It’s kind of wild how we end up here over and over, a big government breach, angry headlines, but the tech never seems to change (imo).
If you work in IT, this whole SharePoint story is probably a deja vu,
A few real-world points that stood out to me:
- SharePoint (and a lot of other MS stuff) didn’t win because it was bulletproof, just because it was bundled “FREE” and nobody got fired for rolling it out in the 2000s. Once you’re deep into the Microsoft ecosystem, the cost and pain of replaccing is huge!
- Security honestly feels like a service for a lot of giants. When someone asks if it’s the number one priority, the answer from experiencem, is “no.”
Cost, compliance available support, and how easy it is to blame a vendor if things fail tend to matter more.
- When people say Linux would be more secure in these environments, maybe. But if Linux or Red Hat took over everywhere, you can bet it would become the juiciest target immediately. Right now, Windows gets a lot of attention because it’s everywhere. And obviously, attackers like to go where the odds of a big payoff are highest.
- A lot of giants aren’t making decisions based only on security or technical merit. It’s about familiarity, employee training costs, consulting partners, and “safe” bets. If you pick Microsoft and get breached, it’s an industry problem. If you pick something niche and get breached... it’s 100% your fault.
- Resistance to change is real. Swapping out platforms isn’t just a technical lift. Management, end users, even IT staff get pretty set in their ways.
Honestly, unless there’s enough public backlash or a relgulation hammer, I don’t see the inertia breaking any time soon. For most companies, “patch and carry on” still beats “burn it all down and start fresh.”
Something to understand here is that Sharepoint is not Windows. Sure it runs on Windows, but the vulnerability here was the application. Are we going to argue that applications that run on Linux cannot have security vulnerabilities? Especially large archaic enterprisey things like this?
I bet Oracle and SAP have similar types of things happen to their application suites but no one runs public websites on Oracle eApplications (yeah, plenty of companies have that exposed to the internet, but it's not The Company's Website)
While I agree with you on most points, security is never the number one priority. If it were we'd all destroy our computers, never write anything down, and simply accept the collapse of society. Security is always weighed against many other priorities such as authorised users being able to access data, and ease of use. A unique 128 character password for each document would have high security, but be widely considered unacceptable even in a system handling classified material.
This is the crux of the issue. The CIA triad (confidentiality, integrity and availability) are the root of all security. However, those goals are often self-contradictory.
There will always, for example, be a conflict between availability and confidentiality. Ultimate confidentiality might require that the data be stored in an inaccessible bunker with no outside access. Ultimate availability might involve hosting sensitive data on a publicly accessible server with no access controls.
In the real world we must always balance these needs carefully, and triage available resources to achieve an "ideal" outcome. This means that security will never, and can never, be a solved problem.
> If it were we'd all destroy our computers, never write anything down, and simply accept the collapse of society.
No, this is the same sort of defeatism that prevents us from making progress on security. We could engineer usable systems where actual security is a priority, and not just security theater. We don't because nobody in a position to change anything actually gives a shit.
You’re implying any real system can have a single top priority, which is equally false. There are always multiple priorities, and the one sitting at the top changes based on the context
> We could engineer usable systems where actual security is a priority,
Security is a priority. But it's not the only priority.
It would be difficult engineering even if it was the only priority, but given that there's little point to security for a system you never deploy, it's not likely to ever completely monopolize focus, either for users or implementers.
At this point i don't think security is a priority at all for companies like MS. Marketing themselves has having security is a priority. Doing the bare minimum to avoid lawsuits is their priority.
Ultimately though, they know that no matter how many times their failure to invest in security results in their customer's data being compromised or destroyed they'll keep making money.
Their customers are corporations who have insurance to cover their expenses when Microsoft's failure to make security a priority inevitably leads to a breech and those corporations are able to avoid all accountability for their decision to use Microsoft products no matter who else gets hurt as a result.
Dealing with yet another security issue caused by Microsoft is just another cost of doing business. It's still cheaper and/or easier for the corporations to keep MS and deal with the endless vulnerability/patch cycle than it is to move to something else and pay people who know what they're doing to manage those new systems so nothing changes.
> When people say Linux would be more secure in these environments, maybe. But if Linux or Red Hat took over everywhere, you can bet it would become the juiciest target immediately.
I do not think that is the only difference between Windows and Linux though.
For one thing Linux has multiple distros, some very varied. Its less of a monoculture. If Linux was more widely used it would also get grater usage for BSDs because a lot of things that run on Linux will run on them too.
Linux IS very widely used on servers, and on Chromebooks, and embedded. The kernel and a few other bits are widely used on phones too.
Android was designed from day one specifically to be a leaky sieve that funnels as much of your personal and private data to Google and their partners as possible. They're left with the impossible task of making it harder for third parties to gain access to the data they're collecting without making it too hard for them to collect it for themselves.
> In what world has SharePoint Server and SharePoint Standard + Enterprise User CALs ever been "FREE"?
Yeah.. I think people say "bundled FREE" when they really referring to MS enterprise packages. It's similar to how Comcast will sell you TV for $100, land line for $20, internet for $100, but you can get a TV/land line package for $90? or a TV/internet for $130. You can "bundle FREE" phone on your TV/internet package for an extra $5. (And yes, I heard support before tell me "For $10 more a month, you get a free upgrade to 1Gbps". ???? How is that free? They will say "It's the same package, but one level up for $10 more. It comes with free 1Gbps upgrade. what doesn't make sense?"
We need more Red Hat and less Microsoft in the on-prem enterprise business. These exploitable vulnerabilities are unacceptable when your customers are the likes of DoD.
No one considers Google anything less than an impenetrable fortress, but when it's some government entity responsible for keeping American lives safe it's like "ah yeah they probably have a vulnerable on-prem Sharepoint that could easily be pwned."
So why is this? Why do Microsoft products enjoy a monopoly on the server in these sectors when more secure (Linux-based) options are far cheaper and widely deployed already? Isn't security the number one priority in those spaces?
"Why do Microsoft products enjoy a monopoly on the server ...?"
They don't. There's plenty, even a majority, of non-Windows servers in gov (I know, some depts are true MS shops).
Sharepoint is one of those things that snuck in via the desktop. It was touted by MS as an evolution of shared folders with "Intranet" features included. If you already ran a Windows Server for fileshares, Sharepoint was "free".
The initial few implementations were of extremely poor quality, even by MS standards, but SP was positioned in the MS channel as the future of MS server side application development. So all of the consultancy/sales channel jumped on the SP wagon for any custom server projects.
For developers, it was a nightmare. Underneat the platform was a frankensteinian horror of bits and pieces of resurected code from many departments and projects across MS crudely bolted together with chewing gum scraped of a park bench and bits of string recovered from old fish guts. Lists (SP's core structure for file directories with exposed metadata properties) could not work reliably, the system fell over under even light load, latency was totaly unaceptable even for basic operations, files did not rountrip through the server unchanged ...
Over the years MS cut it down from "the future platform for custom backoffice apps" to "out of the box Intranet with mainly cosmetic configuration options" to "cloud hosted office 365 shared folders".
" Isn't security the number one priority in those spaces?"
No. It's exacly like every other IT environment of comparable size. Security is considered important, but does not drive sales. Features and cost, but also available expertise from the supplier/channel partners dominates the choice. Security is covered by promises and certifications, but more often than not left to operations to patch up.
I was involved in a software startup that was aligned with MSFT 18 or so years ago. We built the web app side of our tool in Sharepoint precisely to be a good team player, and make ourselves more attractive to Redmond, even though it gave us no real benefits.
