Microsoft said it lost weeks of security logs for its customers' cloud products

If you use Azure in any realistic production environments, then it's on you. Even with $100k in free credits, they couldn't convince me to use it for more than a month. It is expensive, the interface is highly user unfriendly and most important of all, their products don't at all seem reliable for production workloads because of stuff like this. Sorry Microsoft, I think you can do much better.

I was laughing recently when at some place they started to install MS software on all Linux machines to integrate them into Azure. At that point you should just stop and think for a while about it. Didn’t you go for Linux because you wanted to have a reliable system?

The MS security software (for better or worse), is better than any open-source linux solution, and can follow attackers as they move laterally through the network, instead of linux servers being a big black hole were adversaries can do as they please.

All security software from any vendor is going to have issues, and often you just have to go with whatever the company is running for the whole environment and not compromising security because of some jokes from the 90s

>I think you can do much better.

Not to be a troll, but I really think they cannot. The last "good" product they made was SQL-Server/Exchange/Windows2000, and that was a long time ago.

>and can follow attackers as they move laterally through the network,

That i wanna see ;)))

> and can follow attackers as they move laterally through the network

... which does not stop them from disrupting production and stealing your data. Your defenses are at the wrong place.

It does stop them, actually. It's not perfect, but it does work.

The joke from the 90s is the fact that people still use MS products and think they aren't compromising security. MS have had disastrous outcome after disastrous outcome with an uncountable amount of security holes. There's been an astronomical toll on the economy from their crappy software with no end in sight.

It really depends on what type of business you run and who will be building and maintaining the system. Azure gives the business the ability to integrate with other MS systems and has good sales teams who will hold your hand. If you are an ISV then it is not that important to you, instead you need specific SLAs, region support and an easy path for the integration. Overall nobody cares about small teams that count every penny and spend up to XXk a month on infra because they could spin up their openstack cluster at any moment and leave.

I agree there is room for improvement but your arguments are weak. The user interface (whoever is using it?) is questionable in AWS and in GCP as well, IMO it is because of the underlying complexity in all clouds. Reliability statement should be backed by the existing SLA, or is it some complaint that MS does not provide four/five 9s for every service? The bit about it being expensive depends on what you compare it with, AWS is notorious as well, every time you need something to build you do not know if that will cost 1k or 10k per month.

I am not some sort of Azure fanboi and love AWS but there are things MS is good at as well, however people hate that.

portal.azure.com developers are _proud_ to claim that they have the largest SPA in the world[0]. I hated every moment of using it.

[0] https://learn.microsoft.com/en-us/shows/visual-studio-visual...

When you come from other cloud providers, working with Azure has so many dark-orange flags. It feels totally inconsistent and patched together. This makes it hard for me to believe that anybody can properly audit it for security.

The most uncomfortable part is their log in. The amount of re-directs and glitches there are insane. Its hard to believe that it works as intended.

As an example, for some reason I could not download the BAA because trying to download it lead to a login loop on their trust website, while I was still able to see the Azure console ok in the same browser.

When I signed out of my Azure account to try if a fresh login helped, it did not trigger my 2FA at the next login. In my mind, if I actively logged out from a browser window, I withdraw my trust in that device. So not being triggered for 2FA is a massive red flag.

(no I still could not download the BAA, nor file a ticket for it, but somehow a colleague could download it ok.)

Just judging by the deteriorating state of the Windows OS...

I know these are different divisions, but it does say something about the culture. Windows has always been a dumpster fire, but when it was built by nerds and not managers, it felt more, uh, tolerable.

> It feels totally inconsistent and patched together.

I believe that multiple article, e.g. on The Register, has mentioned that people who have left the Azure team has routinely complained that the pace was to high, and that everything is pretty much duct taped together. This was years ago, so it may have changed.

While I can think of a few other, dotnet and Visual Studio, I think that you're generally correct.

