[HN Gopher] Foreign hackers breached a US nuclear weapons plant ...
___________________________________________________________________
Foreign hackers breached a US nuclear weapons plant via SharePoint
flaws
Author : zdw
Score : 294 points
Date : 2025-10-21 15:51 UTC (7 hours ago)
(HTM) web link (www.csoonline.com)
(TXT) w3m dump (www.csoonline.com)
| gnabgib wrote:
| .. still 3 months ago _CVE-2025-53770_
|
| (809 points, 447 comments)
| https://news.ycombinator.com/item?id=44629710
|
| _US Nuclear Weapons Agency Breached in Microsoft SharePoint
| Hack_ (18 points) https://news.ycombinator.com/item?id=44654869
| reenorap wrote:
| There needs to be a law that all nuclear and nuclear-adjacent
| facilities have no connection to the Internet. The fact it's
| allowed is unbelievable.
| fujigawa wrote:
| It's believable when the industry has pivoted to pushing SaaS
| garbage in every place imaginable to the point that on-prem
| solutions don't exist anymore. Do you expect them to not use
| email either?
|
| Remember, the industry told us we're in a 'zero trust' world
| now. The network perimeter is an anachronism.
|
| OTOH you know damn well they keep the important stuff
| airgapped, in which case the title (and your predictable
| reaction) is just fanning the flames. It could very well be
| they 'breached' the receptionist's PC she uses to browse
| Facebook to pass the time.
| IAmBroom wrote:
| I have some sad news for you, about the realities of
| "airgapped security" IRL.
|
| It starts with military officers using the hallway
| photocopiers for secure documents, and ends with TS docs
| stored in a Florida hotel's restroom.
| tcoff91 wrote:
| Wasn't the internet literally created by the military for
| military comms? The decentralized routing was in part to ensure
| that comms could survive some areas being taken out by nuclear
| weapons.
| SoftTalker wrote:
| As the effect of yesterday's AWS event demonstrates, the
| major Amazon, Microsoft, and Google data centers are surely
| top tier targets in every adversary's war plans.
|
| The decentralized internet is less of a reality today than it
| was years ago.
| diggan wrote:
| Don't we have more internet submarine cables and less
| single points of failure in our internet infrastructure
| today than years ago? If so, shouldn't that make it easier
| to route around failures?
|
| The web though I agree isn't very decentralized.
| SoftTalker wrote:
| Maybe yes in that regard. But in the past, most
| organizations ran their own mail and web servers.
| Software supporting the business ran on-prem. Now they
| use Google or Azure or AWS. So business and civilian
| usage, at least, seem more vulnerable now.
| HippyTed wrote:
| We sacrificed resilience for efficiency. Now things are
| much more fragile and liable to exploitation.
| Root_Denied wrote:
| Considering that the AWS outage took out a lot of lines
| of communication (email, video, chat systems) for both
| commercial and government entities, I'd say that US-
| East-1 is a pretty big single point of failure. Even if
| it didn't result in infrastructure impact directly, if
| there was some kind of infrastructure issue and you had
| delayed or unavailable communications, how would you
| know? How quickly could a response be mounted? There's
| some parts of the infrastructure that could damage
| themselves irreparably in the time it would take to
| fix the outage or get comms routed through a backup
| channel - like parts of the electrical grid or water
| treatment plants.
|
| An attacker (read: nation-state actor) wouldn't even need
| to take down US-East-1, it could just take advantage of
| the outage.
|
| I assume (hope?) there's some kind of backup comms plan
| or infra in place for critical events, but I don't
| actually know.
| philipallstar wrote:
| The very very earliest form of some of the protocols involved
| it were, yes. But not really now at all. That "internet"
| would not be worth using.
| 1718627440 wrote:
| That's fine, when all the nodes run autonomously and the
| internet is only used for real information sharing. What we
| now have is that the nodes are display control servers and
| all the computation and storage happens externally. That is
| not how it was designed by the military.
| azalemeth wrote:
| While we're at it "and not use Microsoft products". Literally
| every time a story like this surfaces...
| dimitrios1 wrote:
| That's more of a form of survivorship bias. Microsoft
| continued to maintain its lockdown on government IT and
| infrastructure through the decades, over the alternatives.
| Razengan wrote:
| I don't think any Microsoft Surfaces were involved in this..
| BeetleB wrote:
| > While we're at it "and not use Microsoft products".
|
| I'm not sure if Oracle would be better.
| KaiserPro wrote:
| I mean there were also rules about non-sanctioned network
| connections in the pentagon, or using only sanctioned apps to
| discuss secrets, but thats not really been enforced recently.
| jayd16 wrote:
| You mean its a bad idea to slap a Starlink dish in the same
| building as the nuclear football?
| boringg wrote:
| Which breach was that again?
| JumpCrisscross wrote:
| > _needs to be a law that all nuclear and nuclear-adjacent
| facilities have no connection to the Internet_
|
| Why the special treatment for nuclear? Do you really think
| redlining a dam or storm-levee system would be less damaging?
|
| Also, turning off internet connections means less-capable
| remote shut-off. Less-responsive power plants. Fewer eyes
| on telemetry.
|
| We should be mindful of what is and isn't connected to the
| internet, and how it's firewalled and--if necessary--air
| gapped. That doesn't mean sprinting straight for the end zone.
| doublerabbit wrote:
| > Also, turning off internet connections means less-capable
| remote shut-off.
|
| Why does it have to be remote? What's wrong with it being in-
| house? Besides, a shut-off should never be able to be
| triggered remotely.
|
| The same goes for digital emergency shut off buttons; all
| should be physical.
|
| > Less-responsive power plants.
|
| What? How is remote any more responsive than physical workers
| being in-house?
|
| If power-plants operated efficiently back in the 50's without
| internet, they should be able to now without internet.
| JumpCrisscross wrote:
| > _Why does it have to be remote what's wrong with it
| being in-house?_
|
| Nothing _wrong_ with it being in house. But having a back-
| up is never bad.
|
| > _How is remote any more responsive than physical workers
| being in-house?_
|
| If the on-site workers are incapacitated. It's a remote
| (hehe) risk. But so is foreign hackers doing anything with
| our nukes.
|
| > _If power-plants operated efficiently back in the 50's
| without internet, they should be able to now without
| internet_
|
| If you're fine paying 50s power prices again, sure, I'm
| sure a power company would happily run their plants retro
| style.
| IAmBroom wrote:
| > But having a back-up is never bad.
|
| It is always an increase in risk, in a security sense.
| tehjoker wrote:
| good argument against having nukes
| HippyTed wrote:
| The one exception I can think of is remote shutdown in the
| face of a rapid natural disaster. Like how the Japanese
| train network is set to shut down rapidly when a high power
| quake is detected.
|
| But that is very geography dependent.
| ferguess_k wrote:
| I heard that once you put up a website on the public internet,
| it would immediately get attacked by all kinds of scanners or
| other worse things. Not sure if it's true as I'm not a web guy.
| SoftTalker wrote:
| Every public IPv4 address is port scanned multiple times a
| day.
| ta1243 wrote:
| Which really isn't a problem, unless you're being scanned
| so much your bandwidth is being overwhelmed. Certainly not
| the case for me, despite having port 80 and 443 open.
| tgv wrote:
| I have a server that has a slow (5s) response to unknown
| pages, returns it as 200, and makes the next failing
| request even slower (for unauthenticated users). That
| seems to keep the number of requests limited. Perhaps I
| should just drop the connection after a certain number of
| requests.
|
| BTW, quite a few of these port scanners are companies
| that offer to scan your ports for vulnerabilities. Temu
| pen testing, so to speak.
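One way to replicate the behaviour tgv describes (a slow 200 for unknown paths, getting slower on each further miss from the same unauthenticated client) is in the application itself rather than the firewall. The following is an added example and not tgv's code: it assumes a small fixed set of known routes, keys the miss counter on the client address, and all paths and addresses in it are constructed.

```python
"""Escalating-delay responses for unknown paths, in a tiny WSGI app.

Added example, not tgv's server: it assumes a fixed set of known routes
and tracks misses per client address. All paths and addresses are constructed.
"""
import time
from wsgiref.simple_server import make_server

KNOWN_PATHS = {"/", "/login", "/healthz"}  # constructed: the app's real routes
BASE_DELAY = 5.0      # seconds to stall the first miss, as in the comment
MAX_DELAY = 60.0      # cap so one client cannot pin a worker for minutes
FORGET_AFTER = 600.0  # seconds of quiet after which a client's misses reset


class Tarpit:
    """Per-client miss counter that doubles the stall on every further miss."""

    def __init__(self, base=BASE_DELAY, cap=MAX_DELAY, forget=FORGET_AFTER,
                 clock=time.monotonic):
        self.base, self.cap, self.forget, self.clock = base, cap, forget, clock
        self.misses = {}  # client -> (miss count, time of last miss)

    def delay_for(self, client):
        """Record a miss for `client` and return the stall, in seconds."""
        now = self.clock()
        count, last = self.misses.get(client, (0, now))
        if now - last > self.forget:
            count = 0  # old history expired; start the escalation over
        count += 1
        self.misses[client] = (count, now)
        return min(self.base * 2 ** (count - 1), self.cap)


def make_app(tarpit, sleep=time.sleep, is_authenticated=lambda environ: False):
    """Build a WSGI app; `is_authenticated` is a hook for the real session check."""

    def app(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        client = environ.get("REMOTE_ADDR", "unknown")
        if path not in KNOWN_PATHS and not is_authenticated(environ):
            # Unknown path from an anonymous client: stall, then answer 200 with
            # a bland body so the scanner learns nothing from the status code.
            sleep(tarpit.delay_for(client))
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok\n"]

    return app


if __name__ == "__main__":
    # Constructed local address; known routes would dispatch to real handlers.
    make_server("127.0.0.1", 8080, make_app(Tarpit())).serve_forever()
```

The stall happens inside the request worker, so this only makes sense behind a threaded or async server with a worker limit (and ideally a connection-rate limit at the proxy or firewall in front); otherwise the tarpit itself becomes the cheapest way for a scanner to exhaust your workers. Dropping the connection after a miss threshold, as tgv considers, is the same counter feeding a firewall rule instead of a sleep.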
| eks391 wrote:
| Do you configure this in your firewall? How can I
| replicate this?
| pdntspa wrote:
| Watching my website's firewall and ssh logs show all the
| various hacking attempts is calming in the same way that
| watching waves crash on to the shore is.
| diggan wrote:
| More like looking at a thin net preventing mosquitoes from
| biting your skin, as there is some intention behind it,
| not just physics.
| 1718627440 wrote:
| Per day? Per minute or second.
| pdntspa wrote:
| Back in the day, I made the mistake of hooking up a fresh
| Windows XP (at least I think it was; pre-SP2) install
| directly to the internet. There was no firewall or NAT to
| protect me. The machine got pwned almost immediately.
| rtldg wrote:
| All IPv4 addresses, domains (maybe more so for recently-
| registered ones), and subdomains from Certificate
| Transparency Logs (for HTTPS certs) are all constantly
| checked and poked.
| aerostable_slug wrote:
| IIRC Carnegie Mellon did a study years ago which showed that
| you could not unbox a new Windows machine, connect it
| "directly" to the Internet, and get it fully patched before
| it was pwned.
| 1970-01-01 wrote:
| Wasn't it literally designed for that specific task? As a
| robust C&C system during nuclear war? The fact that we're doing
| it wrong doesn't mean we need to pull the plug on everything.
| How else do you survive WWIII?
|
| https://ieeexplore.ieee.org/document/5432117
| groby_b wrote:
| You don't. Internet or not.
| 1718627440 wrote:
| That only works, if the nodes still operate just fine,
| without the Internet.
| hypeatei wrote:
| > needs to be a law that all nuclear and nuclear-adjacent
| facilities have no connection to the Internet
|
| You want to make _everything_ about a nuclear facility bespoke
| and subject to air-gapped drift? What about the guard booth
| that verifies people's access, the receptionist who schedules
| meetings, and the janitor who wants to watch YouTube on his
| break? It seems unrealistic to lump _everything_ that goes on
| at a nuclear facility under this umbrella.
| reenorap wrote:
| Opening up the internet to a nuclear facility so that the
| janitor can watch Youtube seems preposterous. People can
| afford to do things slower for the sake of security. Having
| things typed out, verifying security via phone calls, etc
| like it's the 1970s seems reasonable to me. Does it really
| matter if things aren't fully optimized for speed and
| convenience in nuclear facilities?
| hypeatei wrote:
| > really matter if things aren't fully optimized for speed
| and convenience in nuclear facilities
|
| For hiring and retaining people, yes. It's understood that
| the "guts" of what's happening at these facilities needs to
| be locked down to the max. But, for supporting roles you
| need to be able to bring people in off the street without
| 1) a bunch of specialized training on your bespoke way of
| doing things, and 2) making your employees less attractive
| on the job market.
|
| Just my opinion, though. Maybe I'm completely off base but
| it doesn't seem like a good idea to me long-term.
| aerostable_slug wrote:
| IRL the way we do it is separating the business network
| (Youtube, finance people, HR, etc.) from the operational
| network (relays and sensors). You use data diodes to send
| business-critical data from the operational network to the
| business network.
|
| Also, the Kansas City Plant is like a watchmaker's factory,
| not a power plant. They make widgets and gewgaws, not
| literally split atoms.
| 0_____0 wrote:
| Being airgapped didn't help Iran avoid Stuxnet.
| sgjohnson wrote:
| That also had a HUMINT element.
| aspenmayer wrote:
| It's possible that the (un)timely demise of the individual
| involved also had a HUMINT element as well.
|
| https://en.wikipedia.org/wiki/Operation_Olympic_Games#Histo
| r...
|
| > Dutch engineer Erik van Sabben allegedly infiltrated the
| Natanz nuclear facility on behalf of Dutch intelligence and
| installed equipment infected with Stuxnet. He died two
| weeks after the Stuxnet attack at age 36 in an apparent
| single-vehicle motorcycle accident in Dubai.
|
| https://en.wikipedia.org/wiki/Erik_van_Sabben
| bell-cot wrote:
| No, but it made the attacker's job 10000X more difficult.
| the_af wrote:
| Defense in depth is still valuable.
| aspenmayer wrote:
| To be fair, it didn't help the rest of us avoid Stuxnet,
| either.
|
| https://en.wikipedia.org/wiki/Operation_Olympic_Games#Histor.
| ..
|
| > A programming error later caused the worm to spread to
| computers outside of Natanz. When an engineer "left Natanz
| and connected [his] computer to the Internet, the American-
| and Israeli-made bug failed to recognize that its environment
| had changed." The code replicated on the Internet and was
| subsequently exposed for public dissemination. IT security
| firms Symantec and Kaspersky Lab have since examined Stuxnet.
| It is unclear whether the United States or Israel introduced
| the programming error.
|
| Also bearing mention is Flame, which is often left out when
| Stuxnet comes up, but which was allegedly part of the wider
| operation.
|
| https://en.wikipedia.org/wiki/Operation_Olympic_Games#Signif.
| ..
|
| > The Washington Post reported that Flame malware was also
| part of Olympic Games.
|
| https://www.washingtonpost.com/world/national-security/us-
| is... | https://web.archive.org/web/20220322045917/https://ww
| w.washi... | https://archive.is/6hRl7
|
| > "We are now 100 percent sure that the Stuxnet and Flame
| groups worked together," said Roel Schouwenberg, a Boston-
| based senior researcher with Kaspersky Lab.
|
| > The firm also determined that the Flame malware predates
| Stuxnet. "It looks like the Flame platform was used as a
| kickstarter of sorts to get the Stuxnet project going,"
| Schouwenberg said.
|
| https://en.wikipedia.org/wiki/Flame_(malware)
| apstls wrote:
| There is likely a small number of people who could
| collectively list out the events it _did_ help Iran avoid.
| wslh wrote:
| Microsoft could have been sold this with a special "nuclear
| license".
| porridgeraisin wrote:
| Fine, keep it on the internet. But _SharePoint_, seriously? A
| 15 year old version of nginx pointed to the ~/.ssh folder is
| more secure.
| bink wrote:
| From the article:
|
| > OT cybersecurity specialists interviewed by CSO say that
| KCNSC's production systems are likely air-gapped or otherwise
| isolated from corporate IT networks, significantly reducing the
| risk of direct crossover. Nevertheless, they caution against
| assuming such isolation guarantees safety.
|
| This was also not a nuclear facility, however. The article says
| it makes "non-nuclear components".
|
| In my experience auditing critical infrastructure, most
| facilities are "air gapped". I put that in quotes because while
| you can't browse the Internet from the control network(s),
| there are ways to exfiltrate data. The managers, engineers,
| regulators, and vendors need to know what is going on in real-
| time. Back in the day this could've been a serial port
| connecting two systems for a one-way feed. Now I imagine it's
| something far more sophisticated and probably more susceptible
| to abuse.
|
| As an example, you might have a collection of turbines
| manufactured by GE and GE needs to have real-time data coming
| from them for safety monitoring and maintenance. The turbines
| might have one connection for control traffic and another for
| monitoring. How to secure these vendor connections was always a
| debate.
|
| Btw, there are strong cybersecurity regulations around critical
| infrastructure. CIP-005-07 covers security perimeters. You can
| view them here:
| https://www.nerc.com/pa/Stand/Reliability%20Standards%20Comp...
| Veserv wrote:
| Ah yes, "_likely_ air-gapped", what a high-confidence
| statement. Any competently designed air-gap must be precisely
| auditable and demonstrably, positively air-gapped.
|
| The only world where "likely" is a reasonable word is in
| reference to possible physical taps or a precise enumeration
| of physical access points that went unaudited, but have
| reliably followed safe access control/configuration
| procedures. Anything else is plain incompetence.
| nathanmcrae wrote:
| How do you go about positively demonstrating such a system
| is air-gapped?
| fintler wrote:
| Speaking from past experience with the DoE (I'm happy I
| don't need to deal with security like this anymore),
| there were constant and randomized checks to make sure
| fiber cables (they were all fiber to make it harder to
| tamper with and to avoid accidental RF) were fully
| visible (e.g. not hidden under a desk or something) and
| not tampered with. Also, lots of locks and doors, both
| electrical and mechanical. The guy at the front desk with
| a big gun probably helped too.
| fintler wrote:
| They have multiple networks. One of them is definitely
| airgapped (red for RD). The medium security one is
| protected by annoyingly strict network ACLs (yellow for
| ITAR). Then there's a low security one for stuff like
| sharepoint (green).
|
| This article is full of nonsense and speculation.
| Veserv wrote:
| The standard you linked literally talks about: "High
| Impact BES Cyber Systems with External Routable
| Connectivity" and "Remote Access Management" for "High
| Impact BES Cyber Systems". That explicitly indicates non-
| airgapped critical systems. Furthermore, the prescribed
| auditing specifically spells out "network diagrams or
| architecture documents" as good evidence. Obviously, that
| is a high level document, but I see nothing to indicate
| robustness against state-level actors which are an
| expected threat.
| philipallstar wrote:
| > Anything else is plain incompetence.
|
| It's an answer from talking heads, not from people from the
| facility.
| jcrawfordor wrote:
| KCNSC is a large organization that will have hundreds of
| distinct networks at different risk and control levels.
| Every variation of "public internet" to "single-site air-
| gapped network" probably exists there, including many
| levels in between like multi-site secure networks and
| networks with limited internet connectivity. Many networks
| are airgapped; this sometimes means that they consist of a
| small number of assets in a single room, and it sometimes
| means that they have connectivity to airgapped enclaves of
| AWS and hundreds of other military, government, and
| contractor sites. All of these controls will have been
| determined by a combination of risk scoring, compliance
| policies, legal requirements, office politics, and
| happenstance. Multiple contracting authorities will
| periodically audit many of these networks against various
| standards, which may or may not allow connectivity to
| specific other networks depending on risk levels.
| Connectivity between networks is sometimes controlled by
| NSA accredited cross-domain solutions and multi-level
| security systems that enforce complex policy, in other
| cases it's controlled by an administrative assistant with a
| DVD burner. There will be case-by-case risk analysis
| decisions made for specific systems, ultimately signed off
| by a government official who may or may not have read them.
| Inevitably some of these will appear reasonable and
| cautious in retrospect and others will not.
|
| The root fault with this article, and the resulting
| discussion, is the extent to which it generalizes over one
| of the larger organizations in a very complex part of the
| defense industrial complex. Many parts of KCNSC's
| operations are absolutely not exposed by this incident.
| Other parts absolutely are. Determining which fall into
| which category, and to what extent that is acceptable,
| keeps quite a few people employed.
| dylan604 wrote:
| It is funny to read this kind of comment knowing at the same
| time this kind of stuff was happening while the launch codes
| were 0000000 or some such non-secure code. At the same time, the
| computers in the nuclear launch facilities were still using
| 5.25" floppies. I did wonder how often they were loading
| updates from those, if ever.
| HippyTed wrote:
| Just wait until these places get flooded with vibe coded stuff
| of which even those deploying it have little understanding. What
| could go wrong!?
|
| Sleep well.
| ubermonkey wrote:
| A flaw? In Sharepoint?
|
| I'm shocked. Shocked, I tell you.
| synapsomorphy wrote:
| Sharepoint is one of the worst, most bug-ridden pieces of software I've
| worked with.
|
| It has a bug with Solidworks (3D design suite) that sporadically
| makes files completely un-openable unless you go in and change
| some metadata. They are aware of this, doesn't seem to be any
| limitation preventing them from fixing it, and it has sat unfixed
| for years.
|
| Microsoft's cloud storage as a whole is an insane tangle where
| you never know where you'll find something you're looking for or
| whether it will work. Some things work only in browser, some only
| in the app, zero enumeration of these things anywhere.
|
| Completely unsurprised and I'm sure there are many more
| vulnerabilities ripe for the picking.
| bArray wrote:
| Microsoft Word online deletes text in Firefox Linux (maybe
| others too) for at least two years now [1]. The one thing you
| want a text editor to do is be able to write text into a
| document, and somehow this bug goes unfixed. You would think it
| would be priority #1 for paying customers of Business Office
| 365 - and yet nothing.
|
| It ended up being easier just to switch to paid Overleaf and
| teach our non-tech members how to write LaTeX and/or use the
| built-in editor. The documents are beautiful, Overleaf doesn't
| miss a beat and we are very happy with their solution.
|
| Microsoft should be ashamed - I don't know how _anybody_ would
| ever consider using them for any serious production work.
|
| [1] https://learn.microsoft.com/en-
| us/answers/questions/5216132/...
| rs186 wrote:
| Not defending Microsoft in any way but my guess of what's
| happening:
|
| * Too few people use Firefox to access Office online, they
| don't care
|
| * Your organization is too small for them to care
| bee_rider wrote:
| Firefox is the only browser other than Chrome (and
| derivatives) on their OS. The web is supposed to be multi-
| platform. I guess it isn't that surprising that modern MS
| is happy to just live in Google's ecosystem though.
| luckylion wrote:
| if they will lose data when you're on a rarely used
| browser, can you really trust them not to lose data in
| general?
|
| "yes, your car exploded, but you were driving on a dirt
| drive way. it works just fine on the highway"
| jmm5 wrote:
| I am a social worker and SharePoint is unfortunately widely
| used by nonprofit agencies for storing client records. It's a
| real shame, but they can't afford anything better.
| nairboon wrote:
| That bug has been around for years. I always wondered if that
| was deliberate. I guess that Microsoft support answer settles
| the question...
|
| >Sorry for that we may have no enough resources about the
| Linux environment.
| VladVladikoff wrote:
| Every time I need to touch anything made by Microsoft lately I
| am met with multiple levels of glitchiness and straight up bugs,
| and most frustratingly it's so excruciatingly slow.
|
| Recently I tried to configure a new subdomain to handle mail on
| 365 and even finding their DKIM configuration section was a
| mission. Once finding it, I learned that their DNS check fails
| to properly handle subdomains for email, so you have to put
| their DKIM keys against your root domain. Genius!
| curvaturearth wrote:
| But wait! 35% of Microsoft's code is now written by AI so
| surely it will get better
| aidos wrote:
| We sync content to MS hosted Sharepoint using rsync. When the
| file arrives, they change the internal metadata inside the
| file, which changes the checksum, which causes rsync to think
| the content is different and needs syncing again.
|
| Edit to say: this is for MS files like Excel docs
| elygre wrote:
| Is that a supported method?
| crmd wrote:
| Supported by who? Microsoft?
|
| If a file server breaks basic Unix tools it should be
| unplugged and put in the garbage.
| soupfordummies wrote:
| It's such a critical backbone to so many of their services but
| they treat it like a forgotten stepchild for the most part
| throwforfeds wrote:
| I'm working on a gov contract right now and they're forcing
| everyone to migrate off of Slack and into Teams. I somehow have
| managed to avoid MS corporate products for the better part of
| two decades. People's tolerance to UX pain seems to be
| boundless in corporate/fed worlds.
| ThinkBeat wrote:
| How large are the files?
| synapsomorphy wrote:
| Kilobytes or single digit megabytes. It happens because
| Sharepoint sporadically alters created/edited metadata for
| any (?) file it stores. Most programs don't care about that
| but Solidworks does.
| downrightmike wrote:
| Developed and maintained in China by Chinese nationals, with
| non-technical escorts overseeing their work.
| eterm wrote:
| They've managed to mess up sharepoint even worse lately.
|
| I went there to try to find where company meetings got recorded
| to.
|
| I went to my sharepoint bookmark, which weirdly is
| www.office.com after some previous nightmare rebrand.
|
| Except what used to be the way into your sharepoint files, is
| now just a full page copilot screen with no hint of where the
| fuck your files are.
|
| Even though you've been visiting this bookmark for years, to
| get to your sharepoint files.
|
| Ok, so you search bing sign into sharepoint.
|
| Top result is office.com . You ignore it.
|
| Next result is:
|
| https://support.microsoft.com/en-gb/office/sign-in-to-sharep...
|
| This links you to https://m365.cloud.microsoft/
|
| Ok great. Nope! Redirects you back to copilot.
|
| I do NOT want to ask copilot to dig out my files every time you
| want a file. I want to get back to the directory listing so I
| can find the directory listing to find the company meeting
| recording.
|
| How does MS not understand that replacing all UX with copilot
| is not an improvement, and is not helping sell copilot.
| OutOfHere wrote:
| Whoever puts a nuclear fission facility on the internet should be
| put behind bars.
| zelphirkalt wrote:
| Hahaha, how stupid must anyone be to deploy SharePoint anywhere
| near anything of national security relevance! How can it still be
| a thing, that anyone entrusted with such sensitive matter dares
| to even touch MS products of the kind of SharePoint? That
| includes the complete MS Office 365 disaster suite, MS Teams and
| Edge.
|
| Sounds like they need to seriously redesign their security
| policies.
| givemeethekeys wrote:
| But, look at everything we get for free! /s
| count wrote:
| I have some reaallllly bad news for you on that front.
| belter wrote:
| Wait until you hear about the guy storing Top Secret Nuclear
| documents in the public toilet of his resort....
| timeon wrote:
| Or the one that invites journalist to Signal group during
| combat mission.
| belter wrote:
| Down voting like it never happened... https://upload.wikimedi
| a.org/wikipedia/commons/5/52/Classifi...
| bcrosby95 wrote:
| In general you'll get downvoted if you're talking about any
| politician or political party. You are allowed to shit on
| (or advocate for) the government doing stuff tho.
| jahewson wrote:
| What would you recommend instead?
| baobun wrote:
| For security-critical or sensitive situations, auditability
| should be a requirement. That implies access to source code
| and capability to build it.
|
| Decisions like these need to be done from first principles.
| SharePoint shouldn't even have been a contender here if
| looked at seriously. Do your own homework.
| LoganDark wrote:
| Doesn't Microsoft have government programs that grant
| source code access for products like Windows and (probably)
| SharePoint?
| bhewes wrote:
| As a company that supports OT systems we hate seeing level 5 in
| the Purdue model with direct write access to level 1 and 0.
| cj wrote:
| Link describing the acronyms in the above comment:
|
| https://www.paloaltonetworks.com/cyberpedia/what-is-the-purd...
| bhewes wrote:
| Thanks CJ, I live with that chart, but forget maybe most
| don't. And to add, 4 to level 2-0 can also be an attack
| vector, but seeing straight 5 to 1-0 happens more than people
| want to admit, even with the "firewalls".
| photochemsyn wrote:
| The timeline here is interesting. Microsoft releases info and
| instructions for mitigation on July 19, and a more complete
| report on July 22nd, here's a copy of that:
|
| https://archive.ph/plNZU
|
| Then according to this report, 'sometime in August' the exploit
| is used against the Honeywell-managed nuclear facility, since it
| wasn't patched, if I read correctly? So it really could have been
| anyone, and it's hardly just Russia and China who have a record
| of conducting nuclear espionage in the USA using their nation-
| state cybercapabilities (Israel?). As the article notes:
|
| > "The transition from zero-day to N-day status, they say, opened
| a window for secondary actors to exploit systems that had not yet
| applied the patches."
|
| Also this sounds like basically everything that goes into modern
| nuclear weapons, including the design blueprints. Incredible
| levels of incompetence here.
|
| > "Located in Missouri, the KCNSC manufactures non-nuclear
| mechanical, electronic, and engineered material components used
| in US nuclear defense systems."
| AJRF wrote:
| Does this kind of thing happen to China + Russia?
|
| I don't see news about that much - but to be fair, I am not
| looking for it.
| enkonta wrote:
| They may also be less likely to admit it or allow any reporting
| on it
| ThinkBeat wrote:
| Yes, but it doesn't get covered by western media, much like how
| NATO airplanes violating Russian airspace is not reported about
| either.
| tryauuum wrote:
| Yes, recently some russian airline was hacked, they also used
| microsoft mail servers
| nakamoto_damacy wrote:
| Microsoft is a national security threat but no one cares because
| they automate genocide.
| mrguyorama wrote:
| When I try to access sharepoint files in my browser, the site
| goes through 37 redirects (thanks single sign on) shows all the
| files, then despite me very obviously being fully authenticated,
| it pops up a modal that says "sign in to see files", and I click
| "Cancel" and then I get to actually interact with the files.
|
| What?
|
| Gee, who would have guessed this isn't secure.
| darepublic wrote:
| That guy who jumped the office chair will be the end of us all
| zkmon wrote:
| The jump was amazing though! At his age.
| stackskipton wrote:
| As usual with all these types of posts, people go "HA HA,
| MICRO$OFT SUCKS" without understanding business practices that
| keep them afloat.
|
| Don't use Exchange? Cool, what should we use instead? Does it
| support 15 people all the way up to 150000 people? I used to run
| Exchange cluster for 70k people, is there other mail software out
| there complete with non-shared disk redundancy? Where the users
| connect to single endpoint and software figures it out from
| there?
|
| Sharepoint with another 2 RCEs. Not shocked, the software is
| terrible. However, it's only software that will stand up under
| load and let us shard it easily. All open-source software is one
| of those, runs fine in Homelab, likely falls down under load. Few
| Open Source Developers want to work on this stuff which I get
| because it's tedious work interfacing with computer illiterate
| end users. I'd rather chug sewage than do this work for free.
|
| Finally, it's somewhat backwards compatible. Most businesses are
| filled with ancient software that no one has worked on in 20
| years. That Excel document with Macros from 1997. With some
| registry changes degrading security posture, still works. I doubt
| you will find Office software with level of backwards
| compatibility unless they are using Microsoft Office level of
| compatibility.
|
| Microsoft has real gordian knot here and few solutions besides
| "Backwards compatibility is OVER. Upgrade to modern or GTFO".
| Meanwhile, I get hit up by $ThreeJobsAgo over some Exchange Web
| Services solution I slapped together for them in Python they
| wanted me to upgrade to GraphAPI since Microsoft turned off
| Exchange Web Services in Office365.
| bad_haircut72 wrote:
| I mean this is nuclear weapons we're talking about, who cares
| about features vs security? They could run the department on
| snail mail if they tried
| nerdponx wrote:
| > Few Open Source Developers want to work on this stuff which I
| get because it's tedious work interfacing with computer
| illiterate end users. I'd rather chug sewage than do this work
| for free.
|
| Or the government could pay people to work on said open source
| software, providing a benefit to the public along the way. The
| US government started something like this called "18F" under
| the Obama administration. It was so effective at making
| software that was useful to the American public that Trump
| promptly shut it down 2 months into his second term, in no
| small part because they had the temerity to develop free-to-use
| tax filing software.
|
| See
|
| https://handbook.tts.gsa.gov/18f/history-and-values/
| https://web.archive.org/web/20250000000000*/https://handbook...
| https://archive.is/CIXG1
|
| and
|
| https://www.lawfaremedia.org/article/learning-from-the-legac...
| https://web.archive.org/web/20250000000000*/https://www.lawf...
| https://archive.is/fmaf6
| BeetleB wrote:
| How oh how did these nuclear weapons facilities manage to
| function in the days before Exchange and Sharepoint?
| stackskipton wrote:
| Just like everyone else before invention of Email and
| Document sharing? However, like every other business, no one
| is willing to slow down velocity for security reasons so now
| we are here. Unless you have a fix for "Line must go up",
| market pressures will always cause this.
| awesome_dude wrote:
| Um, email was invented, like in the last millennium, well
| before Microsoft was a thing (only slightly sarky)
| dlgeek wrote:
| Microsoft was a thing before email.
|
| Microsoft was founded in 1975. The standard for SMTP
| wasn't published until 1981. Most early predecessors were
| the late 70s.
| awesome_dude wrote:
| https://en.wikipedia.org/wiki/History_of_email
|
| In 1971 Ray Tomlinson sent the first mail message between
| two computers on the ARPANET, introducing the now-
| familiar address syntax with the '@' symbol designating
| the user's system address.[2][3][4][5] Over a series of
| RFCs, conventions were refined for sending mail messages
| over the File Transfer Protocol. Several other email
| networks developed in the 1970s and expanded
| subsequently.
|
| Proprietary electronic mail systems began to emerge in
| the 1970s and early 1980s. IBM developed a primitive in-
| house solution for office automation over the period
| 1970-1972, and replaced it with OFS (Office System),
| providing mail transfer between individuals, in 1974.
| BeetleB wrote:
| > market pressures will always cause this.
|
| Market pressures dominate nuclear weapons development?
| stackskipton wrote:
| Sure, all the "Let's run government like a business"
| types. Cut IT budget and outsource to contractors who
| want maximum profit.
| wombatpm wrote:
| Novell or Lotus Notes
| necovek wrote:
| I see you build a case for traditional MS product in Exchange,
| yet this issue is about Sharepoint.
|
| Just like with Windows, Microsoft has built a moat with
| Exchange, but the question is why do all the companies buy into
| their _full_ ecosystem, especially for anything relating to web
| technologies (you even bring up Exchange Web Services), because
| this they do really badly, and Sharepoint seems to be the
| worst.
|
| However, I am certain there are big Postfix/Dovecot
| installations scaling easily to 150k people, but we probably
| wouldn't know about them. Eg. here a couple of accounts of
| people doing that:
| https://www.reddit.com/r/linuxadmin/comments/32fq67/how_woul...
| elevation wrote:
| Not sure the total number, but a university near me serves
| 50K active students and hundreds of thousands of alums with
| Postfix/Dovecot.
| inopinatus wrote:
| I was running millions of accounts using Postfix/Dovecot on
| shared-nothing storage with a single MUA-facing endpoint and
| complex policy options, and that was over a decade ago.
|
| Fastmail today would be much bigger again, and they're on CMU
| Cyrus.
|
| 150k is rookie numbers. Perhaps that was meant ironically to
| satirise mediocre enterprise thinking?
| Spooky23 wrote:
| Cool. I did that with qmail in 1998 on a couple of Ultra
| 5s.
|
| Try managing a calendar or booking resources.
| inopinatus wrote:
| Integrated CalDAV is also available. Not in qmail,
| however. The patch for that would be large.
| stackskipton wrote:
| I used Exchange because it was what I was most familiar with.
| SharePoint operates in a similar manner with all the sharding
| (though the backend is still MSSQL with its sharding last I
| checked)
|
| Sure, PostFix/DoveCot will scale if you are doing just email.
| Once you add GroupWare requirements, PostFix/Dovecot are no
| longer in same boat.
| MisterTea wrote:
| > but the question is why do all the companies buy into their
| full ecosystem,
|
| An old manager I had once told me: "I wish Microsoft made all the
| software in the world because it works so well together!" He
| was the guy who bought our company a one-way ticket to O365.
| He was also woefully tech ignorant and could barely drive
| software outside of office programs.
| Staniel wrote:
| Why is this comment glowing? \s
| vlovich123 wrote:
| You can use hosted versions of Google Workplace or Office365 if
| you can't figure out how to secure software (places like this
| typically can't clearly). Additionally it enforces a separation
| of concerns where a compromise of your email server doesn't
| lead to a compromise of the plant itself (again - clearly IT
| didn't know how to partition the network into different parts).
| stackskipton wrote:
| Sure, this business should have converted to either of those
| and let someone else take over administration since they were
| clearly negligent. This is stuff that FedRAMP or its
| replacement was supposed to fix but didn't.
| vlovich123 wrote:
| FedRAMP is only for hosted software for the federal
| government afaik, not on-prem and not private companies
| (nuclear reactors afaik are operated by grids/private
| operators and the federal gov is responsible for auditing
| and regulating)
| elevation wrote:
| How many organizations on the planet require their Exchange
| server to support 150k users? I doubt most manufacturing plants
| fall into this category.
| stackskipton wrote:
| They don't but whole point is massive Enterprises use the
| software, people get accustomed to it and want it in their
| smaller business. So, Microsoft Small Business Server is
| developed until O365 came along.
| dudeinjapan wrote:
| Sharepoint is enterprisey and all but how about "less
| software/surface area is more" when it comes to nuclear silos?
| MikeNotThePope wrote:
| Reminds me of https://howfuckedismydatabase.com/mssql/.
| crmd wrote:
| One of the first things I do after getting an inquiry from a
| recruiter or friend referral is look up the MX record for the
| company's email domain. It is an anonymous one-command check to
| see if they're a Microsoft shop.
|
| If they are, it's an enormous personal red flag. MSFT is very
| popular so I'm only speaking about my own experience, but I have
| learned over the course of 20 years that an MSFT IT stack is
| highly correlated with me hating the engineering culture of an
| organization.
|
| I know I am excluding a lot of companies with great engineering
| culture where I would thrive and who just happen to use
| Outlook/Sharepoint/Teams, etc. but it has had such better
| predictive power of rotten tech culture than any line of
| questioning I have come up with during interviews that I still
| use it.
|
| I don't mean any disrespect to MSFT-centric engineers out there -
| it's not you it's me.
| unethical_ban wrote:
| Companies that don't use Outlook? All five of them?
|
| I've seen companies with varying levels of MS product
| integration but Outlook is pretty foundational.
|
| Now, if a company says they use SharePoint or Teams to store
| their documentation, run to the hills. Wikis or bust.
| nneonneo wrote:
| God, Teams is absolutely miserable. Video calling on Teams
| makes you appreciate just how well Zoom works.
|
| Teams macOS client? Crashes on startup, even after clearing
| all of my user data.
|
| Teams iOS client? You can join a call by a link, but you
| can't see the call UI because it's behind the login window.
|
| Teams on Firefox? No video support for _years_ , and most
| recently just glitches out and shows an empty page when
| trying to join.
|
| Teams on Chrome? Tried joining a meeting, and was told by the
| organizers that they couldn't admit me because the button
| wasn't doing anything.
|
| I've had all four of these things happen _within the last
| month_ , and it's made me want to tear my hair out. I get
| that none of these are "Microsoft Edge/native Windows
| client", but they could at least pretend to care about other
| platforms...
| sigmoid10 wrote:
| Over the years I have used teams on Windows, Mac, iOS,
| Android and various Linux distros (where I was limited to
| Chrome and Firefox due to lack of an official client).
| While it is certainly not the greatest tool in the world, I
| have never encountered issues like these.
| thomasjudge wrote:
| The Teams mac client is so awful I completely gave up on it
| Spooky23 wrote:
| You're probably doing something cute with your network
| filtering or EDR.
| lenerdenator wrote:
| > Now, if a company says they use SharePoint or Teams to
| store their documentation, run to the hills. Wikis or bust.
|
| It's never just Teams or SharePoint or a wiki. It's almost
| always some abomination created by putting various bits of
| knowledge on all three. Also, corporate wikis suck because
| how your team classifies data is almost invariably different
| from how someone else wants to see it.
|
| SharePoint, for all of its flaws, typically gets used by the
| major announcement-and-policy makers at a company, because
| they just want to use MS stuff (primarily out of ignorance of
| alternatives), so at least it's _somewhat_ coherent for
| everyone in the company.
| _whiteCaps_ wrote:
| Wild to see the different experiences here. I haven't worked
| for a company that uses Outlook in 20+ years.
|
| Recently it's all been gmail/google workspaces.
| frumplestlatz wrote:
| Similar experience; I haven't had to use Outlook since the
| late 90s, and even then only for about a year.
|
| Every company I worked for before or since just used IMAP.
| AlotOfReading wrote:
| This varies widely by niche. _My_ experience is that a solid
| majority of West Coast tech companies / startups use Gmail
| or other non-MS hosted solutions. Outlook or MS365 are a good
| indicator that the codebase may be older than some of the
| people writing it.
| FreakLegion wrote:
| Silicon Valley in particular uses Google Workspace at a
| much higher rate than the rest of the world. If you count
| every one- or two-person startup as a company, Google
| probably does have a solid majority. If you count
| mailboxes, Microsoft still easily wins.
|
| Note that MX records are misleading here. They have no
| false positives, but are full of false negatives --- daisy-
| chaining MTAs is common, and since Microsoft owns the
| mailbox, it's invariably last in the chain. So the MX
| record will show something like Proofpoint (pphosted) or
| Mimecast or an internal company host, when really it's
| Microsoft in the end.
| esseph wrote:
| I've been at quite a few places that wouldn't touch the MS
| ecosystem with a twenty-foot pole, and history has proven
| that to be a wise decision on their part. It certainly has
| not cost them any business.
| NeutralCrane wrote:
| I've worked for six companies and only one of them uses
| Outlook. I think there is some availability bias by industry
| or job type. I know there are lots of companies that use
| Outlook, but you may be overestimating how many do,
| particularly among the companies more likely to be
| represented here (tech and/or startups).
| unethical_ban wrote:
| I tend to work at banks, multinationals and power.
|
| My direct employer uses GSuite (and Google docs as a source
| of record is as bad as a 2000s file share)
| bdangubic wrote:
| Large enterprises (1000+ employees): probably 70-80%+
|
| Mid-sized businesses (100-1000 employees): around 60-70%
|
| Small businesses: more variable, maybe 40-60%
|
| _this reply was written by "AI"_ :)
| pandemic_region wrote:
| How can you see from the MX record if it is Microsoft?
| janderson215 wrote:
| mxtoolbox.com
| adamcblodgett wrote:
| I love this tool so much. It makes so many difficult things
| easy, and it does it cheaply or free in almost every
| instance.
| kyrra wrote:
| The "dig" command can get them for you
|
| $ dig ycombinator.com mx
|
| ;; ANSWER SECTION:
| ycombinator.com. 300 IN MX 20 alt1.aspmx.l.google.com.
| ycombinator.com. 300 IN MX 10 aspmx.l.google.com.
| ycombinator.com. 300 IN MX 20 alt2.aspmx.l.google.com.
| ycombinator.com. 300 IN MX 30 aspmx4.googlemail.com.
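The MX check crmd describes, with the caveat FreakLegion raises downthread (a daisy-chained relay such as Proofpoint or Mimecast hides the real mailbox host), as an added example that is not code from any commenter. It parses `dig`-style answer lines offline and classifies the hosts; the provider suffix tables are assumptions based on well-known public MX names, the `.test` domains and their records are constructed, and the live lookup shells out to `dig` only when the file is run directly.

```python
import re
import subprocess

# Well-known mailbox-provider MX suffixes (assumed; extend for your inventory).
MAILBOX_PROVIDERS = {
    ".mail.protection.outlook.com": "microsoft-365",
    ".google.com": "google-workspace",      # aspmx.l.google.com, alt1-4.aspmx.l.google.com
    ".googlemail.com": "google-workspace",  # aspmx2-5.googlemail.com
}
# Inbound filtering gateways that relay to a mailbox hosted elsewhere. The MX
# alone cannot tell you who holds the mailbox behind them: no false positives,
# but plenty of false negatives.
RELAY_GATEWAYS = {
    ".pphosted.com": "proofpoint",
    ".mimecast.com": "mimecast",
}

# One dig answer line: "<name> <ttl> IN MX <priority> <host>"
MX_LINE = re.compile(r"^\S+\s+\d+\s+IN\s+MX\s+(\d+)\s+(\S+)\s*$")


def parse_dig_mx(answer_text):
    """Parse `dig <domain> mx` answer lines into MX hosts ordered by priority."""
    records = []
    for line in answer_text.splitlines():
        m = MX_LINE.match(line.strip())
        if m:
            records.append((int(m.group(1)), m.group(2).rstrip(".").lower()))
    return [host for _, host in sorted(records)]


def classify_mx(mx_hosts):
    """Return (provider_label, definitive) for a list of MX hosts.

    definitive is False whenever a relay gateway or an unrecognised host sits
    in front, because a daisy-chained MTA hides the real mailbox provider.
    """
    if not mx_hosts:
        return ("no-mx", False)
    labels = set()
    definitive = True
    for host in mx_hosts:
        provider = next((l for s, l in MAILBOX_PROVIDERS.items() if host.endswith(s)), None)
        if provider:
            labels.add(provider)
            continue
        gateway = next((l for s, l in RELAY_GATEWAYS.items() if host.endswith(s)), None)
        if gateway:
            labels.add(gateway + "-gateway")
        else:
            labels.add("self-hosted-or-unknown")
        definitive = False
    return ("+".join(sorted(labels)), definitive)


def lookup_mx(domain):
    """Live lookup via dig (needs network and the dig binary; not used offline)."""
    out = subprocess.run(["dig", "+noall", "+answer", domain, "MX"],
                         capture_output=True, text=True, check=True).stdout
    return parse_dig_mx(out)


# Real answer section quoted upthread for ycombinator.com.
SAMPLE_GOOGLE = """\
ycombinator.com. 300 IN MX 20 alt1.aspmx.l.google.com.
ycombinator.com. 300 IN MX 10 aspmx.l.google.com.
ycombinator.com. 300 IN MX 20 alt2.aspmx.l.google.com.
ycombinator.com. 300 IN MX 30 aspmx4.googlemail.com.
"""
# Constructed samples (reserved .test domains, made-up records) shaped like dig output.
SAMPLE_M365 = "example-corp.test. 3600 IN MX 0 example-corp-test.mail.protection.outlook.com.\n"
SAMPLE_RELAY = """\
example-bank.test. 3600 IN MX 10 mxa-0012abcd.gslb.pphosted.com.
example-bank.test. 3600 IN MX 10 mxb-0012abcd.gslb.pphosted.com.
"""

if __name__ == "__main__":
    for name, sample in [("google", SAMPLE_GOOGLE), ("m365", SAMPLE_M365), ("relay", SAMPLE_RELAY)]:
        print(name, classify_mx(parse_dig_mx(sample)))
    try:
        print("live ycombinator.com", classify_mx(lookup_mx("ycombinator.com")))
    except (OSError, subprocess.CalledProcessError) as exc:
        print("live lookup skipped:", exc)
```

The relay sample is the case to remember: a Proofpoint or Mimecast MX says nothing about whether Exchange Online, Google or an on-prem server is the final hop, so treat a gateway result as "unknown" rather than "not Microsoft".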
| fujigawa wrote:
| I'm gonna be honest, you sound like a problem employee.
|
| The companies not using Microsoft, are using Google. Which in
| my experience is equally or measurably worse.
|
| Just personal data points, but every avowed Microsoft hater
| I've ever worked with has been... difficult. Like a-drag-on-
| the-team-because-he-refuses-to-use-company-tools difficult.
|
| Edit: How does an aged post on this site go from +4 to -1 in
| the span of a few minutes?
| Etheryte wrote:
| I don't know man, you're gonna have a very tough crowd if
| you're gonna try and convince anyone that Teams is as good as
| Google Meet.
| fujigawa wrote:
| They are all equally crap. I'm convinced the people
| designing collaboration tools don't have to use them on a
| daily basis.
| dieortin wrote:
| I'm sure the people who designed Teams and Meet use their
| own products on a daily basis. And if those are crap,
| what's a better alternative?
| NeutralCrane wrote:
| Zoom + Slack
| supportengineer wrote:
| The plague that is currently infesting our software
| industry is "Promo-Driven Culture". Employees are
| incentivized to get a promotion, not to make life better
| for anyone, except for their manager's promotion.
| bitmasher9 wrote:
| Doing research on a potential employer and filtering out
| opportunities based on preferred toolchains is a green flag
| not a red flag.
| Spooky23 wrote:
| Dev tools, sure. Self-selecting yourself out of the
| office/email toolset used by 90% of companies seems like a
| weird flex.
| philipallstar wrote:
| Teams is just so much more horrible than Slack and Zoom,
| and dev teams use Slack and/or Zoom.
| Spooky23 wrote:
| Most customers of both use O365.
|
| The zoom fascination is pretty weird. It's literally
| Webex 3.0 without Cisco bullshit.
|
| Slack is pretty awesome. It wouldn't factor in selecting
| an employer, but that's just me.
| cactusplant7374 wrote:
| In this economy? This sounds like a fantasy.
| numpad0 wrote:
| I think the point is that GP red flagging all MS shops,
| which is more or less just sorting companies by headcount
| and flagging all from the top, implies incompetency more on
| GP's side than on the company's side.
|
| Like, if a fighter jet pilot came and told all American
| jets are equally weak and overcomplicated and ineffective,
| it probably tells more about that pilot than about the
| jets.
|
| I don't know if that's the case, but that would be the
| idea.
| supportengineer wrote:
| Windows _is_ a parasitic drag-on-the-team.
|
| Now, if Microsoft creates a Microsoft Linux desktop OS, that
| would be something.
| dpifke wrote:
| That's basically WSL.
|
| My work laptop is Windows, and the only native applications
| I run on it are a web browser, Zoom, and the company's VPN
| software. Everything else runs inside WSL.
|
| I greatly prefer Debian to Homebrew, so if I can't run
| actual Linux, this is (to me) superior to trying to develop
| on a Mac.
| illusive4080 wrote:
| I agree that Debian beats Homebrew. But wouldn't a
| persistent Debian container on Mac be better? WSL is
| nothing more than a container on the system, no?
|
| The Mac hardware is vastly superior to most Windows
| laptops, especially enterprise Windows laptops.
| dpifke wrote:
| With Windows 11, WSL has X and Wayland support, so you
| can run graphical applications as if they're native (e.g.
| share the same cut-and-paste buffer, switch between
| windows using alt+tab, and so on). It's also much easier
| to attach USB devices like Yubikeys to an already-running
| container than the last time I tried to do the same with
| Parallels. (That was quite a few years ago, so maybe it's
| gotten better.) You can also launch Windows applications
| from Linux, which makes it trivial to control my
| (Windows-native) browser from within WSL.
|
| I strongly disagree about Mac hardware vs. Thinkpads or
| Framework, but to each their own.
| spankibalt wrote:
| > Windows is a parasitic drag-on-the-team.
|
| Not in my industry. And workstations, mobile or otherwise,
| on the clock? You work with what's certified and available.
| But to be fair, "Apple people", praise the Great Maker, are
| utterly irrelevant here. Hardware- _and_ software-wise.
| coolestguy wrote:
| "using the biggest software suite tailored for offices/IT
| environments is a red flag"
|
| honestly the things i read here sometimes hahaha
| erikerikson wrote:
| As someone who has been accepting of MS houses and worked at
| a few, the heuristic holds up in my admittedly anecdotal
| experience. The Mac houses are fine and Linux houses have
| been best.
| crmd wrote:
| The chairman of my last big company said I was "ungovernable"
| at one of our last board dinners, so I'm reluctantly inclined
| to agree with you.
| NeutralCrane wrote:
| Google is leaps and bounds preferable in my experience to
| Microsoft. I agree with the above. A Microsoft shop isn't a
| guarantee the company culture is bad, but it's correlated
| enough to be a flag.
| supportengineer wrote:
| If a company provides a Mac laptop, that to me is a green flag,
| if it provides a Windows laptop, that is a red flag.
|
| The best company I ever worked at, provided every software
| engineer both a Mac laptop and a Linux desktop as standard
| equipment.
| jojobas wrote:
| Too bad Microsoft shops run the world. All the factories and
| shops, nearly every commercial backoffice runs windows,
| office/exchange and what not.
| a-dub wrote:
| the software is so bad it's literally a national security
| risk.
| notmyjob wrote:
| I've definitely noticed a correlation with low regard for labor
| (h1b abuse). But maybe that's just a location thing, I'm in
| California where regard for labor, especially local talent, is
| non-existent. You know, move fast and break things like nascent
| tech worker unions and the state itself.
| a-dub wrote:
| it's generally pretty remarkably bad. i think i agree. it sets
| a sort of psychological baseline culture that computers and
| their software should be shit, which is a pretty bad influence
| for people making software to be engaging with day in and day
| out.
| alexpotato wrote:
| So I once brought down an alerting system using Excel
|
| (btw, this story is more about unintended consequences instead of
| MSFT)
|
| - I own an alerting system
|
| - For log based alerts, it looks for a keyword e.g. "alert_log"
|
| - I make a spreadsheet to track data about alerts and call one of
| the sheets "alert_log"
|
| - Alert system starts going crazy: using tons of CPU, number of
| alerts processed goes through the roof but not a lot of alerts
| generated
|
| - Turns out that I was using the cloud version of Excel so any
| text entered transited the firewall
|
| - Firewall logs store the text "alert_log"
|
| - Alert system thinks it's an alert BUT it's not a real alert so
| triggers an alert processing alert
|
| - That second alert contains the text from the firewall log and
| so cycle begins
|
| In other words, systems can operate in weird ways and then cause
| things to happen you didn't anticipate. It's why things like
| audits, red teaming and defense in depth all matter.
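The feedback loop alexpotato describes, as an added simulation that is not the poster's actual system: a keyword alerter watches a shared log stream, writes its own processing errors back onto that stream, and so re-triggers on its own echo of a firewall line. All log lines, source tags and the `alert_log:` line format are constructed for the example. Two assumed mitigations are shown as flags: never reprocess your own output, and match on the expected structure instead of a bare substring.

```python
import re
from collections import deque
from dataclasses import dataclass

KEYWORD = "alert_log"
# Constructed shape of a genuine alert line: "alert_log: <message>"
WELL_FORMED = re.compile(r"^alert_log: (?P<msg>.+)$")


@dataclass(frozen=True)
class LogLine:
    source: str   # constructed tags: "app", "firewall", "alerting"
    text: str


@dataclass
class RunResult:
    real_alerts: int
    meta_alerts: int   # "alert-processing" alerts raised on malformed matches
    steps: int
    drained: bool      # False means the queue never emptied before max_steps


def run_alerter(seed, *, ignore_own_output=False, strict_match=False, max_steps=50):
    """Simulate the keyword-driven alerter over one shared log stream.

    Everything the alerter writes goes back onto the stream it reads, which is
    what lets a substring hit on its own error output loop forever.
    """
    queue = deque(seed)
    real = meta = steps = 0
    while queue and steps < max_steps:
        steps += 1
        line = queue.popleft()
        if ignore_own_output and line.source == "alerting":
            continue  # mitigation 1: never treat your own output as input
        m = WELL_FORMED.match(line.text)
        if m:
            real += 1
            queue.append(LogLine("alerting", f"raised alert: {m.group('msg')}"))
        elif not strict_match and KEYWORD in line.text:
            # Naive substring hit on something that is not an alert: raise an
            # alert-processing alert that echoes the offending text. The echo
            # contains the keyword, so it matches again on the next pass.
            meta += 1
            queue.append(LogLine("alerting",
                                 f"alert-processing-alert: unparseable line: {line.text}"))
        # mitigation 2 (strict_match): a line that is not well-formed is ignored
    return RunResult(real, meta, steps, not queue)


# Constructed seed: one genuine alert, one firewall traffic log of a cloud
# spreadsheet request whose body carries the sheet name, one unrelated line.
SEED = [
    LogLine("app", "alert_log: disk usage at 91% on db-01"),
    LogLine("firewall", "ALLOW 10.0.0.5 -> excel.cloud.example:443 POST body=sheet name alert_log"),
    LogLine("app", "user login ok"),
]

if __name__ == "__main__":
    print("naive      ", run_alerter(SEED))
    print("no-self    ", run_alerter(SEED, ignore_own_output=True))
    print("strict     ", run_alerter(SEED, strict_match=True))
    print("both       ", run_alerter(SEED, ignore_own_output=True, strict_match=True))
```

The naive run hits the step cap with the queue still non-empty; either mitigation alone drains it, and dropping the firewall's traffic logs from the alert feed altogether (the fix unethical_ban mentions below) removes the trigger before it reaches the matcher at all.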
| unethical_ban wrote:
| As a firewall engineer I have to tell people to make sure to
| disable traffic logs for syslogs from the firewall for this
| reason.
| _whiteCaps_ wrote:
| Reminds me of the time I set up tcpdump to log network
| traffic on a troublesome server. To save disk space I sent it
| over SSH to my laptop. Oops!
| lenerdenator wrote:
| Side gripe:
|
| I'm sitting here with a very performant computer running its
| native web browser.
|
| It's ridiculous that I kept losing my place in that article
| because the page kept getting shifted to fit yet another damn ad
| (there were at least three in-view _at all times_ as I was
| looking at it) onto the screen.
|
| Either make the ads fast and don't load the page until they're
| all there, or better yet, admit that online content isn't a way
| to make your private equity group even more obscenely rich, and
| cut back on the monetization that you put on it.
| AtNightWeCode wrote:
| No, they did not breach anything through SharePoint. The flaw is
| that IDIOTS exposed these servers to the Internet. I am very pro
| holding vendors accountable but this is just stupid. "Pro-tip"
| btw. SharePoint installations often have the pw sharepoint,
| sharepoint123, sharepoint-123 and so on in various casing and
| delimiters.
___________________________________________________________________
(page generated 2025-10-21 23:00 UTC)