62 comments

[ 1.7 ms ] story [ 73.8 ms ] thread
(comment deleted)
(comment deleted)
There needs to be a law that all nuclear and nuclear-adjacent facilities have no connection to the Internet. The fact it's allowed is unbelievable.
Just wait until these places get flooded with vibe coded stuff that even those deploying it have little understanding. What could go wrong!?

Sleep well.

The nuclear systems are air-gapped. So this is already the case.
A flaw? In Sharepoint?

I'm shocked. Shocked, I tell you.

Sharepoint is one of the worst, most bug-ridden softwares I've worked with.

It has a bug with Solidworks (3D design suite) that sporadically makes files completely un-openable unless you go in and change some metadata. They are aware of this, doesn't seem to be any limitation preventing them from fixing it, and it has sat unfixed for years.

Microsoft's cloud storage as a whole is an insane tangle where you never know where you'll find something you're looking for or whether it will work. Some things work only in browser, some only in the app, zero enumeration of these things anywhere.

Completely unsurprised and I'm sure there are many more vulnerabilities ripe for the picking.

Whoever puts a nuclear fission facility on the internet should be put behind bars.
(comment deleted)
It is not a nuclear fission facility, it is "a plant that produces the vast majority of critical non-nuclear components for US nuclear weapons".

The also targeted the IT side, not the operational side, which, according to the article is likely to be airgapped. Even sensitive production facilities need some internet access, people work there and like everyone else, they need food, office supplies, toilet paper, etc... they can't be cut off the rest of the world completely.

Hahaha, how stupid must anyone be to deploy SharePoint anywhere near anything of national security relevance! How can it still be a thing, that anyone entrusted with such sensitive matter dates to even touch MS products of the kind of SharePoint? That includes the complete MS Office 365 disaster suite, MS Teams and Edge.

Sounds like they need to seriously redesign their security policies.

As a company that supports OT systems we hate seeing level 5 in the Purdue model with direct write access to level 1 and 0.
The timeline here is interesting. Microsoft releases info and instructions for mitigation on July 19, and a more complete report on July 22nd, here's a copy of that:

https://archive.ph/plNZU

Then according to this report, 'sometime in August' the exploit is used against the Honeywell-managed nuclear facility, since it wasn't patched, if I read correctly? So it really could have been anyone, and it's hardly just Russia and China who have a record of conducting nuclear espionage in the USA using their nation-state cybercapabilities (Israel?). As the article notes:

> "The transition from zero-day to N-day status, they say, opened a window for secondary actors to exploit systems that had not yet applied the patches."

Also this sounds like basically everything that goes into modern nuclear weapons, including the design blueprints. Incredible levels of incompetence here.

> "Located in Missouri, the KCNSC manufactures non-nuclear mechanical, electronic, and engineered material components used in US nuclear defense systems."

Does this kind of thing happen to China + Russia?

I don't see news about that much - but to be fair, I am not looking for it.

When I try to access sharepoint files in my browser, the site goes through 37 redirects (thanks single sign on) shows all the files, then despite me very obviously being fully authenticated, it pops up a modal that says "sign in to see files", and I click "Cancel" and then I get to actually interact with the files.

What?

Gee, who would have guessed this isn't secure.

That guy who jumped the office chair will be the end of us all
The jump was amazing though! At his age.
As usual with all these types of posts, people go "HA HA, MICRO$OFT SUCKS" without understanding business practices that keep them afloat.

Don't use Exchange? Cool, what should we use instead? Does it support 15 people all the way up to 150000 people? I used to run Exchange cluster for 70k people, is there other mail software out there complete with non-shared disk redundancy? Where the users connect to single endpoint and software figures it out from there?

Sharepoint with another 2 RCEs. Not shocked, the software is terrible. However, it's only software that will stand up under load and let us shard it easily. All open-source software is one of those, runs fine in Homelab, likely falls down under load. Few Open Source Developers want to work on this stuff which I get because it's tedious work interfacing with computer illiterate end users. I'd rather chug sewage then do this work for free.

