When I worked at Microsoft, I found a case internally where it appeared that a service was accepting expired certificates as a form of authentication for admin-level calls. I was fairly new, so I brought it to someone who had been at Microsoft for the better part of a decade. We didn't own the service in question, and he told me that, since it wasn't our service, I should just focus on continuing our work, and that it wasn't our responsibility to raise the security concern.
In the end, it turns out it was not accepting expired certs -- there was another auth method superseding the certs -- but the behaviour I saw in this case was not unusual to encounter.
Microsoft has many excellent engineers, even in security. But decades of culture rot take longer than a few years to fix, and a lot of old-timer Microsofties have this "not my problem" viewpoint that can lead to major security risks. No doubt, the way Microsoft has handled this year's layoffs -- staggered, leaving people in the lurch and in serious stress for months on end -- has wiped out much of the progress they've made under Satya.
tl;dr I'm not surprised by (a) Microsoft having breaches and (b) Microsoft not dealing with security issues in a timely manner.
Facebook had the same. First it was “nothing at facebook is somebody else’s problem”, but eventually it became “everything at Meta is somebody else’s problem”
Fascinating insight. This is not dissimilar from other megacorporations that become too bureaucratized over their lifetimes. When growing quickly, bureaucracy helps to organize people and hold a team accountable for their own mistakes. As time moves on, these different teams begin to act as independent entities who no longer successfully communicate or collaborate and the entire business becomes both fragile and ossified, hence that “not my problem” attitude.