The support problems were INSANE. We ended up spending an entire release cycle pulling the web app out of Sharepoint and just doing a proper stand-alone web site. Support calls plummeted.
Sharepoint is something only a marketer could love.
Sharepoint’s problem, as parent alluded to, is that it’s three kids in a trenchcoat pretending to be an adult.
At no time did MS seem to say “Here’s our vision for Sharepoint as a complete product.”
Instead, you got coming on 25 years of random big customer feature asks + a home for lost MS product bits.
It would surprise no one that performance of that has been atrocious for most of its life (for those not old enough, think non-functional search and 20s page loads for on-prem instances), salvaged only semi-recently via the cloud managed version (that I’d guess runs on a ground-up backend reimplementation).
>> The initial few implementations were of extremely poor quality, even by MS standards, but SP was positioned in the MS channel as the future of MS server side application development. So all of the consultancy/sales channel jumped on the SP wagon for any custom server projects.
The gaslighting around this matter was intense. It destroyed any remaining trust I had at that point.
It all started with Novell Netware. It was a great product and companies would buy it to have centralized management. Microsoft noticed this and decided to use their power position to drive Novell out of the market by offering a similar service and have it built in in their server product line. Novell tried to fight but it didn't last long.
The protocol was proprietary and an open source implementation in Samba was very slow at catching up. If you decided to host a domain controller using it, you newer knew if a random disconnect was a network issue or the controller or the client.
And here we are. Active directory, or Entra or however they call it these days, is basically a standard way to manage users everywhere. And until a strong entity (EU?) comes up with strong backup towards an alternative solutions (we have plenty of them now), the situation will not change.
> Active directory, or Entra or however they call it these days, is basically a standard way to manage users everywhere. And until a strong entity (EU?) comes up with strong backup towards an alternative solutions (we have plenty of them now), the situation will not change.
You still have Active Directory on premise and now you have EntraID (formerly Azure AD) in the Azure cloud.
For Windows devices, it is the only mechanism supported to have a centralized management system.
For other systems, such as MacOS, you have alternatives that don't require any centralized user database.
Most cloud-native companies today rely on Okta or Amazon Cognito for their applications. Google Workspace supports this too, but it is incredibly basic at what it can do.
I don't think there's nothing that anyone can do to make this different.
And just to nitpick a little, it's like saying the smartphone reduced the camera market because of its dominant position. It didn't, it just provided convenience when there was none (a phone, a camera, a video recorder...).
I do wonder if the fact that these vulnerabilities get exploited so often is because the customers are the likes of DoD. If DoD used Red Hat, maybe we'd see more large-scale linux/freedesktop exploits being discovered.
I think there's certainly an element of tall poppy syndrome here. Windows, for example, used to be targeted because its security was a complete joke until quite late in the XP era (SP3 IIRC). But there's always been, and still is, and element that it's targeted because it's a big, juicy target.
A huge portion of the desktop and server market are running Windows. It used to be almost all Windows, at least on the desktop. Nowadays mobile computing has become far more important so Windows doesn't have the end user dominance it once did, but there are still a huge portion of end user devices running Windows.
Same on the back end: it's just a big juicy target, and the bang for buck that hackers get from it is huge given how prevalent it remains in corporate and government environments.
I hate Microsoft products as much as the next person, but I don’t think your statement is entirely fair:
SharePoint isn’t Windows. It’s a Microsoft product that’s only available for Windows Server. But it’s not Windows.
The reason I make that distinction is because if you widen the scope of services available on Linux then you might come a lot closer to the same volume of issues.
For example, take a look at how frequently CVEs are raised against popular CMSs.
Sure, I get the point, a more apt comparison might actually be RedHat though, since they're doing E2E packaging for a product suite.
I mean, Linux isn't even Linux - At the risk of invoking a meme: Linux is actually GNU + Linux; and even then there's a web-server on top, and software that it runs.
So, a working comparison might be Wikipedia? As far as I understand it; that's the largest CMS on the planet.
The closest comparison to SharePoint is probably a combination of Zoho Connect, Zoho WorkDrive, and Zoho Flow. Zoho's office suite also integrates with WorkDrive and has collaborative editing. They even have a desktop app for Writer.
Even then, SharePoint is more of a platform. You can build SharePoint apps and extend it.
There isn't a comparison for SharePoint Server. There really isn't any single thing like it for on-premise.
ok, nginx+linux power nearly every website, is that close enough of a sizable target?
As mentioned, even if we exclude websites, Linux is a pretty enormous target. Much more enormous than microsoft - by an order of magnitude or more, yet: we don’t seem to have these kind of issues. Curious, don’t you think?
Very curious. Just based on the incidents we see, and analyze over time, almost all of them are compromised Windows systems. When I say "almost", I'll provide these stats: ~4500 Windows incidents over 5 years, vs. two Linux incidents.
Similarly, looking at vulnerability counts by vendor doesn't paint a rosy picture of our largest vendor Microsoft, either. But it pales in comparison to the incident statistics, which speak for themselves.
To Microsoft's credit, they've managed to turn their weaknesses into a secondary industry, wherein they now no longer sell just the disease, they also sell the cure. "Oh, your Windows systems have security problems? Have we told you about our expansive security solutions? They're only an additional $your_budget_doubled per year!"
Microsoft’s back office suite is massive. So you’re talking about Nginx + a CMS + online office suite + video conferencing + identity providers and so on and so forth.
There isn’t really a direct comparison in the FOSS world. It’s either smaller in scope or smaller in terms of high profile organisation adoption.
This is why I think it’s easier to ignore the “Linux” part. Not because Linux is technically a kernel, but because there isn’t a directly comparable solution that targets Linux / GNU or whatever other base OS moniker you want to use. Same is true for BSD, Darwin and so on.
The alternatives to Microsoft’s dominance are typically more narrow in scope and usually proprietary too (eg Okta for identities, Google Docs for O365, etc)
Does this mean that Microsoft products are secure? Not really. It just means we cannot make a fair comparison against FOSS when it comes to these specific types of attacks.
If every car in your neighborhood that gets broken into is manufactured by a single manufacturer, it is in your interest in asking why that is, and perhaps considering that fact when shopping for a new car.
That does happen though. Cars worth more are stolen while cards worth less are not.
The common factor there isn’t that 40 year old hatchbacks have better security. It’s that the risk vs reward isn’t there compared to the brand new luxury cars with higher resale value on the black market.
This isn’t something I’ve just made up either. This is what the police told us when my neighbours Merc was stolen while my Skoda, which was accidentally left unlocked, was not.
Thieves target the expensive cars because they’re worth more. It’s really that simple.
> Thieves target the expensive cars because they’re worth more. It’s really that simple.
They don't target the expensive cars. The most stolen cars in the US are cheap Hyundais And Kias. Before they claimed the top spot on the list of cars taken most often the winner was pick up trucks and old Toyotas.
Thieves target what's easy to take and easy to chop up and sell, not luxury cars with high resale value.
If every car in your neighborhood that gets broken into is manufactured by Ford, but some people keep saying that their sneakers never get broken into, why don't you just walk everywhere, also they've never driven a car and don't really believe anyone else drives a car and keep implying it's just a status symbol...
and then they say "okay what if we consider everyone's sneakers all together, and how rarely they get stolen compared to cars" as if they've come up with a sensible comparison in complexity...
and then someone suggests "RedHat Linux" as an alternative to your car. Apparently they don't know what section of the world a car fits into, to suggest an alternative - but they're still convinced that you don't need a car and they are genuinely puzzled why more people aren't using "RedHat Linux" instead of cars...