Microsoft, Google and others, have created a culture that are no longer able to produce high quality solutions, because they can't focus on a single vision for their products. Or in some cases the vision does not align with creating good products.

SQL Server is a really good example, it's highly focused, it exists outside the current hype bobble, there's no advertising, no subscription, just a database server and it's a really good product. Exchange sucks, because it been pulled in to new subscription based world, and it's going to suffer for it.

>> Windows has always been a dumpster fire..

It was always a dumpster fire for security, but it did have a pretty good UI and functionality at say XP-SP3, but now the UX had been thrown on the fire too.

I remember enjoying using Windows 2000/XP but I feel like that's my nostalgia talking. I was customizing a new installation for days, messing with registry keys and obscure settings dialogs. It was never that user-friendly to begin with. After having used MacOS for the last few years, I do not miss the hassle.

To be fair, not a lot of things were user-friendly back then, and Windows was the standard consumer OS for a good reason. It was solidly OKAY.

Using the latest versions of Windows, however, is just infuriating even without any complicated setup.

Maybe it looks like a black hole to you - but there are open source operating systems with far better security practices than anything that came out of Redmond.

Absolutely not your nostalgia talking.

I’m as OS agnostic as they come and Win2k was the last true great desktop OS.

I now use FreeBSD almost exclusively, with miscellaneous VM guests.

dotnet is a mixed bag of good and bad.

VSCode catch on, but i would rather have Atom instead.

Exchange have beth broken before migrating to cod

> If you use Azure in any realistic production environments, then it's on you

its unfortunately decided by the higher ups, who just follows the hype train.

Please give us details, because this seems unbelievable.

Narrator: It hasn't.

This is wrong take on Microsoft. In their entire existence they couldn't do better and they will never be able to do so.

There is no incentive, as long as monopoly money from captures audience keeps rolling in.

> The joke from the 90s is the fact that people still use MS products and think they aren't compromising security.

Well, it's not like there are that many alternatives. macOS is out of the price range for public service and most large companies, in addition to a lot of specialist software not being available for macOS.

Linux has it even worse regarding application compatibility on desktop - and no, WINE is not an option, because the kind of software used in public services comes with strict stipulations where you can run it, sometimes down to minor versions, and if you violate that, the vendor can and will refuse support. For a lot of FOSS software, there isn't even commercial support available so it gets automatically off the list because companies actually want to pay people so that they have someone to talk to when they get issues. And that's before you hit the cost wall that is employee (re)training.

IMHO, it would have been the role of our governments to mandate MS get their shit together first before diving into AI and advertising crap.

I have had similar issues. And I know a fair amount about these systems, and still cant figure what the backend mess looks like that results in these problems. I found a reproducible login bug on Teams and spent a while trying to figure out who to report it to and gave up

I read that recently after their security breaches

All the Linux shops I know not using MS security are doing just fine and probably better given the current headline you’re commenting under

> but when it was built by nerds and not managers, it felt more, uh, tolerable.

The 'WIN32_LEAN_AND_MEAN' era. Ye. Way more relatable than todays malware riddled joke of an OS. It is too bad since the Windows 7 foundation seems OK.

You seemed to have missed my point entirely.

If your organization is running a chosen enterprise security solution, often fragmentation is not better, whatever your reasoning.

Yes, everything works better in a vaccum. You're not the first person to notice this.

The point is, that if your organization has chosen an enterprise security platform, you don't make exceptions because of ideology.

Mostly it’s the other way around: attackers follow MS „security software“ to get deep into your systems.

For a long time they were the leader in confidential computing and a few other specific things.

This is wrong. What you see as fragments are security boundaries for others.

The ideology here is „enterprise security platform“. This is marketing brainwash.

It's just basic EDR .. you have events that are flagged .. so on linux, let's say someone does something like setuid or setgid on a system file. Innocuous but potentially dangerous actions like this get flagged in the system.

