Arainach 7 hours ago
It's not a matter of "immune" - larger organizations generally have more resources to allocate to things like this. That doesn't mean they get it right 100% of the time, but they are at least able to try, while small teams or volunteer projects often simply don't have the hours to spend on things like this.
|
technion 5 hours ago
I've sat in some pretty large orgs and my own experience was the "resources allocated" went to the PR team. I can assure you that they would have had a more boring, corporate-sounding announcement with multiple references to their legal team and the actions they would have taken, alongside some useless information about being PCI compliant or something. I'm not convinced the practical output is any better.
|
hsbauauvhabzb 5 hours ago
lol larger organizations don't spend money on this, they add some useless 'secops' tools to their CI and call it a day. They are certainly not doing things like reproducible builds, lol half of them don't deploy signature verification.
|
calvinmorrison 7 hours ago
And unlike GPL software, there is typically an army of lawyers, an expressed warranty, legal liability, etc.
|
its_ubuntu 7 hours ago
[flagged]
shaboinkin 6 hours ago
Anecdotally, my company has a device driver posted on Windows Update. I inherited the project and was digging through Microsoft's hardware dashboard trying to find information on the stability of the driver.

I ended up finding that our driver was crashing rather frequently. Looking closer, the name of the driver shown was curious, as it contained the name of our driver as defined in the inf file, with "(WeTest)" appended at the end.

I looked through all the source code for a reference to this string, to no avail. Eventually I googled "WeTest" and found out WeTest is something owned by Tencent.

I double-checked all drivers that were ever posted to the server from our account and found no reference to "WeTest" in any of the driver packages uploaded.

I emailed our Microsoft contact and got no answers as to where this driver came from and why it was visible from our account.

After a few months, this driver was finally removed from our dashboard, and our administrator for the account had to submit government documents to Microsoft to show he worked where he said he did.

I won't give specifics on who's or what's, and anyone is more than welcome to dismiss what I'm saying without evidence. But your comment, "when Microsoft's update servers get compromised...", made me want to share this experience.

Maybe it was some terrible software bug on Microsoft's end that managed to combine information from two different entities, but we were never given an explanation as to how this happened.
marcosdumay 6 hours ago
Hum... We keep pretending the SolarWinds scandal never happened?
hellzbellz123 4 hours ago
That wasn't really Microsoft-massive though.
hsbauauvhabzb 4 hours ago
That didn't cause tangible pain for the everyday person, even if it did cause non-tangible, long-standing damage. Every Windows PC ransomwaring at the same time worldwide would cause Mr. Robot-level chaos.