... also only Ford make cars and the only real alternative is something completely different and then pay consultants to customise it and retrain your entire workforce at great cost and upheaval for little to no return, except hoping for an increase in security but not being able to prove same, or even clearly nail down what that means precisely.
One should be wary of anyone selling you a solution to your problems they know nothing about. Naturally, the only way to be entirely secure is to shutdown all the applications and decommission all the computers, a solution which the business side tends to finds unreasonable. Thus the tender balance between business needs and business risk emerges as the deciding principle.
But the numbers are the numbers in heterogenous environments, regarding security problems by platform. And if it rains perpetual Windows-based incidents on your security staff, and you don't consider the numbers when evaluating what you will and will not do, compute/services-wise, then you are statistically likely to see the same rate of incidents, at whatever cost that comes to the business, indefinitely.
> "a solution which the business side tends to finds unreasonable"
Isn't it odd that "unreasonable" solutions keep being suggested in threads started by people who first push Linux, and second ask what the thing even does anyway.
> "Thus the tender balance between business needs and business risk emerges as the deciding principle."
There is no tender balance and this is nothing like the deciding principle, and again it's illustrative that in a world where big organizations turn to poor quality software with poor UX for reasons like "nobody got fired for buying IBM" and "I look good on the Gartner report" and "the vendor will bend over backwards to make our auditors and legal team approve it" that Linux people go for the only thing they have going and try to suggest it's the most important thing, even though it's demonstrably an afterthought or a never-thought.
> "you are statistically likely to see the same rate of incidents, at whatever cost that comes to the business, indefinitely."
And you see this happening for literally 30 years and the "whatever cost" being written off as a business expense that has never changed anything, but you still call it "the deciding principle" when the evidence shows that the decision makers barel consider this at all?
> In the private sector, there's a slightly more direct link between job underperformance and being fired.
Not in my experience. Connections are most important than competence in big corporations. The bigger the company the most is works like the old Soviet Union.
In most big companies you don’t really get fired for bad performance (as long as you try to do your job).
In my experience you only really get fired when the command from top comes to cut X% of the workforce (sometimes this is yearly due to stack ranking systems) but even then the best way to keep your job is not doing a good job. In actuality it is connections (being good friends with your boss)
Remember a lot of large mulinational companies are larger than many small countries so if you have a very large multinational company you're gonna have the same type of corruption and inefficiency as in countries and governments. Of course if you have a small startup with 10 people and the owners are very involved in the day-to-day business they can probably spot when there is underperformance but in a multinational company where you can barely know who is responsible for what probably not.
And if your strategy fails, you (usually) can't raise taxes to make up for lost revenue. So there is an even more direct link between underperformance and losing money.
If your strategy fails the government bails you out, or you float away from the burning wreckage on your golden parachute until you land in a new job at another company which you can then ruin without meaningful consequences or you just retire with the millions you got in your severance package and live the rest of your life carefree.
I don't get such incomplete, selective, comparisons.
The country can't go bankrupt and you just found another one.
Yes, when a country messes up they have to actually fix things, there is no way around it. Except getting merged into another country - like my birth country, the GDR, ended up as West Germany's problem (but its people still had to do the work).
Also, if big enough companies (and banks) fail, it is the same. Not having a string government would not help either, in such cases the companies would be the government, as we saw in even wilder times of huge companies and much less state in the US some century or two ago.
At some point in the hierarchy you have to live with not having omniscience and accept that sometimes things don't work out, and that you can't just walk away from the consequences of those failures.
Oh boy. Haven't watched much US news since, like, Reagan, have we? Dumping the debt of your failures on future generations has become somewhat of a competitive sport in politics. Can't really do that in the private sector.
But nobody gets fired to spend money on stuff made by giants such as IBM, Oracle or Microsoft, regardless of the issues than can arise, while choosing a less known competitor is a liability for the decision maker, even if the impact is much smaller.
Nope. That correlation disappears completely for enterprises of larger size. I have more often than not seen the least (or even negative) productive climb the promotional ladder in those environments.
Exactly. I worked for both public and private sector clients. For departments/companies of the same size, there is no difference in attitudes and behaviour. People seem to percieve a difference, but that is mostly because they compare big gov depts to smaller private companies, not equivalently sized enterprises.
For small companies, they just look at the "winner"'s operation, not including the "waste" of the other 39 "losers" that failed.
Most enterprise PCs are Windows machines and integrate with Microsoft services easily. The only way Microsoft is going to lose the enterprise market is if enterprise PCs move away from Windows.
But, for enterprises, the only reasonable migration away from Windows is Mac. JAMF Pro for Mac can be hosted on-premise on Linux. The majority of enterprise software runs on Mac. However, Macs are expensive so it's unlikely to overtake Windows enterprise machine usage.
Hardware support for Linux PCs is poor and lacks the manageable of Windows PCs with Active Directory and GPO, or JAMF for Macs. Enterprise software usually doesn't support Linux. Linux PCs are uncommon for personal use and corporations don't want to train users how to use Linux.
"Hardware support for Linux PCs is poor and lacks the manageable of Windows PCs with Active Directory and GPO, or JAMF for Macs. Enterprise software usually doesn't support Linux. Linux PCs are uncommon for personal use and corporations don't want to train users how to use Linux."
I would dispute the "hardware support" comment. Linux has pretty good hardware support nowadays. And "enterprise" software is a vague term here. For desktop Windows, of course Microsoft will have that covered every which way, but for things such as authentication, authorization and security, Linux has a place. A comment about adding "Redhat" to the mix is not talking about desktops (necessarily) but servers and security.
There are still plenty of issues with bluetooth, batteries, microphones, gpus, touchpads etc when doing a clean install of Ubuntu on any random laptop.
True. But larger orgs don't buy "random laptops". The trick is to just buy laptops where you know everything works, and the company making them has a commitment to Linux.
Buy your linux laptop fleet from Framework, System76, Starlabs etc and you won't have any problems like that. You might have OTHER problems, but not that one.
Do these companies support Net 30/60/90 payment? Do they provide enterprise support?
There’s a reason why corporations use HP and Dell machines. And there’s a reason why HP/Dell/etc don’t have Linux OSes on their corporate client machines. Well, they do, but companies don’t care to order them for the other reasons people have listed here.
I work for a company with 1000+ people in RnD doing software development. 80% of those use Ubuntu and have one desktop and one laptop (HP EliteBooks) and that works fine.
You are right that not all devices don't work perfectly, but the Bluetooth headsets, Bluetooth mouses, conference rooms etc. that the company supports are tested for compatibility before being bought by our IT department.
Canonical and Red Hat have certified hardware. Most corporate workers aren’t software developers. They just want their productivity suite for email, scheduling, messaging, documents, spreadsheets, and presentations.
This suggests that the main thing Linux needs, for broader enterprise adoption, is a much improved "log into something that quacks like Active Directory" solution. Not actual Active Directory, obviously that just contributes to the lock-in, but what else is even remotely as polished and well integrated? I suspect this is the true moat actually. Nearly every actual business has "log into our company managed authentication system and have our communication and basic productivity apps just work" woven throughout the core of onboarding.
