The aftermath to the recent Microsoft Azure hack by suspected PRC actors.
What is the solution to this? Make sure cloud services are open source so they can be independently vetted? If government and corporate entities chose to use open source solutions, most are presented “as is” with no warranty.
Recently I was doing some Azure integration work, with OAuth, Teams and Outlook. At one point I noticed that logging in with a MS account causes my browser to do ~10 redirects between different services while downloading over 30 MB of Javascript and thought “Huh, this looks like decades of technical debt. Either MS devs are waaay smarter than me or this is a pile of garbage”. I guess both could be true.
They have no choice but to be smarter than us on account of the pile of garbage they’ve been given.
Or they simply hope, that the pile of garbage is smarter than the attackers.
I’ve done some contracts there and yeah, while they are incredibly smart, there’s so much bloated corpo overhead that they are restricted by red tape. I’m not surprised a simple login takes 30 redirects at all.
All their services are like that! Redirects for days. It’s an absolute gong show believe me. It’s way worse than the public knows.