Most active commenters
  • stackskipton(9)
  • (5)
  • necovek(4)

←back to thread

Foreign hackers breached a US nuclear weapons plant via SharePoint flaws

(www.csoonline.com)
433 points zdw | 51 comments | 21 Oct 25 15:51 UTC | HN request time: 0.798s | source | bottom
1. stackskipton ◴[21 Oct 25 19:17 UTC] No.45660335[source]
As usual with all these types of posts, people go "HA HA, MICRO$OFT SUCKS" without understanding business practices that keep them afloat.

Don't use Exchange? Cool, what should we use instead? Does it support 15 people all the way up to 150000 people? I used to run Exchange cluster for 70k people, is there other mail software out there complete with non-shared disk redundancy? Where the users connect to single endpoint and software figures it out from there?

Sharepoint with another 2 RCEs. Not shocked, the software is terrible. However, it's only software that will stand up under load and let us shard it easily. All open-source software is one of those, runs fine in Homelab, likely falls down under load. Few Open Source Developers want to work on this stuff which I get because it's tedious work interfacing with computer illiterate end users. I'd rather chug sewage then do this work for free.

Finally, it's somewhat backwards compatible. Most businesses are filled with ancient software that no one has worked on in 20 years. That Excel document with Macros from 1997. With some registry changes degrading security posture, still works. I doubt you will find Office software with level of backwards compatibility unless they are using Microsoft Office level of compatibility.

Microsoft has real gordian knot here and few solutions besides "Backwards compatibility is OVER. Upgrade to modern or GTFO". Meanwhile, I get hit up by $ThreeJobsAgo over some Exchange Web Services solution I slapped together for them in Python they wanted me to upgrade to GraphAPI since Microsoft turned off Exchange Web Services in Office365.

replies(13): >>45660418 #>>45660587 #>>45660597 #>>45660667 #>>45660671 #>>45660681 #>>45660723 #>>45660777 #>>45660784 #>>45661246 #>>45663047 #>>45663124 #>>45665208 #
2. bad_haircut72 ◴[21 Oct 25 19:23 UTC] No.45660418[source]
I mean this is nuclear wepons were talking about, who cares about features vs security? They could run the department on snail mail if they tried
3. nerdponx ◴[21 Oct 25 19:34 UTC] No.45660587[source]
> Few Open Source Developers want to work on this stuff which I get because it's tedious work interfacing with computer illiterate end users. I'd rather chug sewage then do this work for free.

Or the government could pay people to work on said open source software, providing a benefit to the public along the way. The US government started something like this called "18F" under the Obama administration. It was so effective at making software that was useful to the American public that Trump promptly shut it down 2 months into his second term, in no small part because they had the temerity to develop free-to-use tax filing software.

See

https://handbook.tts.gsa.gov/18f/history-and-values/ https://web.archive.org/web/20250000000000*/https://handbook... https://archive.is/CIXG1

and

https://www.lawfaremedia.org/article/learning-from-the-legac... https://web.archive.org/web/20250000000000*/https://www.lawf... https://archive.is/fmaf6

4. BeetleB ◴[21 Oct 25 19:35 UTC] No.45660597[source]
How oh how did these nuclear weapons facilities manage to function in the days before Exchange and Sharepoint?
replies(3): >>45660834 #>>45661519 #>>45666506 #
5. necovek ◴[21 Oct 25 19:41 UTC] No.45660667[source]
I see you build a case for traditional MS product in Exchange, yet this issue is about Sharepoint.

Just like with Windows, Microsoft has built a moat with Exchange, but the question is why do all the companies buy into their full ecosystem, especially for anything relating to web technologies (you even bring up Exchange Web Services), because this they do really badly, and Sharepoint seems to be the worst.

However, I am certain there are big Postfix/Dovecot installations scaling easily to 150k people, but we probably wouldn't know about them. Eg. here a couple of accounts of people doing that: https://www.reddit.com/r/linuxadmin/comments/32fq67/how_woul...