Microsoft sure has a lot of warts, but even as a Linux enthusiast, I cannot deny that Outlook "Just Works" with a frankly shocking set of basic stuff. Login for the first time, check your email, hey there's your meeting with your manager on your calendar, and now we can add new events just by putting you in this group, etc etc. There's dozens of little integrations baked in here that a tech enthusiast could feasibly replace in isolation, all of which vanish the moment you turn off the Exchange server or whatever it is. It's way more complex under the hood than most people realize, which is why "ditching Microsoft" so often turns into "Adopting Google Apps", as they have a similar turnkey solution to most of the same problems.
Not meaning to be a big ball of negativity, but as I haven't really explored here... in the FOSS space, what is the equivalent? Which tools are the most polished, and what server backends could be hosted on-prem to gain the same basic integrations with login, email, calendar, chat, and video conferencing?
Amen .. and this has been the case for a very long time. I remember transitioning my startup employer to "small business server" (Active Directory+Exchange) over 20 years ago. Why? Email and calendaring, especially - remember this? - Blackberry integration.
Everyone above middle-manager level lives in meetings, which means that the calendar is a critical piece of productivity software for them, and they want the comforting familiarity of Outlook. Which means they get to impose that on a whole organization.
The company that should be doing this kind of integration is Red Hat, but they've never quite managed it.
The open source solution space is probably LDAP and CalDAV, but as you say, nowhere near as conveniently integrated.
AD integration and desktop management solutions rule the Windows desktop. But not Macs in an organization, which are an absolute pain to manage, and yet somehow persist.
Perhaps it's not enough for there to be a "push" to Open Source because you've been failed by a proprietary solution, there needs to be a "pull".
> Perhaps it's not enough for there to be a "push" to Open Source because you've been failed by a proprietary solution, there needs to be a "pull".
Absolutely. A company isn’t going to create a GitHub issue and wait around. You can’t make service agreements with FOSS. There needs to be market forces to sell this software to corporations and it’s a hard sell.
Even macOS has a ton of goofy workarounds and third-party products required to get that level of ease for logging in with a corporate identity and having everything "just work". It's only finally getting close in Tahoe with the new additions to Platform SSO, but close is not "feature parity" either.
Apple focussed on consumer and even shunned the enterprise.
MS for all its flaws, welcomed, targetted and tried to support scale operations in larger business environments (Imaging, AD, GP, SuS, bitlocker, ...).
Also, if your only fix a hardware problem option was to "visit the 'genious bar'" and wait 6 weeks for a machine to come back, vs the Dell/HP/... service of "same day onsite repair", what is IT going to prefer for client computers?
Apple has changed their tune, in so far as they probably need some level of identity management on the Mac, crypto-key escrow, restrictions, and so on. Their Device Management framework is quite capable.
For large enough businesses Apple will let you do your own self-service repairs too. On-site. Order the part and you're still in warranty.
I'm in the manufacturing sector, on the integration side of things now, but yes, change is always a battle. The way I see it, the problem is two-fold:
Side 1: the workers, especially the labor portion, are extremely resistant to learning new ways to do things unless you can prove, beyond the shadow of doubt, that the new way will be easier than the old way (aka, less to remember/think about) but also does not diminish the quality of their work or increase the perception that their coworkers might see them as having it easier than them.
Side 2: the people responsible for purchasing and resource allocation often do not know what they are buying. In any shop, if you say "we need new PC's for the office" the first thing the purchaser will do is ask a supplier for a deal on a fleet of Dells because that's just what they've always done. If the company is larger and has an actual IT department, they will just provide Windows PCs because that's what they were trained to support. The alternative, Linux, is never considered because they simply don't know anything about it and it's not being offered by their suppliers anyway, so why learn?
Going Mac in an enterprise environment is a stupid move. Apple is constantly changing how MDM works. One week they'll go all-in on some method of doing things, and tell everyone they must comply or GTFO. The next week they'll completely change their minds and gaslight you, saying that old way is stupid and nobody should have ever used it ever. Then they will put in blocks to prevent it from working. This means all the work and tooling that people poured into it are just dead.
It’s been pretty consistent with how macOS MDM works with device profiles. The software to manage provisioning of device profiles may have changed, but at the OS level it hasn’t.
Neither of those claims is true in my experience. MDM is par for the course for SOC2, which is increasingly popular these days, and managing MDM seems like one of many responsibilities of ops teams.
I've worked in two 5k-10k companies in the past 10 years with 80+% of MacBooks in the fleet, all managed through MDM and as an end-user I never experienced issues. Unsure how the IT folks felt about it but they managed it pretty well if I didn't experience any problems for so long.
I can assure you, the DoD isn't a bunch of windows servers hosting sharepoint for the public. Federal government IT in general is a RHEL shop, at least serverside.
Only because Microsoft offers “certified professional” badges and the MSCP’s are pushing the only thing they are certified for, and the corporations buy into the whole “certified” thing.
I have a ton of customers where the admins are constantly reminding everyone about the certifications they have, all while their basic security is below average.
> when more secure (Linux-based) options are far cheaper and widely deployed
Hold on, we are talking about SharePoint here. I don't know any software that could replace it, that is allowing office suite to collaborate in a way SharePoint Server does it (versioning, concurrent editing, online editing, workflows, customizations, OneDrive, IRM, compliance, search etc.)
Even in a windows environment. Can you name more secure, cheaper and widely deployed alternative?
This is SharePoint on-premise, so Google Workspace isn’t a good comparison?
Also, even if we do look at cloud: Workspace isn’t bad (exception: sheets vs Excel), but SharePoint is the center of Teams, Power Platform, PowerBI… to replace M365 with Workspace means a lot of research, setup and testing of 3rd party alternatives to the above.
If you’ve ever worked in a well configured Microsoft stack, nothing beats the integration.
There’s no reason to believe Workspace would be more secure if it had the same feature set/integration configured.
Unpopular opinion but I don't think this solves anything. The exploit wasn't an OS exploit but a userland app exploit (Sharepoint Server/App). These attacks will always be developed until we're able to write perfect exploitation free software.
If the government was running Red Hat with 'open source SharePoint alternative' the headline would be 'open source SharePoint on-prem solution exploited'.
Microsoft invested in making integrated Windows-based business software and a big closed-source ecosystem and/or bought other tech companies that previously developed similar tech. Some of them older than Red Hat even Microsoft.
Where is the equivalent tech on the Linux side that Red Hat developed? They simply didn't have a competitive enough alternative. Usually anything outside of cloud/web server space, you'd find alternative open-source projects rotting with non-clear ownership and year old last commits. Red Hat and Linux world weren't interested in developing those things. They weren't interested in making competitive user friendly alternatives that enabled non-programmer users. It is hard, thankless, soul crushing work that nobody does anymore since Microsoft bought or eliminated them. There are simply no equivalent alternatives in the open source world because competing with Microsoft requires accepting significant losses as a company for a long time. Google Workspace is a thing only because Google can finance its developers with ad money.
Just having Linux is no golden key to security either. You need to put the exact amount of barriers in front of your on-prem servers regardless of the OS.
The whole security mess is just the symptom of capitalist economy. Most companies give 0 fucks about it because caring about security is costly and time consuming. With the race to the bottom for first-to-market, caring about security is a risk, it is a distraction. They ignore it until they establish a position and maybe their misdeeds become a liability. However, no company got actually severely punished for not caring about security. So it is still seen as cost by many.
Most government IT is using RHEL. You are correct, it is because of the thankless work they put into long term enterprise support. Microsoft doesn't do anything like that.