These events are correlated against other actions that might have happened on the same system or other systems that the user had logged onto prior to this one.

Even if it's not the same user, the events are still correlated and alerted upon if suspicous. (both individually and holistically)

If users are using microsoft authentication for access, the accounts will be flagged and locked out, generally forcing users to fully authenticate with MFA and forcing a password change.

However: Micro$oft deserves _massive_ credit for biting the bullet and systematically improving their security posture post like IE7.

*nix started from a better _initial_ posture as it was multi-user, permissioned, and network-aware from the start (vs. corporate MS-DOS => single user => GUI => networked), but MS really doubled down on systematic improvements that Linux is only now going through.

See the recent CUPS fiasco, C-code from 1999 running as root, and the "stuck in the mud" mentality that Linux has because there isn't the appetite for consistent investment and wholesale overhauls.

It has to do with "activation energy" and "local maxima". Linux feels like it's reached the local maxima, and it's a pretty tall peak to start from, so we can't get over the hump to make a step-change or drop back to a hypothetical "POSIX 0.5" so we can pivot to a "POSIX 2.0" (eg: take the loss for a decade or so in reduced functionality to end up on a more sane "other side" with better security principles and systematic depreciation of inefficient or insecure API-types).

There was a LWN article which talked about "permissions should be managed at the mount level, not the file level", and honestly that makes so much more sense, but it "loses" POSIX, and no one person is willing to "break linux" to admit to that mistake. Tons of other examples (eg: file race conditions, unprivileged by default, more protections on /usr than /home, etc)

Azure Blob storage is considerably cheaper than S3 or Google, for example. (Not cheaper than Cloudflare, but that one doesn't have a supported FUSE driver). I've been trying hard to find instances where they lost data and could not.

Them offering the ~same product but cheaper is good.

I disagree this is "hype train" trails that lead to Azure. Management and their legal departments navigate in different ways.

> The MS security software (for better or worse), is better than any open-source linux solution

is it able to detect ransomware ?

Seeing MS and security in the same sentence makes me suspicious.

> The point is, that if your organization has chosen an enterprise security platform, you don't make exceptions because of ideology

You're right. MS can always blame state actors when something fails. /s

> Mostly it’s the other way around: attackers follow MS „security software“ to get deep into your systems.

Don't tell them. They just forgot about this with the new Win 11 24H2.

> but MS really doubled down on systematic improvements

Doesn't seem to have really worked for MS though, as evidenced by their many significant security lapses over the last several years.

The US Gov even officially called them out on it a few months ago, specifically singling out MS for their atrocious repeated security fuck ups.

> If users are using microsoft authentication for access, the accounts will be flagged and locked out, generally forcing users to fully authenticate with MFA and forcing a password change.

Last i heard the "state actors" had access to AD master credentials.

Correct that's why for example the Root-DNS servers run Linux,FreeBSD and Windows.

iirc Blob Storage is tied to a "storage account" that has throughput limits that can't easily be changed so it has a performance ceiling

> [...] is their log in.

On every first try, I cannot log in into Azure Portal. I chlick "try again", it works. And it's like that for months, if not years.

IMHO it says a lot of your culture if every first interaction of your customers with your product end with an error - and you simply don't care to fix it.

Microsoft isn't the only company to provide a service like this, and the others are cross platform.

The UI, retail pricing, and reliability reputation are not primary factors for large enterprise IT infrastructure and cloud decision makers. They look at:

1. Executive Support - can you assure me that MSFT will have my back when (not if) the shit hits the fan? Can I count on Satya or Jason Zander calling my CEO to reassure them if we’re working through a catastrophic issue? Because as an executive my career at this company is over otherwise when that happens.

2. Industry and analyst landscape - Which of my competitors / peers use your technology? I won’t be first in the pool. What does Gartner tell me about your company behind closed doors?

3. Competitive - Do any of your divisions compete directly with any of ours? Because I’ll be fired at the next board meeting if they read in the WSJ that we’re funding an adversary.

