It was the government's security failure and not Microsoft's. Microsoft was up front about what was happening and the government could have pushed back if they did not approve of the digital escort system.
Lack of competition is definitely a problem in the pricing of some things, but I don’t think this is one of them, people just prefer what Microsoft offers and are willing to pay for it.
To be honest though, would I use it for my business? No. Broken formatting (for either my side or a client's side) isn't acceptable; the UI is two decades behind; LibreOffice Calc is still too incomplete; and who knows what's in a C++ codebase that old and that large (100,000+ files, 10M+ LoC) - it's basically security by obscurity. Microsoft Office getting hacked and fixed is better than a target too small to matter until a government adopts it.
If everyone in their formative years would use Linux, then it would be a different story. But... they don't, so it requires reeducation. I think Mexico attempted it and I hope they were successful.
Executives don’t like to punish their own people because it makes them look bad. They’ll scapegoat people when necessary of course.
And, to be fair, so is every other software project with an imperfect track record, that continues to have users, whether FOSS or closed source.
So, to me, the "too big to fail" set absolutely includes "only game in town." It's really just a special case of it.
A successful software implementation requires a lot more than just software.
Tearing out all MS software at any large organization would involve quite a bit of compromise and many opportunities for failure.
Google has made some progress here, but doesn't seem interested in a bunch of important spaces (e.g. they have Docs, but don't have anything like Active Directory or Sharepoint that I know of).
Microsoft is also often the default vendor, since virtually every big company has contracts with them for Windows and Office (at least) already.
Oracle?
Google?
Broadcom?
A lot of the dependencies on advanced features are artificial. The government creates unnecessary rules/bureaucracy for itself such that only specific providers are able to meet those rules. Bureaucracy and regulations are designed to be anti-competitive and benefit large companies who fund the political campaigns.
The government really is oppressing one set of people to benefit another set of people. It has always been like this. Nothing changed fundamentally in the past 300 years except which group of people is being oppressed and which group is doing the oppressing.
IMO, the government should force major social media companies to allocate a portion of their ad space to the government for campaigns. So that anyone can run for office and can get enough attention in the media to build momentum, starting from nothing.
Anyway, the problem is deep and sits alongside a whole bunch of other problems. All greatly exacerbated by the design of the monetary system which gives the government access to unlimited money.
This is the big thing that keeps Microsoft lock-in alive. Nowhere else are you going to get: Full office suite, both online & desktop apps, hosted exchange/email, Identity w/ MFA & Conditional Access, EDR, file storage, chat/collab, AI chatbot w/ your Microsoft data as context, and MDM all for $22/user/month (if you have less than 300 users, otherwise you're looking in the range of $35-$50/user/month which is still dirt cheap for what you get). Not to mention all the data protection (purview)/e-discovery stuff also included.
Google Workspace is the next best thing, and doesn't offer all of what MS does for the price.
MS (365) is the only game in town where you can get everything you need for 1 price/subscription.
Microsoft's services are rarely the best at anything, but they are all "good enough", well integrated and will check any and all compliance/regulatory checkboxes you want them to check, and you can generally hammer any of their offerings into whatever you want. Similar to Windows in a way, it wasn't the best at anything in particular, but had everything you needed, and could be made to do whatever with some effort with the benefit of integration into all of MS's enterprisey stuff by default.
On Linux, yes you can spend months modifying Flatpaks, or writing SELinux rules or apparmor profiles, but nobody does that. The out-of-the-box Linux user distros are quite a bit lacking and it is only a matter of time before malware that steals secrets from the home directory arrives on Linux too.
Current working strategy is to first move everything using Entra SSO to our own hosted IdP, and then everything else. From there we’re thinking we move SharePoint/OneDrive, and replace the Office apps with LibreOffice (maybe Collabora?), and eventually replacing email with Fastmail, which we already resell.
We’re a managed hosting firm with a few technologists, and we have no external MS365 collaborators, so we’re a good fit for that kind of setup.
macOS could be a better-looking and more well-rounded consumer OS, but Windows is definitely the best when it comes to providing the most functionally complete APIs. It is also the best when it comes to well-designed future-proof APIs. The backwards compatibility isn't just keeping the functions untouched. It is designing data structures and APIs that can be seamlessly upgraded.
Linux can have DBus etc. but it doesn't go anywhere close to the unified feeling that Win32 and COM APIs provide. Each type of hardware under Linux requires some completely different style (some more functional, some more async, some subsystems are more object-oriented, some APIs are pure text-based the others are IOCtl minefields).
There is a reason CAD software is often Windows-only while many buyers have always been able to buy Macs too (Power, x86 or ARM).
I don't think it is even a good competitor if you're actually creating bigger, slightly more professional-looking documents / spreadsheets or want some quick working UI as a normal consumer. LibreOffice still cannot do live element updates, which were introduced with Office 2007!
If a company is winning simply because they’re able to prevent meaningful competition (such as Google buying up default search) that’s a failure of regulators.
If a company is winning because people like their product better and they’ve spent a lot in R&D to make it better so it would cost a lot to catch up to, and it has several competitors who just might not be as good, that’s exactly what you hope for.
When someone has that level of success they’re the best at many things, they just may not be the things you appreciate.
Google Workspace is the closest but it isn't even in the same playing field when it comes to advanced integration. Microsoft killed all of its competition in the 90s and early 00s. Nobody stopped them. Nobody applied antitrust law. Now they have at least a decade ahead of everybody else.
Any competition would have to spend quite a bit of extra money just to move all the integrated apps (SAP, Salesforce, CAD software, Exchange extensions) to their environment. To repeat my point, most IT departments want to spend a whole 0 on developing / engineering integrated solutions, and developing those requires some millions per year at least. Microsoft sells this stuff for as low as €20 per user depending on the contract.
For what it's worth, RHEL and to some degree Fedora do give you those SELinux rules for most of their packages. That's OOB for anything you would install with rpm.
> it is only a matter of time before malware that steals secrets from the home directory arrives on Linux too.
No need to wait? Most of the malware distributed over npm/pypi has supported Linux and sometimes MacOS for a long time.
I'm typing this on a computer that came with Windows 11. I booted it a few times, and reserved a terabyte of my (8TB) SSD for it, but I never use it at all. I've got some Windows VMs, from XP through 10 that I rarely use, but I use them when needed for things that require those platforms.
I got an email from Intuit two weeks ago informing me that they weren't going to support Windows 10 anymore, so I guess I'll be deleting my Windows 10 VM soon, but I have no intention of ever creating or running a Windows 11 VM, or installing anything important on the soon-to-be-deleted Windows 11 partition I have, so I guess I'll quit using TurboTax after 40 years of using it.
I looked into the possibility of running TurboTax with Wine (or CrossOver, for which I have an eternal license), but apparently it doesn't run at all there.
Because there are obvious architectural limitations of having a linear scale of privilege levels which one places all processes on, Windows has tried implementing "Windows Sandbox" as an alternative sandboxing mechanism that executes a process in a Hyper-V virtual machine that has restrictions placed on the interfaces exposed into the virtual machine.
I believe Windows Kernel still doesn't have any similar functionality to Linux's namespaces that are much more capable and flexible with sandboxing applications. The reason I recall is Windows' GDI subsystem (painting/drawing) being implemented within the Windows Kernel, not a userspace process as you see with Wayland compositors on Linux systems. This GDI subsystem I believe was the main problem holding back the Windows Kernel from implementing Linux-like namespace and sandboxing functionality.
Linux and common desktop environments such as Gnome also offer sandboxing out-of-the-box in more ways than a typical Windows installation, including as examples:
- very granular seccomp filters implemented for system processes (typically via the simple and accessible method of systemd service configuration) to only permit a process to make certain syscalls or access only specific system resources (files, network interfaces, etc)
- seccomp filters for revoking permissions on processes once they've started up and no longer need certain permissions. See for example OpenSSH and how it forks into less privileged processes once ports have been opened, keyfiles read, etc.
- Use of multi-process application architectures where each process is individually sandboxed, where a Windows equivalent would be a monolithic application. See for example use of "glycin" in Gnome applications for parsing and loading images in separate sandboxed processes from other parts of the application[4], or "tracker" again in Gnome applications which sandboxes the processes for metadata extraction from each file.
[1] https://learn.microsoft.com/en-us/windows/security/book/appl...
[2] https://learn.microsoft.com/en-us/windows/apps/windows-app-s...
[3] https://learn.microsoft.com/en-us/previous-versions/dotnet/a...
[4] https://gitlab.gnome.org/GNOME/glycin
edit: some references added
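The "revoke what you no longer need" pattern from the list above (OpenSSH-style: do privileged startup, then filter syscalls for the rest of the process lifetime), as an added example that is not code from the thread, OpenSSH or any project named in it. It uses the raw seccomp-BPF interface rather than libseccomp so the mechanism is visible, and assumes a Linux kernel on x86_64 or aarch64; on anything else, or where the sandbox refuses to install a filter, it reports "untested" instead of failing.

```c
/* Added example: seccomp-BPF filter installed after startup so that
 * socket(2) is refused with EPERM for the rest of the process lifetime.
 * Linux only, raw prctl() interface, no libseccomp. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* The filter must pin the ABI: syscall numbers differ between ABIs, so an
 * unchecked filter can be bypassed by switching (e.g. x32 on x86_64). */
#if defined(__x86_64__)
#define SECCOMP_ARCH AUDIT_ARCH_X86_64
#define SECCOMP_ARCH_SUPPORTED 1
#elif defined(__aarch64__)
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#define SECCOMP_ARCH_SUPPORTED 1
#else
#define SECCOMP_ARCH 0
#define SECCOMP_ARCH_SUPPORTED 0
#endif

#ifndef SECCOMP_RET_KILL_PROCESS            /* pre-4.14 headers */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Install a filter that denies socket(2) with EPERM and allows everything
 * else. Returns 0 on success, -1 (errno set) if the kernel/sandbox refuses. */
static int deny_socket_syscall(void)
{
    if (!SECCOMP_ARCH_SUPPORTED) { errno = ENOSYS; return -1; }

    struct sock_filter filter[] = {
        /* arch != the one we compiled for: kill, do not guess. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Load the syscall number. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#if defined(__x86_64__)
        /* x32 ABI calls carry bit 30 with the same arch value: reject them. */
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000U, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
#endif
        /* socket(2) -> EPERM; anything else -> allow. Jumps are relative. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };

    /* Mandatory without CAP_SYS_ADMIN, and it also stops a filtered process
     * from regaining privilege via setuid binaries later. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Returns 0 if the filter went in and socket() is now refused with EPERM,
 * 1 if this environment does not let us test (no networking / no seccomp),
 * -1 if the filter installed but socket() still succeeded. */
int demo_privilege_drop(void)
{
    /* Phase 1: startup work that legitimately needs socket(2). */
    int listener = socket(AF_INET, SOCK_STREAM, 0);
    if (listener < 0) return 1;
    /* ... a real daemon would bind()/listen() here ... */

    /* Phase 2: socket creation is no longer needed; revoke it. There is no
     * undo: seccomp filters only ever stack, they are never removed. */
    if (deny_socket_syscall() != 0) { close(listener); return 1; }

    /* Phase 3: prove the revocation took effect. */
    errno = 0;
    int again = socket(AF_INET, SOCK_STREAM, 0);
    int blocked = (again < 0 && errno == EPERM);
    if (again >= 0) close(again);
    close(listener);                      /* close() is still allowed */
    return blocked ? 0 : -1;
}

int main(void)
{
    int r = demo_privilege_drop();
    if (r == 0)       puts("socket() refused with EPERM after startup: filter works");
    else if (r == 1)  puts("could not test here (no networking or seccomp refused)");
    else              puts("filter installed but socket() still succeeded");
    return r == 0 ? 0 : 1;
}
```

The arch and x32 checks are the part people most often omit; without them a filter keyed only on the syscall number is not a security boundary. A systemd unit gets the same effect declaratively with `SystemCallFilter=`, but that applies from exec time, whereas the in-process filter above is what lets a daemon keep socket(2) for its own startup and then lose it.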
It predated https://github.com/sandboxie-plus/Sandboxie but Sandboxie is an example (from 2004) of a similar project that has a longer development history. There have been other similar projects that have come and gone over the years too.
Nowadays several kernel services and drivers are virtualized, running inside Hyper-V instances.
One of the Windows 11 hardware requirements is that all the formerly optional virtualization and sandboxing security features are no longer optional.
Also how’s fastmail with calendar invites to companies on exchange? What would you use to replace teams? Zoom?
It’s now a Microsoft 365 user
Hardly anything about "silos" and seemingly nothing about BFS (for providing a virtual filesystem to a process) is documented publicly by Microsoft. Unless a Windows application developer has a particular interest in reverse engineering the Windows Kernel, they're probably not going to be using much of Windows Kernel sandboxing/isolation techniques beyond the simple interface that UWP exposes for GUI applications because it's just too hard otherwise.
For example, in the excellent description of this officially undocumented mess at [2] and [3], the author notes:
"What is interesting here is that there does not seem to be any general mechanisms for restricting access to syscalls globally, which means that the attack surface can be quite large. Indeed, even if it is possible for the Kernel to know if the execution comes from inside a Silo, each syscall must set up its checks (or not). In addition, some syscalls do not directly block access to Silos, but rather implement a different logic between a host and Silo context."
Another author at [4] finds all sorts of unexpected behaviours from this complex use of call interception, filter drivers, etc, such as endpoint security software not being aware of silos and use of filter drivers like BFS, etc, and not properly restricting or logging activities of "sandboxed" processes as developers and users of endpoint security software may expect.
Even if someone reverse engineered an adequate understanding of silos and whatever else Microsoft call "Process Isolation", they'd also potentially have to then learn the completely different Hyper-V isolation approach, as well as Mandatory Integrity Levels (MILs), as well as old school Windows ACL permissions, as well as the newish "Virtual Secure Mode" (VSM)[7]. It'd be like setting up a Linux system that has every Linux Security Module (LSM) enabled at once because SELinux is just too simple on its own.
[1] https://learn.microsoft.com/en-us/windows/win32/procthread/j...
[2] https://blog.quarkslab.com/reversing-windows-container-episo...
[3] https://blog.quarkslab.com/reversing-windows-container-part-...
[4] https://www.deepinstinct.com/blog/contain-yourself-staying-u...
[5] https://ht3labs.com/Brokering-File-System-January-2025-Patch...
[6] https://learn.microsoft.com/en-us/windows/win32/secauthz/imp...
[7] https://github.com/tpn/pdfs/blob/master/Battle%20of%20SKM%20...
Fastmail’s calendar invitation support is solid in my experience. And they support access via standard protocols. That is very quickly disappearing with Microsoft 365.
We never used Teams. Once we had the option to switch to non-Teams 365 licenses we did that almost immediately. We used to use Slack, but saw the writing on the wall when Salesforce acquired it, moved to Mattermost in Kubernetes, then Mattermost Cloud's paid tier when it launched. When Mattermost evicted non-enterprise licenses from their cloud service we never replaced it. Turns out, we don't really need an internal chat/conferencing app. We're a few guys within a half hour of each other. If we need to, we hop on a call, send an email, or send a text to schedule an in-person meeting.