Red Hat were interested. They funded desktop Linux heavily for a long time. It didn't work because the (non-capitalist!) ideology of Linux is incompatible with success, and Red Hat always tied down by the community they chained themselves to. Desktop platforms have far more hardware and software heterogeneity than server platforms do, the pace of innovation is much faster, and they require the ability to ship closed source software, closed source drivers, to innovate and then for people to capture some of the value to fund all that.
For the longest time desktop Linux simply tried to clone Windows/macOS. Eventually Red Hat came to dominate GNOME enough that it developed a bit of its own personality, but the kernel and software distribution approach always held it back from even matching its competitors in usability, which wasn't even close to enough. Apple have executed excellently for decades and even they only made progress in the pure consumer space, the enterprise space is one they never tried to attack despite having the money needed to do so.
Capitalism isn't the problem here. Communist software isn't exactly famous for being impenetrable, in fact it's more famous for hardly existing at all. Google and Apple are highly capitalist, and their security stance is much better. The problems at MS are deeper.
Probably because most Linux users aren’t looking to share (or even use) office documents. Linux collaboration happens on wikis, message boards, and Git.
> Why do Microsoft products enjoy a monopoly on the server in these sectors when more secure (Linux-based) options are far cheaper and widely deployed already?
Because there is no FOSS solution even coming close to the level of out-of-the-box integration of Office 365. Thunderbird has zero integration with LibreOffice, LibreOffice has zero integration with Owncloud (or whatever else one might use), neither has integration with a softphone software, much less a backend like Asterisk. And some software like Sharepoint or MS Access doesn't have anything on the FOSS side.
The problem is, decision-makers will not go for the "secure" way, they want a solution out of "one mold" - and so do users. It is a common complaint when trying to set up a FOSS solution, users complain that they have to learn and memorize different ways of doing the same thing across different application... and made worse by many FOSS projects not having UI/UX designers at all that care about consistency even in the scope of the application itself.
And on top of that, many data exchange formats are not just "old", they're "fossil" and don't even come close to meeting the demands that people have come to expect.
In every single company I have been working in the last 15 years, information was spread across so many different tools that integration was a moot point: Office365, Jira, Confluence, a separate ticketing tool, some mkdocs or single markdown files in repositories, spreadsheets, dedicated HR web portal, intranet, internal blog/comm/social media... Even within Office365 information is stored randomly as office files in sharepoint, teams channels, personnal onedrive, emails, copy/paste in teams, teams channel onedrive synched drivees, onenotes...[1] Also RBAC makes sure that whenever you came across one doc containing link to other stuff, you end up having no access to half of the links
Bottom line the tightest integration doesn't reduce any friction because there is not a single toolsuite that fits every use case and people end up making a mess of everything. You never know where you can find the information and every single teams wiki ends up being a collection of links to a myriad of different places. Also half of the people still email people documents instead of the links because they don't understand anything else.
[1] yes it is in the background the same product but people access them and more importantly know or search the information in totally different ways.
You are very close. But Office isn't the secret to Microsoft's unassailable dominance in enterprise. I could remove Office at work and we'd be okay.
Active Directory is the key. A unified management of users, devices, groups, and policies that everything else is built on. Nothing outside of the Windows world even comes close. There's Linux tools to impersonate or talk to Active Directory, but no alternative to it.
Group Policy lets me set up any number of tens of thousands of configuration changes and apply it easily to any group of users or computers with a few clicks, regardless of device manufacturer. Linux distributions aren't even consistent enough about which system tools are onboard, much less what policies can be configured on them. Web browsers all have Group Policy plugins, so everyone's web browser is configured by Active Directory too.
Linux is a hellhole, for Mac JAMF fills the gap pretty well.
For Linux, I'd probably whip up Ansible these days if I were tasked with it, but getting it off the ground is ... nasty. Set it up as a systemd unit to run on boot, login and network-online.target, and that's it.
One of the answers should be for the DoD, or any other such military institution, to try and rely a little bit less on everything being "digitilized", or at least to change it all into a more fragmented data/information "archipelago", with no centralised unique source-of-truth.
The clients of said server are not going to be Linux. Running a secure, working, manageable CIFS server on Linux serving Windows clients is surely going to cost much more than just using the Microsoft solution. Some products don't even work at all with that configuration (e.g. Quickbooks Enterprise).
Could be that Microsoft can navigate all the regulatory bullshit that surrounds anything government. I don't know of anyone doing that for anything Linux.
There's tons of Red Hat in federal IT, that's not the issue. It's just that Microsoft dominates the client-facing software business, and Red Hat has minimal presence there so while you might see RHEL desktops at e.g. NASA you're unlikely to see them anywhere else, and there's no real open source equivalent of SharePoint or Office out there.
Maybe [0] will be one, eventually, but it would take a long long time to replicate the functionality if it were to ever happen. Best case scenario is that the EU were to fund an open source solution.
> Schleswig-Holstein, one of Germany’s 16 states, on Wednesday confirmed plans to move tens of thousands of systems from Microsoft Windows to Linux. The announcement follows previously established plans to migrate the state government off Microsoft Office in favor of open source LibreOffice.
People don't take it seriously because European governments have a history of making announcements like this and then rolling it back in favour of a return to Microsoft.
Lets see what happens when they try to move finance of Excel. If they are successful there, then there might be hope, if not, then they will eventually go back or have 45% of the company on some kind of exception.
> CISA advises vulnerable organizations [...] to disconnect affected products from the public-facing Internet until an official patch is available.
It's interesting to me that you'd go the hassle of hosting your own SharePoint on prem, but leave it internet facing. I would have assumed a the Venn diagram of these organizations to be entirely contained in orgs forcing you to use a VPN.
CISA is so so vital. Investigating incredibly wide ranging attacks like this, or the Salt Typhoon attack are vital for this nation. But the show is being run by a bunch of people who value political dogma far above anything else. https://www.techdirt.com/tag/cisa/
So true, they make bullshit that affect security also on some security tools analyser … do not worry NSA everything is fine, you are not at risk against worms xD
Best practice is to assume the network is compromised - a VPN doesn't provide as much guarantee as people would like. In large fleets, devices are regularly lost, damaged, retired, etc. In organizations with high target value, physical penetration through any number of means should be assumed.
So you don't do that. You use zero trust and don't care that things are exposed to the internet.
Working from anywhere (remote sites, home, your phone) is a huge benefit. Organizations want to control their data entirely while still wanting their organization to be able to access it.
Microsoft’s version of “Zero Trust” doesn’t care if things are reachable from the public internet. They have been preaching “identity is the new perimeter” [1] for years, and it doesn’t wash.
The NIST Zero Trust Architecture (ZTA) implementation guides (SP 1800-35) [2] cut through the nonsense and AI generated marketing smoke.
In ZTA, ALL network locations are untrusted. Network connections are created by a Policy Engine that creates and tears down tunnels to each resource dynamically using attribute-based-access-controls (ABAC). Per request.
Microsoft doesn’t have any products that can do full ZTA, so several pillars are missing from their “Zero Trust” marketing materials.
why bother when not a single vulnerability has resulted in any appreciable fines or loss of market share? it's absurd how untouchable their ubiquity has become.
That's pretty accurate, if you want modern practice and product quality you go to Google or Amazon, if you want compliance and reassuring the board, you go to Microsoft.
> Network connections are created by a Policy Engine that creates and tears down tunnels to each resource dynamically using attribute-based-access-controls (ABAC). Per request.