Cost is negotiable, what is a UI?, and sorry, I don’t care if all of the above is good but Azure isn’t the engineers’ favorite thing. Y’all work for me.

Famously, visual studio gets worse- not better, with time.

https://youtu.be/GC-0tCy4P1U

Having worked for many bosses like you, I think the solution is clear: tech needs more unions and co-ops.

I wonder if things like this are due to testing only on the vendor's own/preferred browser. In this case Edge?

Crowdstrike, for instance :^)

>Azure Blob storage is considerably cheaper than S3 or Google, for example

Really? I did a quick search and azure charges 2.08 cents per GB for "hot" storage compared to 2.3 cents for aws. That's not that big of a difference. Am I missing something?

Almost 0 chance.

It’s not. Their security has known massive issues and security holes, and they consciously do not fix them.

Look at the CVEs for azure, msal and Active Directory for some good laughs.

Now realise most governments, large companies and education works on this

No offense, but consider that there's a chance it's a problem on your end. I have never had this issue, and no one I know has had this issue.

And if you change some state, better refresh the page because updating the UI or two way data binding isn’t something they haven’t figured out yet at Microsoft apparently

I actually REALLY LIKE MacOS, especially workspace/window management when using Rectangles. So much so that I'm trying to recreate it on Linux (I don't want to buy a new Mac when I have a perfectly good gaming desktop to repurpose for dev work).

Downvotes accepted, I guess, but there was a step-change improvement. References:

https://www.itprotoday.com/attacks-breaches/the-story-behind...

https://www.microsoft.com/en-us/security/blog/2022/01/21/cel...

...while they may also (deservedly) be getting flack now, 20 years ago it was orders of magnitude worse.

Every login I've ever done into the Azure portal is like the upstream describes: an absurd number of redirections and refreshes that leave you wondering "is it supposed to work like that?"

I've also encountered strange bugs, like asking to log into tenant A and getting logged into, instead, tenant B. In a loop, effectively locking me out.

The exact quirks and bugs seem to come and go, I presume as the code is changed & updated.

Well, it gets better and worse, with a worsening trend. It's not monotonic, so one can easily point "hey, VS XX is better than VS YY for some XX > YY".

I’ve never used Azure, but my kid plays Minecraft (offline), and got forced into using a Microsoft account to login.

From what I can tell, they use it as proving ground for whatever crap they’re going to force on other applications.

After getting it to work on a raspberry pi, I decided I wouldn’t use any logged in Microsoft product in a professional setting.

Anyway, I’m sure they’ll eventually unify GitHub and LinkedIn login the same way they did with Minecraft. At that point, our industry will implode.

Hey, an outage is better than a hack...right?

Agree 100% with this.

One example is if you have multiple subscriptions and you want to select a particular subscription; the UI is so horrendous that even after using it everyday it’s so confusing. It’s such a simple thing that I am sure MSFT implemented it a million times but they just can’t do it in Azure.

It’s the worst of the three cloud providers.

The main reason they are second is because they have a sales org that sells well to naive cto’s.

The topic is good software and you mention Visual Studio?

When you come from bare metal, working with any of the cloud providers feels totally inconsistent and patched together.

Or open source - security onion is amazing!

> 3. Competitive - Do any of your divisions compete directly with any of ours? Because I’ll be fired at the next board meeting if they read in the WSJ that we’re funding an adversary.

This is a big point that others in this thread are missing. Amazon is increasingly competing in more and more spaces, and companies are rightly hesitant to get into bed with Amazon when they are a direct competitor. Azure is the only other serious choice, GCP isn't even going to be considered.

Silicon Valley might run on AWS but the rest of non-tech company corporate America runs on Azure (or on-prem still). The IT landscape looks a lot different outside of the SF Bay Area SaaS bubble.

A crashed machine is a secure machine.