replies(6): >>45660796 #>>45660845 #>>45660876 #>>45660981 #>>45663661 #>>45665175 #
6. Staniel ◴[21 Oct 25 19:41 UTC] No.45660671[source]
Why is this comment glowing? \s
7. vlovich123 ◴[21 Oct 25 19:42 UTC] No.45660681[source]
You can use hosted versions of Google Workplace or Office365 if you can’t figure out how to secure software (places like this typically can’t clearly). Additionally it enforces a separation of concerns where a compromise of your email server doesn’t lead to a compromise of the plant itself (again - clearly IT didn’t know how to partition the network into different parts).
replies(1): >>45660915 #
8. ◴[21 Oct 25 19:45 UTC] No.45660723[source]
9. elevation ◴[21 Oct 25 19:48 UTC] No.45660777[source]
How many organizations on the planet require their Exchange server to support 150k users? I doubt most manufacturing plants fall into this category.
replies(1): >>45660792 #
10. dudeinjapan ◴[21 Oct 25 19:49 UTC] No.45660784[source]
Sharepoint is enterprisey and all but how about "less software/surface area is more" when it comes to nuclear silos?
11. stackskipton ◴[21 Oct 25 19:50 UTC] No.45660792[source]
They don't but whole point is massive Enterprises use the software, people get accustomed to it and want it in their smaller business. So, Microsoft Small Business Server is developed until O365 came along.
12. elevation ◴[21 Oct 25 19:50 UTC] No.45660796[source]
Not sure the total number, but a university near me serves 50K active students and hundreds of thousands of alums with Postfix/Dovecot.
13. stackskipton ◴[21 Oct 25 19:53 UTC] No.45660834[source]
Just like everyone else before invention of Email and Document sharing? However, like every other business, no one is willing to slow down velocity for security reasons so now we are here. Unless you have a fix for "Line must go up", market pressures will always cause this.
replies(2): >>45660929 #>>45661233 #
14. inopinatus ◴[21 Oct 25 19:53 UTC] No.45660845[source]
I was running millions of accounts using Postfix/Dovecot on shared-nothing storage with a single MUA-facing endpoint and complex policy options, and that was over a decade ago.

Fastmail today would be much bigger again, and they’re on CMU Cyrus.

150k is rookie numbers. Perhaps that was meant ironically to satirise mediocre enterprise thinking?

replies(3): >>45660911 #>>45661642 #>>45663234 #
15. stackskipton ◴[21 Oct 25 19:55 UTC] No.45660876[source]
I used Exchange because it was what I most familiar with. SharePoint operates in similar matter with all sharding (though backend is still MSSQL with it's sharding last I checked)

Sure, PostFix/DoveCot will scale if you are doing just email. Once you add GroupWare requirements, PostFix/Dovecot are no longer in same boat.

replies(1): >>45666835 #
16. stackskipton ◴[21 Oct 25 19:57 UTC] No.45660911{3}[source]
Cool, you got a blog article detailing how that works with Postfix/Dovecot? All clustering articles I'm seeing for those involved shared storage. Fastmail is not very specific how that works.

In any case, Exchange is not just email, it has Calendaring/Contacts stuff going on as well.

replies(1): >>45660934 #
17. stackskipton ◴[21 Oct 25 19:58 UTC] No.45660915[source]
Sure, this business should have converted to either of those and let someone else take over administration since they were clearly negligent. This is stuff that FedRAMP or it's replacement was supposed to fix but didn't.
replies(1): >>45660970 #
18. awesome_dude ◴[21 Oct 25 20:00 UTC] No.45660929{3}[source]
Um, email was invented, like in the last millenium, well before Microsoft was a thing (only slightly sarky)
replies(1): >>45661282 #
19. ◴[21 Oct 25 20:00 UTC] No.45660934{4}[source]
20. vlovich123 ◴[21 Oct 25 20:03 UTC] No.45660970{3}[source]
FedRAMP is only for hosted software for the federal government afaik, not on-prem and not private companies (nuclear reactors afaik are operated by grids/private operators and the federal gov is responsible for auditing and regulating)
21. MisterTea ◴[21 Oct 25 20:04 UTC] No.45660981[source]
> but the question is why do all the companies buy into their full ecosystem,

Old manager I had one told me: "I wish Microsoft made all the software in the world because it works so well together!" He was the guy who bought our company a one-way ticket to O365. He was also woefully tech ignorant and could barley drive software outside of office programs.

replies(1): >>45663255 #
22. BeetleB ◴[21 Oct 25 20:26 UTC] No.45661233{3}[source]
> market pressures will always cause this.

Market pressures dominate nuclear weapons development?

replies(1): >>45662552 #
23. ◴[21 Oct 25 20:27 UTC] No.45661246[source]
24. dlgeek ◴[21 Oct 25 20:30 UTC] No.45661282{4}[source]
Microsoft was a thing before email.

