It would help if there weren't all these employees and ex-employees stepping for...

tptacek · on June 13, 2024

I don't think anything is going to help here; it's just a message board fixity that companies like Microsoft are unserious about security.

bayindirh · on June 13, 2024

Same Microsoft got their master authentication secret stolen and they still don't know how that happened.

It's also turned out that it's impossible to revoke or cycle that secret. The whole issue is so hushed now, I don't know what happened at the end.

Same Microsoft one of their license golden keys on some installation media, too.

Even if they're serious about security, these events don't look good.

tptacek · on June 13, 2024

I don't know what "looks good" means. Every major tech company has had multiple bad things happen that would look very bad to people on message board.

bayindirh · on June 13, 2024

None of them got their two different, non-revocable master keys stolen, I may say.

pvg · on June 14, 2024

It's been a while now but at one point, just about every giant tech company simply make install'ed a key-material-leaking TLS bug on just about every endpoint they ran. The bug was introduced by, effectively, some guy on the internet. It implemented a feature statistically nobody was going to use.

It's trivial to re-frame all sorts of mishaps as evidence of unseriousness about security, especially if done selectively and in hindsight. It doesn't really tell you much of anything meaningful.

bayindirh · on June 15, 2024

I remember that incident.

I think there's a difference between compiling and installing a buggy software and developing the whole infrastructure yourself on top of the operating system that you solely develop and build.

But that's me.

sunshowers · on June 13, 2024

Microsoft isn't a single entity! Like any large corporation there are many teams and people doing great work, and they are many teams and people incentivized to downplay that work.