Finally, it's somewhat backwards compatible. Most businesses are filled with ancient software that no one has worked on in 20 years. That Excel document with Macros from 1997. With some registry changes degrading security posture, still works. I doubt you will find Office software with level of backwards compatibility unless they are using Microsoft Office level of compatibility.

Microsoft has real gordian knot here and few solutions besides "Backwards compatibility is OVER. Upgrade to modern or GTFO". Meanwhile, I get hit up by $ThreeJobsAgo over some Exchange Web Services solution I slapped together for them in Python they wanted me to upgrade to GraphAPI since Microsoft turned off Exchange Web Services in Office365.

How many organizations on the planet require their Exchange server to support 150k users? I doubt most manufacturing plants fall into this category.
Sharepoint is enterprisey and all but how about "less software/surface area is more" when it comes to nuclear silos?
(comment deleted)
Exchange has valid arguments for it, but I don't think SharePoint has anything going for it other than "we already got a license for that as part of out package deal". As software in its own right, it's uniquely bad even for Microsoft.
> Sharepoint with another 2 RCEs. Not shocked, the software is terrible. However, it's only software that will stand up under load and let us shard it easily. All open-source software is one of those, runs fine in Homelab, likely falls down under load. Few Open Source Developers want to work on this stuff which I get because it's tedious work interfacing with computer illiterate end users. I'd rather chug sewage then do this work for free.

All just empty claims without showing any evidence. Did you ever set up a multi-client syncthing setup to test your theories about it falling over? Or do you have any references, pointing us to analysis, that shows, that any such tool doesn't hold water? What about some bit torrent setups? There are many options in this space, and one doesn't even have to lump synchronization and viewing in a web UI into one service. If one doesn't, then there are many tools that can accomplish the job better than Sharepoint.

And btw. paid MS Office doesn't even hold water for some 80 people, delivering me my e-mails some half an hour later, at a snail's pace, one or two a minute, while my 1 EUR per month free software using e-mail provider (posteo) manages to give me all my new e-mail almost instantly, the moment I open Thunderbird.

> Sharepoint with another 2 RCEs. Not shocked, the software is terrible. However, it's only software that will stand up under load and let us shard it easily. All open-source software is one of those, runs fine in Homelab, likely falls down under load. Few Open Source Developers want to work on this stuff which I get because it's tedious work interfacing with computer illiterate end users. I'd rather chug sewage then do this work for free.

Isn't sharepoint just a file share server? (Ive never used it)

I'm sure solutions like samba or an ftp server hold up fine under the load. Its really more a UI question.

One of the first things I do after getting an inquiry from a recruiter or friend referral is lookup the MX record for the company’s email domain. It is an anonymous one-command check to see if they’re a Microsoft shop.

If they are, it’s enormous personal red flag. MSFT is very popular so I’m only speaking about my own experience, but I have learned over the course of 20 years that an MSFT IT stack is highly correlated with me hating the engineering culture of an organization.

I know I am excluding a lot of companies with great engineering culture where I would thrive and who just happen to use Outlook/Sharepoint/Teams, etc. but it has had such better predictive power of rotten tech culture than any line of questioning I have come up with during interviews that I still use it.

I don’t mean any disrespect to MSFT-centric engineers out there - it’s not you it’s me.

Companies that don't use Outlook? All five of them?

I've seen companies with varying levels of MS product integration but Outlook is pretty foundational.

Now, if a company says they use SharePoint or Teams to store their documentation, run to the hills. Wikis or bust.

I'm gonna be honest, you sound like a problem employee.

The companies not using Microsoft, are using Google. Which in my experience is equally or measurably worse.

Just personal data points, but every avowed Microsoft hater I've ever worked with has been... difficult. Like a-drag-on-the-team-because-he-refuses-to-use-company-tools difficult.

Edit: How does an aged post on this site go from +4 to -1 in the span of a few minutes?

^^Microsoft may have its warts, but I don't know how someone can go from Excel to Google Sheets or Outlook to Gmail and think: this is just such a major upgrade I don't know how I existed in the past and I would never work someplace that uses Microsoft productivity tools.