Microsoft was founded in 1975. The standard for SMTP wasn't published in 1981. Most early predecessors were the late 70s.

replies(1): >>45662811 #
25. wombatpm ◴[21 Oct 25 20:50 UTC] No.45661519[source]
Novell or Lotus Notes
replies(1): >>45662683 #
26. Spooky23 ◴[21 Oct 25 21:00 UTC] No.45661642{3}[source]
Cool. I did that with qmail in 1998 on a couple of Ultra 5s.

Try managing a calendar or booking resources.

replies(2): >>45662023 #>>45662132 #
27. ◴[21 Oct 25 21:35 UTC] No.45662023{4}[source]
28. inopinatus ◴[21 Oct 25 21:46 UTC] No.45662132{4}[source]
Integrated CalDAV is also available. Not in qmail, however. The patch for that would be large.
replies(1): >>45681737 #
29. stackskipton ◴[21 Oct 25 22:30 UTC] No.45662552{4}[source]
Sure, all the “Let’s run government like a business” types. Cut IT budget and outsource to contractors who want maximum profit.
30. ◴[21 Oct 25 22:44 UTC] No.45662683{3}[source]
31. awesome_dude ◴[21 Oct 25 22:59 UTC] No.45662811{5}[source]
https://en.wikipedia.org/wiki/History_of_email

In 1971 Ray Tomlinson sent the first mail message between two computers on the ARPANET, introducing the now-familiar address syntax with the '@' symbol designating the user's system address.[2][3][4][5] Over a series of RFCs, conventions were refined for sending mail messages over the File Transfer Protocol. Several other email networks developed in the 1970s and expanded subsequently.

Proprietary electronic mail systems began to emerge in the 1970s and early 1980s. IBM developed a primitive in-house solution for office automation over the period 1970–1972, and replaced it with OFS (Office System), providing mail transfer between individuals, in 1974.

32. int_19h ◴[21 Oct 25 23:23 UTC] No.45663047[source]
Exchange has valid arguments for it, but I don't think SharePoint has anything going for it other than "we already got a license for that as part of out package deal". As software in its own right, it's uniquely bad even for Microsoft.
33. zelphirkalt ◴[21 Oct 25 23:33 UTC] No.45663124[source]
> Sharepoint with another 2 RCEs. Not shocked, the software is terrible. However, it's only software that will stand up under load and let us shard it easily. All open-source software is one of those, runs fine in Homelab, likely falls down under load. Few Open Source Developers want to work on this stuff which I get because it's tedious work interfacing with computer illiterate end users. I'd rather chug sewage then do this work for free.

All just empty claims without showing any evidence. Did you ever set up a multi-client syncthing setup to test your theories about it falling over? Or do you have any references, pointing us to analysis, that shows, that any such tool doesn't hold water? What about some bit torrent setups? There are many options in this space, and one doesn't even have to lump synchronization and viewing in a web UI into one service. If one doesn't, then there are many tools that can accomplish the job better than Sharepoint.

And btw. paid MS Office doesn't even hold water for some 80 people, delivering me my e-mails some half an hour later, at a snail's pace, one or two a minute, while my 1 EUR per month free software using e-mail provider (posteo) manages to give me all my new e-mail almost instantly, the moment I open Thunderbird.

replies(1): >>45663708 #
34. xxs ◴[21 Oct 25 23:47 UTC] No.45663234{3}[source]
>Perhaps that was meant ironically to satirise mediocre enterprise thinking?

It's a serious post, unfortunately.

replies(1): >>45663725 #
35. casey2 ◴[21 Oct 25 23:50 UTC] No.45663255{3}[source]
Yup, proves the old adage that you never let the tech fluent make tooling decisions for normal people. Nothing would kill a large orgs momentum faster than half their employees stuck reading man pages for trivial tasks. Microsoft is a good black and white, you can do this or you can't. Which works better organizationally than the "I bet I could hack this together in a few weeks" and have everyone wait around so one "10x dev" can feel like a special snowflake
replies(1): >>45671940 #
36. zenmac ◴[22 Oct 25 00:43 UTC] No.45663661[source]
Craigslist has also uses Haraka to scale their email.

https://haraka.github.io

There are plenty of open source email alternatives now days.

37. stackskipton ◴[22 Oct 25 00:51 UTC] No.45663708[source]
Your replacement for Sharepoint is BitTorrent or Syncthing?

Yes, there is other tools, none of them is as integrated as Microsoft suite except other cloud only options like Google Workspace and other cloudy software.

