- In an interview with TechCrunch, somebody said the MS engineer incident happened due to session token theft, aka phishing. Could MS engineers not use phishing-resistant solutions they sell to customers, such as FIDO2?
- Should there be disclosure requirements on cloud services, to avoid cloud providers routinely covering up breaches?
- Should there be a commonly accepted database of cloud vulnerabilities, so that providers can’t hide behind not issuing CVEs and wordsmithing?
Another one - Microsoft sells an HSM service to customers. Could they use it for their own services, maybe? https://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/overview
@f7d0478e they DO use HSMs
for their WINDOWS and XBOX signing keys
@1889f834 yeah, not sure this - and MSA is pretty important
@f7d0478e the real WTF would be if they'd used something stupid like a Sentinel HASP protection dongle as an "HSM" for encryption at rest but not in memory
@1889f834 let’s just say they should investigate HSM solutions they sell 🤣
@f7d0478e I don’t have all the context, but session token theft doesn’t necessarily mean they interacted with a phishing website. Could have been endpoint malware that stole it from the browser.