Excel in particular, for any power user, sheets just doesn't hold a candle to its functionality. Outside of the valley Microsoft must still have a 10:1 ratio of corporate use, I never run across a customer that has made the switch.

I am not a Microsoft hater; in fact, I have been using Microsoft products since MS-DOS 3.3. But Outlook and its ecosystem are a horrible shit show and an indicator of terrible decision-making.

Google Workspace is an infinitely better productivity framework; there's no space for discussion here.

If a company provides a Mac laptop, that to me is a green flag, if it provides a Windows laptop, that is a red flag.

The best company I ever worked at, provided every software engineer both a Mac laptop and a Linux desktop as standard equipment.

Too bad Microsoft shops run the world. All the factories and shops, nearly every commercial backoffice runs windows, office/exchange and what not.
I’ve definitely noticed a correlation with low regard for labor (h1b abuse). But maybe that’s just a location thing, I’m in California where regard for labor, especially local talent, is non-existent. You know, move fast and break things like nascent tech worker unions and the state itself.
it's generally pretty remarkably bad. i think i agree. it sets a sort of psychological baseline culture that computers and their software should be shit, which is a pretty bad influence for people making software to be engaging with day in and day out.
My company uses a MSFT for domains, email, office work etc. but hands all the employees (not just engineers, HR as well) Macs. I don't know what kind of places you're working for but I'm not really interested in spending more time debugging your mattermost instance or email server instead of working on the core product I was hired to work on. I agree microsoft software is a plague but good luck convincing the people with the money to use something else lol
(comment deleted)
Hard agree. I've worked both kinds of places, I'm never working in an MS environment again for less than 7 figures.
I have to disagree here, that is such an enormous broad brush
So I once brought down an alerting system using Excel

(btw, this story is more about unintended consequences instead of MSFT)

- I own an alerting system

- For log based alerts, it looks for a keyword e.g. "alert_log"

- I make a spreadsheet to track data about alerts and call one of the sheets "alert_log"

- Alert system starts going crazy: using tons of CPU, number of alerts processed goes through the roof but not a lot of alerts generated

- Turns out that I was using the cloud version of Excel so any text entered transited the firewall

- Firewall logs store the text "alert_log"

- Alert system thinks it's an alert BUT it's not a real alert so triggers an alert processing alert

- That second alert contains the text from the firewall log and so cycle begins

In other words, systems can operate in weird ways and then cause things to happen you didn't anticipate. It's why things like audits, red teaming and defense in depth all matter.

Side gripe:

I'm sitting here with a very performant computer running its native web browser.

It's ridiculous that I kept losing my place in that article because the page kept getting shifted to fit yet another damn ad (there were at least three in-view at all times as I was looking at it) onto the screen.

Either make the ads fast and don't load the page until they're all there, or better yet, admit that online content isn't a way to make your private equity group even more obscenely rich, and cut back on the monetization that you put on it.

No, they did not breach anything through SharePoint. The flaw is that IDIOTS exposed these servers to the Internet. I am very pro holding vendors accountable but this is just stupid. "Pro-tip" btw. SharePoint installations often have the pw sharepoint, sharepoint123, sharepoint-123 and so on in various casing and delimiters.
(comment deleted)
they breached it* meaning that they had access to their "Welcome !" page in sharepoint lol.
Say it ain’t so. Another Microsoft security problem? Inconceivable!
If it is that bad why don’t we see it being exploited at scale? I work with many Fortune 500 companies and I would say 9/10 use SharePoint. Also some deployments are much better than others, so I would rather say many implementations of SharePoint are shit but if done right it’s actually pretty solid. There’s really no better alternative unless you want to maintain 5-10 separate tools owned by multiple vendors. I also don’t get the hate for Teams. I use Zoom, Slack even Discord for work and don’t have strong feelings for Teams. I can take calls, join meetings from my calendar, record them and summarize them with Copilot. I don’t need anything else and Teams does that just fine. I do like Discord ability to share multiple screens and jump into a channel to collaborate, particularly useful when debugging or pair programming.