[Video] Lies From Microsoft, Systemic Failure, and Cover-up by the Media
Video download link | md5sum 9db7b3b9e75038cc723e4138b8b5a756
Things Microsofters Do and Say
Creative Commons Attribution-No Derivative Works 4.0
TODAY'S video covers a mixture, or a range, of issues, some of which I can reflect upon based on personal and direct experience (the company went astray about 6-7 years after I joined; I resigned almost 12 years later and the matter remains far from settled).
The video speaks about "Microsofters" in the workplace and what they can do to fellow tenants and peers, in essence breaking what always worked (before they came and interfered). In the case of a government agency, it can become a Microsoft cult. In the case of a business, it'll likely fail very fast (but the capital it once had will be passed to Microsoft; heck, the people who do this might be working for Microsoft but on another company's payroll). In the case of state/national/local "universities", it seems they will "add as many small barriers to teaching and research as they can get away with," to quote a friend. "That's on top of the fraudulent time management system which wastes over 16 hours per employee per month on a task which used to be < 1 hour per employee per month with the paper-based model."
That happened where I worked too. There's no practical benefit. Everyone hated that. Everyone. The management who decided on it exempted itself from it, i.e. the nuisance was meant to make only "other staff" miserable.
Then there's the aspect of security. Data breaches often happen in 'Windows shops' or places that accommodate everything from Microsoft - a company notorious for working with the NSA against its so-called 'clients'.
Microsoft and security are opposites.
Some media outlets "seem to go out of their way to avoid naming Microsoft as an 'unindicted co-conspirator' in the world's ransomware mess," the friend said. This company "has cultivated the ransomware sector from a tidy cottage industry to a multi-billion dollar per year global behemoth. Eventually it will have enough spare resources to start to take on real operating systems, not that it will be easy but it will be possible to hunt weak/misconfigured/neglected outliers."
As I point out in the video, schools and such workplaces tend to hire some of the worst "IT" people, who could not find a job in "the industry". Due to their lack of skills they tend to just outsource almost everything to Google, Microsoft, and so on. At one stage Sirius did this too (Google outsourcing, even in Welsh education) despite the "Open Source" in the company's name, site, etc. Thank you, Mr. Kink, for insisting that "Google is your friend"...
In technical workplaces, such as the one where my wife and I worked for nearly 21 years combined (I had worked for universities before Sirius), there's a tendency to hire for "price" and then put nontechnical and unqualified people in decision-making roles (e.g. 3 sexual partners of Mr. Kink, people with no background in computing assigned to highly technical roles). That's when Mantis or some other Free software gets replaced by proprietary junk, bloat like JIRA, and a locally hosted code repository (such as Git; oh, that's too hard!!!) gets pushed aside because "GitHub!"
"Apropos earlier," my friend told me, "pytorch CI breach is not a 'supply chain' problem but a Microsoft GitHub problem. The problem lies with allowing Microsoft into the supply chain. That Microsoft has been breached is a given."
From our Daily Links:
- New Class of CI/CD Attacks Could Have Led to PyTorch Supply Chain Compromise

In short, an attacker can use a fork pull request to become a contributor to a repository that has a self-hosted runner attached, and then be able to run any GitHub workflow on the runner. If the runner was configured using the default steps, it is non-ephemeral, enabling persistent access.
- Playing with Fire – How We Executed a Critical Supply Chain Attack on PyTorch
Security tends to lag behind adoption, and AI/ML is no exception.
Four months ago, Adnan Khan and I exploited a critical CI/CD vulnerability in PyTorch, one of the world’s leading ML platforms. Used by titans like Google, Meta, Boeing, and Lockheed Martin, PyTorch is a major target for hackers and nation-states alike.
Thankfully, we exploited this vulnerability before the bad guys.
Here is how we did it.
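The first excerpt above describes the risky combination at the heart of the PyTorch case: a self-hosted, non-ephemeral runner that a fork pull request can reach. As an added, constructed example (not code from this post, from the linked articles, or from the PyTorch project), here is a small Python audit that flags that combination in GitHub Actions workflow definitions from the defender's side. Workflows are supplied as already-parsed Python dicts (in practice you would load each `.github/workflows/*.yml` with `yaml.safe_load`), and the three sample workflows are made up for illustration.

```python
"""Audit GitHub Actions workflows for self-hosted runners reachable from fork PRs.

Added example, not from the original post or the PyTorch project.  The
workflow structures mirror the real GitHub Actions schema (`on`, `jobs`,
`runs-on`), but the sample workflows below are constructed for this example.
"""

# Events that a pull request from a fork can trigger.  `pull_request_target`
# additionally runs in the base repository's context (with its secrets), so it
# is treated as the more severe case.
FORK_REACHABLE_EVENTS = {"pull_request", "pull_request_target"}


def workflow_events(workflow):
    """Normalise the workflow `on:` field (string, list or mapping) to a set of event names."""
    # PyYAML follows YAML 1.1, where a bare `on` key is parsed as the boolean
    # True rather than the string "on", so look under both keys.
    on_field = workflow.get("on", workflow.get(True, {}))
    if isinstance(on_field, str):
        return {on_field}
    if isinstance(on_field, list):
        return set(on_field)
    if isinstance(on_field, dict):
        return set(on_field.keys())
    return set()


def uses_self_hosted(runs_on):
    """`runs-on` may be a label string, a list of labels, or a mapping with `labels`."""
    if isinstance(runs_on, str):
        labels = [runs_on]
    elif isinstance(runs_on, list):
        labels = runs_on
    elif isinstance(runs_on, dict):
        labels = runs_on.get("labels", [])
        if isinstance(labels, str):
            labels = [labels]
    else:
        labels = []
    return any(str(label).lower() == "self-hosted" for label in labels)


def audit_workflow(name, workflow):
    """Return one finding per job that runs on a self-hosted runner and is fork-reachable."""
    findings = []
    fork_events = workflow_events(workflow) & FORK_REACHABLE_EVENTS
    if not fork_events:
        return findings  # only push/schedule/etc.: forks cannot trigger it
    for job_id, job in (workflow.get("jobs") or {}).items():
        if uses_self_hosted(job.get("runs-on")):
            findings.append({
                "workflow": name,
                "job": job_id,
                "events": sorted(fork_events),
                "severity": "high" if "pull_request_target" in fork_events else "medium",
            })
    return findings


def audit_all(workflows):
    """Audit a mapping of workflow file name -> parsed workflow."""
    findings = []
    for name, workflow in workflows.items():
        findings.extend(audit_workflow(name, workflow))
    return findings


# Constructed sample workflows (not taken from any real repository).
SAMPLE_WORKFLOWS = {
    "ci.yml": {
        "on": {"pull_request": {"branches": ["main"]}, "push": None},
        "jobs": {
            "lint": {"runs-on": "ubuntu-latest", "steps": []},
            "gpu-test": {"runs-on": ["self-hosted", "linux", "gpu"], "steps": []},
        },
    },
    "nightly.yml": {
        "on": {"schedule": [{"cron": "0 3 * * *"}]},
        "jobs": {"bench": {"runs-on": "self-hosted", "steps": []}},
    },
    "label.yml": {
        "on": "pull_request_target",
        "jobs": {"triage": {"runs-on": {"labels": "self-hosted"}, "steps": []}},
    },
}


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_WORKFLOWS):
        print(f"[{finding['severity']}] {finding['workflow']} job '{finding['job']}' "
              f"runs on a self-hosted runner and is triggered by {finding['events']}")
```

On the sample set the audit reports `ci.yml`/`gpu-test` (medium) and `label.yml`/`triage` (high) and stays silent on the schedule-only `nightly.yml`. Two settings address what the excerpt calls out: registering the runner with the `--ephemeral` option of the runner's `config.sh` makes it serve a single job and then deregister, removing the persistence of the default non-ephemeral setup, and the repository's "Require approval for all outside collaborators" Actions setting closes the route by which a merged pull request turns a fork author into a contributor whose workflow runs no longer need approval.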
The same narrative was parroted yesterday in LWN (which really ought to know better):
As noted in the video, they recently blamed people uploading rogue packages to PyPI on "Linux" (how very common), making it seem or feel like GNU/Linux is at fault for merely running some malicious package downloaded without verification.
Stawinski: How We Executed a Critical Supply Chain Attack on PyTorch
John Stawinski IV describes, in detail, how he and a partner were able to compromise the security of the heavily used PyTorch project.
"Maybe, or maybe not, related to the Microsoft vulnerability last week," my friend told me, "Microsoft SharePoint is getting ripped a new one with an actively exploited set of holes."
"Microsoft munchkins will be working hard to distract from that," he added.
I did notice a sharp uptick in unfair security "news", naming phony issues in "Linux" when the real problem was a bad password. Is that enough of a distraction? █