That’s what grampy used to say

Will add my anecdotal evidence: I've seen this across the board from Microsoft. I've been a customer for several decades, and it is a bit of a nightmare now.

Logins that redirect to odd places. Jolting issues because you changed a seemingly innocuous security setting (i.e. OneNote refuses to sync on specific versions of the app/software if you don't grant them full access). Or just inconveniences, like having to login multiple times across their own sites when I dive into Office settings management. Seemingly forced use of the Microsoft Authenticator app from time to time.

Multiple computers, multiple devices. I can usually work around it, but it is a pain.

MacOS is pretty good, can’t argue with you there.

Oh, if the devops (new tfs) interface redesign is a representative sample, it's easy to make the world's largest SPA when you convert simple form submits into 5 JS-loaded logical pages, with unreliable navigation and complex JS session data that is too large to transfer on a LAN.

I imagine they can beat any record with a simple single-table CRUD.

> *nix started from a better _initial_ posture as it was multi-user, permissioned, and network-aware from the start (vs. corporate MS-DOS => single user => GUI => networked)

Windows NT started as a multi-user, permissioned, and network-aware OS. The team that built NT came from DEC, not the MS-DOS team.

Windows Me was the last version of Windows that had any form of DOS underpinnings.

None taken.

It is probably my "fault" by using Safari (no extensions) and not the all-praised(tm) Edge.

I couldn't add a billing profile to my MPN account the other day - endless loading without any indicator of success. It did work in Chrome though, except the "save" action which resulted in endless loading too, but still saved everything as expected.

I would guess it is a problem with OP's account. Which is to say it is thoroughly a Microsoft problem, and probably one that could be fixed but would require weeks of back-and-forth until someone with direct access to some number of auth databases corrected the issue.

I will say, they made a change to the auth system recently that made log-in significantly worse. Now several times a day my session expires or something and I go through a 5-10 second redirect flow which visibly jumps between different login APIs to refresh my log in state. (And of course this happens at the start of the day.)

Even internally: "Not even LinkedIn is that keen on Microsoft's cloud: Shift to Azure abandoned"

https://www.theregister.com/2023/12/14/linkedin_abandons_mig...

At the moment I can trace every action of every user on every machine, all from one platform that alerts me if anything abnormal happens.

As an administrator of around 10,000 servers and devices, I have never had this ability before.

I am sure there are better products out there, but this is what the company purchased, and the visibility it has given us into our organization has been a game changer for us.

I apologize for not hating it just because it is Microsoft.

Yes. Their security products are not terrible outside the fact many are acquisitions that have been shoehorned poorly into InTune.

It’s the reason we are over in Azure. We compete somewhat with Amazon retail and our customers compete 100%.

To be comparatively fair, Google doesn't run almost any of it's public products on Google Cloud, either (nor many of the internal apps).

"Azure’s Security Vulnerabilities Are Out of Control" - https://www.lastweekinaws.com/blog/azures_vulnerabilities_ar...

If you can't boot it, they can't hack it.

Arguably, I'm not as concerned about "every action of every user on every machine" as I am the exceptions, and the usability issues the aforementioned "security platform" causes in terms of end user efficiency are probably not offset by the perceived security gains from your POV.

Fwiw, for as much rightful criticism as Google receives for things like killing consumer products and behaving badly with user data, its internal IT runs better than -- in my opinion as an ex-employee -- any other large enterprise in the world. And it's secure.

Microsoft just opened a new startup vertical: security services for security logs. If those startups use Azure to run their production workloads, the industry will quickly enter an infinite loop and skyrocket to $2 trillion/yr.

I grew up with an Apple II, then switched to Windows from 3.11 for Workgroups all the way up to Vista, at which point I switched to desktop Linux (variety of distros, but mostly ended up on Kubuntu in my house and Mint for family). Then it was 8 years of ChromeOS. The past couple of years I've been on MacBooks and, although there are quirks I don't really like, I can't argue with the fact that it mostly "just works", which is really the primary requirement of any operating system.

