Oddbean new post about | logout
Kevin Beaumont | 1 years ago (raw) | root | parent | reply | flag 
 - In an interview with TechCruch, somebody said the MS engineer incident happened due to session token theft, aka phishing. Could MS engineers not use phishing resistant solutions they sell to customers, such as FIDO2? 

- Should there be disclosure requirements on cloud services, to avoid cloud providers routinely covering up breaches?

- Should there be a commonly accepted database of cloud vulnerabilities, so that providers can’t hide behind not issuing CVEs and wordsmithing.
Kevin Beaumont | 1 years ago (raw) | root | parent | reply | flag 
 Another one - Microsoft sell a HSM service to customers. Could they use it for their own services, maybe? https://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/overview
e9c2496e | 1 years ago (raw) | root | parent | reply | flag 
 @f7d0478e they DO use HSMs

for their WINDOWS and XBOX signing keys
Kevin Beaumont | 1 years ago (raw) | root | parent | reply | flag 
 @1889f834 yeah, not sure this - and MSA is pretty important
e9c2496e | 1 years ago (raw) | root | parent | reply | flag 
 @f7d0478e the real wtf would be if they'd used something stupid like a sentinel HASP protection dongle as an "HSM" for encryption at rest but not in-memory
Kevin Beaumont | 1 years ago (raw) | root | parent | reply | flag 
 @1889f834 let’s just say they should investigate HSM solutions they sell 🤣
bbf233de | 1 years ago (raw) | root | parent | reply | flag 
 @f7d0478e I don’t have all the context, but session token theft doesn’t necessarily mean they interacted with a phishing website. Could have been endpoint malware that stole it from browser.