWAYS be an issue, no matter who manages security.
The issue is packets going through routers and connections between third parties that cannot be managed by first parties.
There are no systems using TCPIP on the internet that don’t use credentials (user-name, password, and alternate measures-phone, text, call, secret questions, whatever). While these systems are better than just username/password, they can be spoofed.
https://www.computer.org/publications/tech-news/trends/what-is-modern-authentication
Cloud-based systems are better for security—they have more, not less protection, 24/7 HUMAN monitoring of systems and expert groups of thousands that can mitigate and stop attacks.
Having been in the military for 22 years doing cyber security and communications system (Univac, PDP/Vax Ultrix, TCPIP) worked on DDN, then MilNet, and Internet I can tell you there are very few at the working DOD level who do better security—unless the systems are unplugged. I then spent the next 26 years as an MCT and CompTIA instructor.
The problem with unplugged (meaning non-routed communications cut off from Internet TCPIP processing) is the need so many have—even government—to connect to third party customers, clients, data sources and even the public citizen.
The government has separately routed systems that use TCPIP but are not connected to the public Internet for classified communications/processing. But I have seen people put a SIPRNet connection on a server plugged in to the public network. Only a government worker (or contractor at a gov facility) can do this level of FUBAR.
“As long as one is using the Internet, stolen credentials will ALWAYS be an issue, no matter who manages security.”
I worked for a major global corporation, consulting for/with them. Everything internal was behind a firewall on their own systems inside what is called an Intranet - use of everything that can be done “Internet” style, but dedicated on a closed corporate system.
Outside access to the “world wide web” was restricted first based on a user’s security and then the user had to log out of their Intranet and go through their corporate VPN to use a restricted dedicated “outside-the-company” access using communications lines walled off from everything inside the company. The latter method was constantly being tested by their global cyber security experts to detect holes in the “outside” connectability that could let intruders come in via that route. Our government agencies can all do the same thing, they most often need a secure Intranet more than the “world wide web” and with a firewall between the two they can monitor and prevent “back door” cyber access. In some situations more than one agency (like the DOJ and its FPI dept, or Treasury and IRS) could share an Intranet system.
That was my point, as this is exactly what the big cloud vendors are doing, but on a massive scale.
Not just a few, or even a dozen global security experts, but thousands. No other single company has more of these experts than Microsoft--as much as people hate them, their real specialty is business services.
But do understand how packets work. They still hit the firewall, and can be wrapped in http/https/smtp and other normally allowed protocols. The point of compromise is those allowed packets. They can then be used to authenticate a compromised account or simply inject code or stop normal service.
There is no foolproof firewall on the Internet. The only way to completely protect is to unplug it.
And don't trust big government. More than half of the attacks going on at any moment are being committed by big governments.
“That was my point, as this is exactly what the big cloud vendors are doing, but on a massive scale.”
I don’t trust them and I want govt to host its own systems and to fire folks when they fail to keep it secure.
“But do understand how packets work. They still hit the firewall, and can be wrapped in http/https/smtp and other normally allowed protocols.”
We understood that and no packets passed across the Internet-Intranet barriers without being “unwrapped” and deconstructed contents inspected in multiple ways.
“There is no foolproof firewall on the Internet. The only way to completely protect is to unplug it.”
Yes. And that is why they ran totally separate VPN comm lines, globally, for the Intranet and Internet access and the “bridge” between them, anywhere in the company, comprised 90% of the cyber security effort. Also, having the Intranet and restricted Internet access minimized that traffic as well.
Good. Again, these are services and practice that are always applied to you by the cloud vendor.
We’re not really disagreeing on the actual way the stuff works, just who has the most resources to provide it.
The Air Force doesn’t make its own airplanes, those are contracted out to vendors. Same with all manner of government data and communications systems.
For getting your critical and sensitive communications OFF the internet, you can also use ExpressRoute with Azure.
ExpressRoute enables you to extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. This connection is private. Traffic doesn’t go over the internet. With ExpressRoute, you can establish connections to Microsoft cloud services, such as Microsoft Azure, Microsoft 365, and Dynamics 365.
This is NOT a routed (using TCPIP) connection. It relies on a third party—through a commercial communications provider—usually fiber from a business’s demarcation point to Microsoft’s physical internal network.
https://learn.microsoft.com/en-us/azure/expressroute/expressroute-introduction
We don't even fire--or punish--high-ranking FBI government employees when they deliberately lie on a FISA court warrant, commit provable election fraud, or lie about gain-of-function experiments and duplicity with Enemy China that killed millions of people globally...
Do not trust the government, and less so than even a woke company.
“The Air Force doesn’t make its own airplanes, those are contracted out to vendors. Same with all manner of government data and communications systems.”
We always divide the ideas of buying things we can use from “services”, and our philosophy on services is - especially if you are the government - you can buy the equipment you need AND you can HIRE the talent to run the equipment, and that combination allows you to control and secure the security of that equipment yourself.
The idea that the “cloud” is inherently bigger and therefore can afford and perform services “better” than the U.S. government misunderstands (1) how massive the federal government is and (2) once you reach a certain internal scale of things “outside” is not more affordable than inside.
Having been part of that massive federal government, I can say... Not so. I do not misunderstand them, but rather understand them too well.
The scales have fallen off my eyes. I still love my country, but not the bureaucrats and politicians currently running its government.
It's been a real hard pill to swallow, given how much of my life I dedicated to it.
Let's agree to disagree.
...and then there are those Sandy Burger types.
A short time ago, Bill Gates was in China. Now we are learning the Microsoft Cloud has been compromised. Does anyone else not believe in coincidences?
Anyone thinking cloud based data is safe has their head in a cloud.