What does it mean in technical terms? What kind of tunnels are whose and what is their purpose?
There are four different micro-segmentation variations in the NIST reference guide: device-agent/gateway, enclaves, resource portals, and application sandboxing.
Basically a policy evaluation point (PEP) evaluates the security posture of both parties before and after a handshake, then creates a logical or physical path of some kind of between the actor and the resource. This can be done with software-defined virtual networks and stateful firewalls, at one or more of the OSI layers.
So the policy evaluation point has the keys to the kingdom and is the single point of failure, vs standard distributed authorisation declaration that would be up to each component of the system to implement.
In zero trust "exposed to the internet" is a bit of a misnomer compared to how traditional security would use the term. A better description might be "you're allowed to form a session to it from over the internet but only after your identity and set of rights have been verified". From this view: "zero trust" < "vpn" < "wide open" (in terms of exposure).
So it's essentially a more seamless and granular analog of a VPN? A device sits in front of the network and requires some sort of authenticated handshake (ideally all SSO) before passing packets through to a target endpoint?
Something I'll add to the other responses is "the network" isn't an assumption of zero trust. Whether it's a single server on the private corporate network or a multi-cloud multi-region service hosted on the internet zero trust treats them the same.
My way of mapping it to VPN mindset is "per app clientless VPNs straight to where the things are hosted". In an extremely open ruleset with all of the servers on a corporate network this could theoretically devolve into "a traditional clientless VPN to the office".
They can be implemented using a variety of technical patterns but they all share a common "each request is authenticated, encrypted" property instead of "anything goes once the tunnel is up" property.
HTTPS calls with any kind of authentication (cookies, tokens, even basic auth) are one way to be "authenticated, encrypted" for "each request". If they go to a reverse proxy at the entrance of a company network (a common setup for every internet facing http server) they are a way to do without a VPN.
And yet every customer of mine have some of their servers on a VPN. At the very least they enable ssh only on ports on the private network.
Yes, that's zero trust in a nutshell: A VPN that does a tunnel per TCP connection instead of one tunnel for all TCP connections.
The other salient point is that all connections are established outbound through a broker, and importantly this is the case from both sides: The appliance at the terminating end of the tunnel establishes reverse tunnels to the broker for the connections, so it's never "exposed to the internet".
The broker can then push to your SIEM or whatever so you can have your SOC log jockeys harass your employees for accidentally leaving NordVPN on after watching international sports.
There are actual benefits: You can do things like allow logins to system A from anywhere, but system B only from your home country, you can do JIT network access requests, etc... but mostly it's vendor marketing to get you to spend too much money.
Think machine certs (stored in a TPM). Plus perimeter-enforced username/password/2FA. Plus additional policy checks, like making sure your machine is up to date on security patches.
It doesn’t matter what network you are connecting from, but it does matter that you’re connecting from a company-issued laptop that’s in a trustworthy state.
Sounds like multiple single points of failure to make a security infrastructure so hostile to the end user it would be considered the equivalent of being under persistent attack.
The big difference is once you’re in, with a VPN you have direct access to the whole network.
With a zero trust setup, access has to be granted to you (or your ACL group) on a per-application basis. It makes it much harder for an attacker to move laterally when everything is default-deny.
But you can combine VPNs with SSO and limited permissions. Real networks all work that way these days. Logging into the VPN doesn't get you very far, you'll need to be provisioned with specific apps and permissions too.
In a pure implementation, the same level of trust is implied (absolutely none at all) whether a device is connecting to a resource from the public internet or the same subnet.
Arainach is advocating for something called "Zero Trust" which, from a user's perspective, is very much like a VPN.
It's software your employer pre-installs on your work PC, that asks you to log in with your work SSO credentials, performs some endpoint security checks, then routes your traffic over a virtual network adapter, and thereby allows you to access workplace resources, even when working from home.
The main difference is it adds some semi-authenticated states. Correct device, username, password, and 2FA, but failed a device posture check because they plugged their phone into their laptop to charge it? The 'Zero Trust' system can block some systems, while letting them retain access to others.
The other big difference is the pricing - rather than paying a five-figure sum upfront for networking hardware, you instead pay $25 per employee per month, forever.
Zero trust is when every session with every service is like its own VPN, independently authenticated and encrypted. Consider the way an HTTPS session between a server and a browser is created anew every time the browser accesses a domain, and ends after a short flurry of requests needed to load a page.
There's a significant difference which my original message hints at and is subsequently clarified: there's still an intermediary. If there's an exploit in the service, like this case, it's still not directly exposed. The intermediary device is still sitting in between and won't allow any old traffic through without separate authorization
The product was explicitly promoted as being useful to run public websites. Before cloud took off we had Microsoft sales people in our office announcing the death of Wordpress with the latest Sharepoint release. That position may be old, but plenty of orgs live in the past.
> It's interesting to me that you'd go the hassle of hosting your own SharePoint on prem, but leave it internet facing. I would have assumed a the Venn diagram of these organizations to be entirely contained in orgs forcing you to use a VPN.
It likely will be entirely contained, at least in theory. Because is your IT and OT isolated? They should be, but man could I tell you something about the energy and public sectors... Let's just say, that if you're in an organisation with any sort of OT, then you may as well assume that everything you have is facing the internet in some way. I suspect it's frankly like this in any sort of enterprise organisation getting worse the more the org views IT purely as a cost center.
This is why we don't just rely on things like VPNs. Everything we have uses port security (mac-adresses) at a much more ganular level than the VPN does. At least for the parts of our systems landscape where this is possible. With something like SharePoint it's hard to allow specific devices because it's usually something everyone should have some sort of access to. Then you have all the organisations where SharePoint also has some sort of non-VPN access because some CEO level wanted it at one point since they can't be bothered to bring a work PC to their Holiday home.
The answer is contractors and consultants. State agencies routinely work with third parties that need to be able to share files. Obviously this isn’t universal but it isn’t uncommon.
That’s the whole thing with Azure; it blurs the line between on-prem and cloud “because you can.”
I never remember thinking years ago how nice it would be to have all of our private docs that we only need to access on our private network accessible to the public. I just wasn’t thinking outside the box enough.
> It's interesting to me that you'd go the hassle of hosting your own SharePoint on prem, but leave it internet facing.
Once upon a time Microsoft marketed it as, and a lot of Orgs adopted SharePoint as their Intranet. With SharePoint 2019 being sunset, a lot of Orgs are scrambling to implement replacements.
> “Anybody who’s got a hosted SharePoint server has got a problem,” said Adam Meyers, senior vice president with CrowdStrike, a cybersecurity firm. “It’s a significant vulnerability.’’
Senior VP at CrowdStrike, so a professional in destroying large amounts of systems.
I have spent far too much of my life on SharePoint.
Having it internet facing has never been a good idea.
Not really what it is meant for, though the promo verbiage
on that has changed over different versions.
Some folks wanted SharePoint as their "web server",
I would set that installation up entirely separted from
all other instances they may have on the network.
Actually it wasn't too long ago, in the early-2010's, that Microsoft was promoting SharePoint for internet sites; I think at one point some Europoean car manufacturer (BMW? Ferrari?) had their global marketing site on SharePoint. Of course that didn't last long, as Microsoft licensed it at a crazy price ($40k per site or something like that).
The Navy still runs more than a few web servers using Sharepoint, albeit behind dedicated network firewall appliances.
