Corey Quinn
Jun 15, 8 tweets, 6 min read
And now, the most horrifying security vulnerability I've seen in ages, starring @Microsoft @Azure.

A thread...
So @orcasec found a vulnerability in @azure and reported it to Microsoft back in January. @Azure's response was to go out and buy a booth for @RSAConference, then get back to Orca six short weeks later.

A speedy month and a half later, Azure releases a patch.

I AM NOT DONE.
Orca was able to BYPASS THE PATCH. @Azure security swung into action and expanded the size of their #RSAC booth, while paying @orcasec a $60K bug bounty. (This remains the only thing Azure got right in this entire debacle.)
Orca reached out to @Azure with an "oh, by the way, the security certificate we exfiltrated and reported to you has not been revoked."

Azure's security team met with Orca a few days later, presumably to ask @orcasec which flavor of crayon was the most delicious.
After that, @Azure finally understood what @orcasec was saying, and deployed a second patch.

Three days later ORCA BYPASSED THE NEW PATCH.

@Azure installed a 60-foot banner above their #rsac booth, and deployed a third patch. This one seems to have worked?
This is not a story about an @Azure security failure. This is a story about a complete lack of security culture apparent anywhere in this story.

If I were an Azure customer, I would seek to change that immediately after reading @orcasec's blog post.
orca.security/resources/blog…
I would dearly love @Azure to expound upon this. Tell me, how does "an attacker has access to and can run code within customer environments" not catapult "minimizing customer disruption" into the next county?! In a statement, company officials wrote: "We are deeply
Engineering mistakes happen, and I’m not one to shame people for making them. But this lack of responsiveness to reports of serious security issues is just wild to me.

I’ve seen their larger competitor patch issues far less severe within two days globally.