38. stackskipton ◴[22 Oct 25 00:52 UTC] No.45663725{4}[source]
Yep, my point was “What is the alternative besides other enterprise cloud like GSuite and others?”
replies(1): >>45665303 #
39. lkjdsklf ◴[22 Oct 25 05:25 UTC] No.45665175[source]
Comparing postfix/dovecot to exchange is grossly misunderstanding what’s happening

If you’re using exchange/outlook, you’re using Active Directory.

The only real “altetnative” is the reimplementation in samba v4.. calling that an alternative is a bit of a stretch. And it barely scales to one user let alone millions like AD can

replies(1): >>45665262 #
40. bawolff ◴[22 Oct 25 05:33 UTC] No.45665208[source]
> Sharepoint with another 2 RCEs. Not shocked, the software is terrible. However, it's only software that will stand up under load and let us shard it easily. All open-source software is one of those, runs fine in Homelab, likely falls down under load. Few Open Source Developers want to work on this stuff which I get because it's tedious work interfacing with computer illiterate end users. I'd rather chug sewage then do this work for free.

Isn't sharepoint just a file share server? (Ive never used it)

I'm sure solutions like samba or an ftp server hold up fine under the load. Its really more a UI question.

replies(2): >>45665258 #>>45666848 #
41. swarnie ◴[22 Oct 25 05:42 UTC] No.45665258[source]
Find me an FTP server which integrates with your entire productivity, communication and collaboration suites easily enough that an admin can run a 50k person company off of it and equally Doris from accounts can manage to get some work done.

I hate SharePoint, but i use/administer it every day and it works, mostly.

Exposing it to the internet is a mistake. Why anyone would do that is beyond me.

replies(1): >>45665701 #
42. necovek ◴[22 Oct 25 05:42 UTC] No.45665262{3}[source]
You can trivially set up Postfix/Dovecot with LDAP.
replies(1): >>45668554 #
43. necovek ◴[22 Oct 25 05:48 UTC] No.45665303{5}[source]
FWIW, GSuite seems to do fewer things, but at least does them better (think nested groups and calendar invitations for parent groups: adding/removing people does not update future events with MS tools).

But at the same time, within an org of 150k people, we have separate people to support our Teams usge, our Outlook usage, our AD/Entra usage: with the same number of "sysadmins", could we do the same with open source stack?

I don't know, but I know the bugs I see with MS365.

44. bawolff ◴[22 Oct 25 06:55 UTC] No.45665701{3}[source]
Like i said, its a UI issue not a scalability issue.
45. azernik ◴[22 Oct 25 09:04 UTC] No.45666506[source]
They paid lots of secretaries lots of money and had a whole department called "the mailroom".

No one wants to go back to that.

replies(1): >>45668914 #
46. p_ing ◴[22 Oct 25 09:51 UTC] No.45666835{3}[source]
SharePoint does not use [SQL] sharding. Each Site Collection is contained within a single Content [SQL] database. However the blobs themselves can be stored elsewhere via a provider, out of the box a file system provider is available (in SPO they use Azure Blob Storage).
47. p_ing ◴[22 Oct 25 09:53 UTC] No.45666848[source]
No, but storing files is one of it's core functions. The wiki [0] has a decent outline of what it is (may or may not be out of date for on-prem).

[0] https://en.wikipedia.org/wiki/SharePoint

48. lkjdsklf ◴[22 Oct 25 13:09 UTC] No.45668554{4}[source]
There’s nothing trivial about running or scaling an ldap server.

Ldap is also not Active Directory. Ldap is one very small part of it

49. mikkupikku ◴[22 Oct 25 13:33 UTC] No.45668914{3}[source]
When they're managing nuclear bombs, I think some inefficiency shouldn't be a deal breaker.
50. necovek ◴[22 Oct 25 16:54 UTC] No.45671940{4}[source]
You are ignoring the fact that people are mostly complaining about Microsoft saying their software will do something, and then it not really working or falling apart (like with security incidents).
51. Woodi ◴[23 Oct 25 13:43 UTC] No.45681737{5}[source]
Why DAV should be integrated into any SMTPd ?? DAV is some protocol over HTTP - another service, another port. Why any architect want it in same binary or even deployed on same server ?? And even if some "cal" or "address" part is content in email that still processing it is totally different software layer then plain "sending mail" and storing it.

But no, people get self backdoored by using Exchange... Or clolud :) Or AI hosted by someone else...