The President Ordered Board to Probe Massive Russian Cyberattack. It Never Did (propublica.org)
79 points by AftHurrahWinch on July 10, 2024 | hide | past | favorite | 19 comments


This is in regards to the SUNBURST malware delivered via SolarWinds' Orion platform. I like the Qualys blog for a detailed technical analysis: https://blog.qualys.com/vulnerabilities-threat-research/2021...


I think that was the entry point. But I think the ProPublica article wants more research into the weakness in Microsoft's default (at the time) Active Directory settings that allowed lateral movement, as described in

https://www.propublica.org/article/microsoft-solarwinds-gold...


Actually it's a rabbit hole to wander around in. But only if you know. IYKYK.


> The report triggered a House Homeland Security Committee hearing with Microsoft president Smith last month. Smith said the company was making security its top priority.

I've heard that one a few times from Microsoft over the years.


Wow, he didn't even say what security, so I'm going to assume financial security.


The scorpion assures the frog that it takes the issue of amphibians being stung to death very seriously.


> But for reasons that experts say remain unclear, that never happened.

It's very clear why. Don't think for a second this is accidental; it's way, way too high-profile for that.

It's damage control. Microsoft feels it's better for them to take the blame for not investing rather than exposing their awful or even sinister practices.

This is why "adverse inference" is a thing in court. If you destroy or refuse to produce evidence that the judge knows you have, the judge can rule based on what he thinks is in that evidence. That certainly won't be in your favour.


There's an alternative explanation. MSFT and the intelligence community were both aware of the flaw and keeping its existence. Unfortunately, it was weaponized against them (as can happen in these situations).

To be clear: I am speculating for the sake of discussion.


This discussion on federal disclosure requirements for zero-days is really interesting: https://jia.sipa.columbia.edu/news/us-government-and-zero-da...

"The policy also includes all vulnerabilities (hardware or software) that were “newly discovered and not publicly known,” regardless of whether they were discovered by the government or purchased on the grey markets, which sell to governments and other hacking groups. However, in a notable loophole, agencies did not have to submit vulnerabilities that were not “newly discovered.” That is, if the zero day was discovered prior to 2010, they could be retained with no subsequent review. Indeed, once a vulnerability went through the process and was retained there was no periodic review to see if the decision was still solid risk management. Also, this process would have excluded non-commercial vulnerabilities and probably those that were not made or used in the United States or by its allies. If the CIA or NSA were able to get their hands on a zero day in a Russian-made S-400 air defense missile system, they would not need DHS concurrence to keep it secret."

There are a few ways for feds to avoid disclosing zero-days they're aware of, but I don't think any of them apply in this instance. Maybe they have something equivalent to an ISOO notice to prevent news orgs from publishing classified information to prevent Microsoft, etc. from disclosing security vulnerabilities they're actively using?


If only this ad-hoc government board had done its job, China and Russia, two globally projecting military powers with double digit billion dollar CNE budgets, would never have been able to exploit software vulnerabilities in readily-available off-the-shelf commercial software.


It's no surprise Microsoft and Boeing get special treatment and never face scrutiny for their foul-ups that get people killed and harm America's security because PR and profits come first.


Security is an afterthought even for the White House. The more layers of management and bureaucracy you add to a decision chain, the less likely it will turn into action.


Speaking of sweeping things under the rug, it's really interesting how quickly this fell off the first page of HN. There wasn't even time for the comments to turn emo before poof...gone. Been noticing a lot of this lately. Pointless and useless stories with almost no comments will linger on the first page for half a day or more, but stories that matter are getting moderated away before they even elicit two digits of comments.


>Smith said the company was making security its top priority.

This is an outright lie and everyone knows it

Microsoft's actual top priority is growing market cap. More specifically, grow profitability relative to competitors in the sector, aka Apple, Meta etc...

If an increase in "security" (whatever that means) had a linear or directly positively correlated/causal relationship with profitability then they might actually do it

However we all know that security does not increase profitability - it's a cost center from the corporate CFO perspective because literally nobody is tracking "how many contracts did we lose because we didn't actually implement the best security"

The reality is that almost all IT security is theater because the foundational architecture and design of access control, IDAM, network monitoring and alerting, data collection, data segregation etc... all have easily exploitable holes and you only need to break one to bust the whole thing usually. MSFT builds in these holes often intentionally for NATSEC customers, so "security" is just a political ruse

That's why they play these games because almost nobody believes in IT security that also allows for functional and helpful tools - and if they were honest then everyone would be horrified.

At least I've never met anyone (outside of spooks) that takes it as seriously as ACTUALLY the top priority - because that would mean you have to design your stack for it.


[flagged]


AFU... they're the Armed Forces of Ukraine?

https://en.wikipedia.org/wiki/AFU

What fun new internet acronym is this?


all fucked up

shortened from snafu: https://en.m.wikipedia.org/wiki/SNAFU


This is always an idiotic response to issues of govt or corporate corruption.

First, no one cares that you "called it".

Second, these are specific details that are interesting and surprising whether they fit an overall pattern or not.

For example, I know Putin likes to kill civilians, but it's interesting when/how Putin actually does it and for what reason. It's not something to wave away with a "OK so Putin kills people, what's the news?"

Your comment isn't one that adds to discussion. It's just evidence that you misunderstand our interest in this story, you think we're clutching pearls, and you want to be smug about it.


> issues of govt or corporate corruption

There is a public sector version of the "broken windows" trope: pervasive incompetence and misfeasance serves as an enticement and breeding ground for actual grift and malfeasance.


The obvious reason not to do the probe is because they were ordered by someone else they hold more dear not to do that, or it was expedient to protect someone they hold more dear -- any arrests yet?

The UK's Russia dossier seemed to get buried by the then PM Alexander Boris de Pfeffel Johnson. Does the USA have Putin collaborators in high places too?