The Secretary of the Navy's page (at https://www.secnav.navy.mil/Pages/default.aspx) for instance, is a Sharepoint site. I used to maintain a Navy website hosted under there, and had a bunch of Hugo-specific scripts to convert a Hugo static site into something I could upload to the Sharepoint and have it mostly still work (which involved things like rewriting links and renaming files to end in .aspx).
Well, they would have had to purchase one Client Access License per potential device or user that would access the website. Since there's about 5-6 billion people with internet access, and a CAL is about $50 a pop, that would be roughly two hundred and fifty billion dollars to fully and correctly license a public server.
I worked on a couple of public facing SharePoint 2010 sites for large, well known companies before while it was in RC and immediately after - MS had a big marketing push to get people to build more than Intranet portals on it at the time. It seems like that died off entirely once Office 365 came around, and it was never a good idea in the first place, but it was definitely a thing.
And it probably needed a very hefty bunch of servers, even after caching, if you needed just a little bit of dynamic content or interaction with the site.
Microsoft.com and Office.com used to be entirely built upon SharePoint, as SharePoint solutions. It was to prove it out as possible, eat your own dogfood.
I think the shift away started in 2013 or 2014, but you can imagine the throw away effort spent on it.
Not sure about microsoft.com, but office.com frontend "rendering" SharePoint instances were read-only, not plain SharePoint exposed as-is.
Yes, as is OneDrive and Teams file sharing. Those, however, are part of SharePoint Online. SPO is distinct from this CVE, which only applies to the standalone SharePoint Server.
What I was kind of implying is that if the codebase is not that different maybe there has been a complete breach of office365 and Microsoft has stayed quiet about that.
You're joking, but many of the code bases I saw that were produced by/with AI-support are not maintainable by any sane human. The more you go AI, the less you can turn back.
> A programming flaw in its cloud services also allowed China-backed hackers to steal email from federal officials. On Friday, Microsoft said it would stop using China-based engineers to support Defense Department cloud-computing programs after a report by investigative outlet ProPublica revealed the practice, prompting Defense Secretary Pete Hegseth to order a review of Pentagon cloud deals.
Maybe instead of fines, large companies should be forbidden to do any new contracts for some months. That would be a larger incentive and also comprehensible to sales people.
In which magical country do you suspect this would be enforced ?
Microsoft also has a captive market here. Realistically you aren't going to migrate millions of employees and servers to another tech stack, even over something egregiously bad.
Something like storing cleared data really should be handled 100% internally with an open source stack that's regularly audited.
But that sounds really difficult, even if it would be cheaper or the same price in the long run.
I didn't suggested preventing the fulfillment of existing contracts. Nobody would change for all costumers. They just wouldn't get any new contractors.
If you happen to be unlucky and Microsoft just got convicted, you either need to wait some months or go to a competitor. The state shouldn't care about that, when your mechanic just went to prison, what you're gonna do?
But yeah I don't know any party who has such ideas.
The US doesn't either. Someone didn't comply with existing law here. I've been on a program where uncleared people from another business unit were used as internal labor loan for export controlled work. One of them was belatedly discovered to be a Canadian citizen and they were retasked the next day. There are strict rules in this domain. It's just that nobody gives a fuck about paying for an IT cost center to do things securely. Chalk up another win for outsourcing and moving to the cloud for cost savings.
I work both cybersec + fun/research, LOVE this resource and lucky to have come across it here. Subscribed via email & looking forward to RSS. Thanks for sharing it here!
Thanks so much, that really means a lot! I'm actively upgrading the feed right now: more vendors, faster signal (closer to real-time), and smarter triage to cut through the noise.
I’m also shaping a Pro tier and would love your input. Some of the things I’m working on:
Meanwhile, Citrix has been on fire causing much worse things (you can just grab any session you want and become anyone who's already logged in). Who needs to break into SharePoint when you're becoming someone who's already got access... including to everything else (not just SharePoint)
It's patchable, but it's been two times in a row now, and patching is always slow and incomplete.
I was just building a SharePoint integration for some enterprise customers (I do RAG on their data) and I find it brutal, that now, I have access to all their SharePoint data for all SharePoint sites. Even the ones I don't want to index. And I even use user login over admin/service key login.
AFAIK, the Oauth claims of SharePoint don't allow specifying particular projects only.
(BTW: same counts for platforms like ACC/BIM360)
If Sharepoint was an animal it would be a Duck-billed Platypus. I never understood why it got the degree of use that it did, even as a free product it was always best avoided. Everything seemed to be tacked on at a different angle from the normal one with broken interfaces in between.
this is barely one year after the CSRB recommended: "...Microsoft leadership should consider directing internal Microsoft teams to deprioritize feature developments across the company’s cloud infrastructure and product suite until substantial security improvements have been made in order to preclude competition for resources. In all instances, security risks should be
fully and appropriately assessed and addressed before new features are deployed."
These recommendations followed a review of MS practices following the Exchange online compromise. I highly doubt anything changed at MS since then.
At the risk of massive downvotes, I have to admit that a small part of me wants this so that maybe corporations stop using Sharepoint as soon as possible.
Seriously, I haven't used it since 2017, but every time I used it then it was the worst part of my day. I used to have a shirt that said SHarepoIT Happens that I would wear to work, and it seemed like the one thing I could get my coworkers agree on was that Sharepoint is terrible and we'd rather use anything else.
Each M365 Teams Team creates an M365 Group which creates a SharePoint site and Exchange mailbox. Teams channel files are stored in that SharePoint site. Teams channel messages are stored in the Exchange mailbox.
Private files dropped in Teams are stored in OneDrive (rebranded SharePoint). Private Teams messages are stored in the sender and recipients’ Exchange mailboxes.
M365 is SharePoint and Exchange. EVERYTHING is built on top.
EDIT: changed ‘individual’ to ‘sender and recipients’
The whole Microsoft 365 environment is a mess. The web interface of SharePoint is super slow and buggy.
Why do I have a useless "General" folder in the root of my SharePoint documents, which I can't delete? I don't even have access to Teams, because I'm using the Teams-less M365 subscription for EU users.
Every day I think more and more that I should just switch provider for my small company.
Throwaway account so keep this comment separate from my main account.
I used to work within the Office group. The way that data is organized in Exchange is mind-boggling -- and not in a good way, IMO. Its design is from decades ago, and trying to understand how to find something really takes a lot of experience. Without going into any gruesome details of how it works, I'll just say that it is a HUGE hurdle to being productive for day-to-day work.
Similarly, I'm not surprised that there's some kooky way that the Teams folks shoehorned their data into the existing Exchange system -- they probably have no other way to operate at that scale without taking years in writing their own database system. (I can't imagine that using SQL Server to do this would be viable, either, given what they want to do and the capabilities already built on top of Exchange.)
> The way that data is organized in Exchange is mind-boggling -- and not in a good way, IMO. Its design is from decades ago, and trying to understand how to find something really takes a lot of experience
I assume you're talking about MAPI, which owes some of its baroque nature to X.400. It definitely comes from another time. It always struck me as over-engineered.
On the other hand, it has also been ridiculously successful.
To be fair exchange works quite well for mail and calendar, it syncs very fast, is easy to set up and the cloud version is easy to administer (i never had to admin an on-prem exchange but ive heard its not fun).
Using this infra for teams makes sense since it already works well. As one poster said, its probably via some hidden folder.
I wonder what they did with skype, did they actually integrate any of it into teams or just dump it entirely?
Teams was built from Skype. The fundamental infra for communication (chat, video call) was pulled out of Skype as a separate component and integrated into both. Skype the client is completely sunset, but a part of its back-end will continue to be used.