> migrating to cod

cod? Call of Duty?

Still, I would say peak Win2k was faster, cleaner and more no nonsense than modern MacOS. I use macs as well, they are not at all as snappy as windows 2000 was.

I’m 100% pro union and not the guy you’re thinking of. Apologies if that wasn’t clear because of the first person writing in my comment.

I’m an engineer on the vendor side that begrudgingly got promoted into CTO role where I was helping get deals done with F100 c-levels. So I know how these people think. I hated it, left enterprise a few years ago and never looked back.

I worked on Windows 2000, thanks! But Windows 7 was better.

Sure, but Azure also exposes an extremely large array of knobs and buttons that put the tenant admin squarely in control of what "login" means in the first place: the kinds of authentication allowed or required, by whom, under what risk profiles, for which applications, etc. If you feel like it is screwed up there is, as likely as not, action that it is the tenant admin's — not MS's — responsibility to take, to fix it. I don't know what to tell you about refreshes, that's just how Oauth works mostly. I'm tempted to take a video of myself logging into the Azure portal right now just to ask what about it is so weird.

It's also possible your tenant admin updated Conditional Access rules for some locations or applications. Or maybe they screwed up the Hybrid AAD sync from the on-premise DC. As I've been trying to point out elsewhere, tenant admins have a much higher influence on these outcomes than people are willing to admit, and there are a lot of admins out there who can't be arsed to keep up. I've made some of those mistakes myself.

It's amazing Azure has 2-3x the market share of Google Cloud with a much worse service.

Is this because of corps using dotnet and Microsoft SQL?

I have a similar (yet different) experience. I rarely (e.g., once every few months) log into the portal and it dies with some impenetrable error if I use the same browser on which I last successfully logged in. So I often find myself firing up an incognito browser so I can log in.

My guess is that some change to the login process is not compatible with the cookies I have sitting around from the last time I logged in.

Really, have you used Google Cloud?

Big Enterprises need alot of bells and whistles and for the longest time, Google Cloud didn't have those bells and whistles. For example, App Engine for longest time didn't have internal IP only. It has it's now but whole point, most people have already evaluated their cloud and picked it.

Also, Google used to be or still is terrible at talking to customers. Big Enterprises require people at Google to actually talk to customers, something Google is notoriously terrible at.

Finally, Google Deprecation Policy has done them in. Many CTOs are scared to get into bed with Google due to it: https://steve-yegge.medium.com/dear-google-cloud-your-deprec...

When you promote a Windows server 2016 or higher) to a domain controller, you suddenly get error message when trying to open the network adapter through the "new" settings app. You must open through control.exe, everything else just throws an error.

I opened bug with the Microsoft Premier support and they told me that this works as intended.

So when Microsoft says, it works as intended, it can still be bugged to hell and back. They just don't care.

> Really, have you used Google Cloud?

Yes, for years.

Their dashboard is not great but way better than the competition. As for the cloud service itself, it has been reliable in my experience.

> Google used to be or still is terrible at talking to customers

Aren't all clouds like this unless you're a big org?

> Google Deprecation Policy has done them in

I'm sure some people feel this way but I doubt it's the majority.

I'm ignoring the dashboard because there are people who think Azure Dashboard sucks while I'm pretty used to it and think Subscription -> RG -> Resource is pretty logical but I'm sure others prefer GCP way of organizing.

>Aren't all clouds like this unless you're a big org?

Our spend is only 10k/mth and Microsoft talks to us. They are overworked but it's better than 1 million Spend/mth I had at $TwoJobs ago and getting anyone at GCP to pick up the phone was pulling teeth.

> The MS security software (for better or worse), is better than any open-source linux solution

[citation needed]

I would like to retro-actively remove my categorization of Visual Studio. That was an absolutely enjoyable rant and demonstration.