Teams came from Skype. Skype Lync was just a client (so far as I know). Don't take my word for it though, I was not there during the transition, this is just my understanding from talking to the ones that were.
On-prem Exchange is usually fine. Migration is a pain, but for a mid-size org you can mostly just install it and use it. If you have multiple servers distributed globally and database availability groups and such, yeah, it gets to be its own thing, but that's because at that point you're huge and you're going to feel the pain no matter what platform you run.
I know it's popular to dump on Microsoft and there are some valid reasons, this is not one of them.
There are so many companies and businesses that rely on offline data, or silo'd data than will be tied through their AD LDAP account permission, M365, teams included, is such a better option than hand rolling all of them and praying you configured every service correctly.
I don't think this is nearly as crazy as you may think at first glance
Imagine if it was just a hidden (special) folder in an Exchange mailbox.
Voila, you already have a well-known and widely implemented and tested message syncing solution both for content and status (read/unread)
I assume Windows Phone worked the same way with its text message backup. When you'd set up a new phone it would take a while for your Microsoft account to finish syncing during which new messages would trickle into the Messaging app in real time. In fact if your old phone was still on WiFi new messages would show up on both. Still more advanced 15(?!) years ago than my Android today
When you dig it up, it is totally crazy and the total shit that we could expect.
Nothing works really well nowadays with exchange (classic, new, web, ...) or Teams.
It is a complex layer based on sharepoint, that was not designed for that, because OneDrive is so bad that they have absolutely no way to manage a proper sharing of files between multiple persons, and so even less between teams and orgs.
At some point Microsoft tried to sell some automatic DRM system based on SharePoint to some company that I worked for.
The sales pitch was that they could upload documents to SharePoint and when people downloaded the documents SharePoint would automatically apply DRM so the documents could only be opened by that person on authorised machines for a specified number of days.
Well, it turned out depending on how you logged in (using the same account, just different login forms) on the SharePoint server it would either give you the files with DRM applied - or the completely unrestricted files.
We got some senior Microsoft consultant working directly for Microsoft to look at it but in the end they were just as confused as us.
As a mid size company that does work with government agencies, it’s near impossible to use anything ‘better’ solution. Cybersecurity requirements are getting so onerous that Sharepoint is too commercially feasible of an option to use anything else for a shared file store between organizations.
The fact that Sharepoint sucks* doesn’t matter… because anything else is seen as a risk.
* folders with lots of files are hard to scroll through because each page is lazy loaded, the automation functions are buggy, logins between different M365 tenants breaks and is not correctable by a normal site admin, human readable URL paths aren’t standard, search is shit, tables/filters are buggy, the new interface hides a bunch of the permissions logic, some things like permission groups need to be managed via outlook, etc etc. I’m sure a bunch of my gripes are technically fixable, but these aren’t things that should need a web search in order to use/fix.
It’s not cybersecurity. It’s legal, trust me. For large corporations, eDiscovery is huge. Failing eDiscovery can cost a company millions. Having a bunch of different data sources makes it impossible, so companies stick with M365 as corporate policy and call it a day.
My company has SharePoint and another internal site for documents/notes (think about Notion/Quip/Confluence). The other site works quite well, and most developers write all their notes/docs on it. But some people just insist on uploading Word documents to SharePoint. So now everybody else has to use SharePoint as well, plus search twice whenever they need to find something.
My boss spent over a year trying to get me to setup Sharepoint. About 6 months into this, I finally looked into it and what it provided and said no. Eventually he hired a second tech and he set it up "in an afternoon." Good for him. Nobody ever used it. He also stole my high speed USB drive.
Clearly Sharepoint is being used. Otherwise, this would not be a news story. So if every single Sharepoint user switched to another piece of software, it would be more than nobody using it.
I think you missed the joke here, being that Sharepoint is installed in many of orgs, but never used after installation.
I have worked at an org that did the same. We already had Confluence. Somebody decided we needed Sharepoint. We licensed and installed it. Six months later we migrated the handful of documents and files and decommissioned it.
probably so. every corp I've worked for that had Sharepoint used it religiously. that is a whopping 3 different companies, but > 1 anecdotal experience. to be fair though, 2 of the 3 companies used it because the same person was at both companies and was responsible for using it at both companies during their tenure.
And sharepoint in large organisations I have been at recently is now using oauth which breaks Microsoft's own sharepoint client API. That whole software is one massive waste of time and buget.
Unlike Slack and Mattermost. Teams was designed by layers of middle managers at big corporate. Teams is literally everything wrong with big corporate in one package, being shoved by morons on small companies. Overall it's crippling the American economy.
Sorry to disappoint you, but Sharepoint isn't going to die.
This is actually a great day for Microsoft. People will come to their cloud solutions in troves after this and everyone will be happy. Maybe not everyone, but Microsoft for sure.
The only reason to get downvotes is nonsense of prefacing the post with the 'worry'. Sharepoint would be far from a first choice under normal circumstances (e.g. not bundled with excel and friends)
It is instructive that we are seeing the results of DOGE's work:
"The process took six hours Saturday night — much longer than it otherwise would have, because the threat-intelligence and incident-response teams have been cut by 65 percent as CISA slashed funding, Rose said."
I'm not sure which part pisses me off more: that tons of professionals lost their jobs and will likely not work in public service again because of it, or that through all that, they barely found any actual waste at all. A fucking farce.
Seems like generally it ended up being a surveillance play, in practice if not original intent. For example, Dog coin has been reported to be passing data taken from other agencies directly to ICE^[1] for law enforcement applications, and there was that other matter of logins apparently from Russia using accounts the Dog coin personnel demanded agencies create on their internal systems with (auditable) logging disabled^[2]. And probably more that I'm forgetting.
One does wonder whether this was all part of Musk's vision, or more thanks to the scum he hired to staff Dog coin and/or other lawless opportunists in the Trump administration.
The idea that Musk's intent was to gut all of the agencies that were in a position to regulate any of his companies does seem to suggest that DOGE was an outstanding success.
I see your refusal to acquiesce to Musk's appropriation of an innocent meme, and raise you a, "Keep calling it 'doge', but pronounce it phonetically to piss him off."
I'm assuming nothing of the sort. I assume what I always assume in these situations; that unqualified ignorant fuckwits convinced a bunch of other unqualified ignorant fuckwits to vote for them, so they could make their lack of understanding everyone else's problem. And likely get away with a huge sack of money Hanna Barbera style in the process.
The first obvious sign was that the people not holding office or having any access to government data were making unfounded claims about how the government was operating.
How about the fact that Elon and most of his cronies weren’t even born here and seem to feel that the people who were born here are stupid and/or lazy. Maybe only Vivek said that quiet part out loud, but they very much agreed on the solution.
There is waste. A God awful amount of waste, fraud, and abuse. You don't rack up a 1.8 trillion deficit and a debt per capita that is 7x the income per capita without waste, fraud, and abuse.
The problem is that while common sense would dictate those nonsensical expenses as such, they were part of the official process, so it was all legalized, so they avoid the FWA labels because the rule writers have made it so.
The problem with your argument is that Social Security (old people income), Medicare (old people healthcare) and interest on the national debt account for fully one half of total federal spending. Add in national defense and you reach two thirds.
Interest is trivially accounted for. We know how much debt is outstanding.
Social Security and Medicare expenditures are well within 5% of what should be expected, given the total population of the US and its age distribution.
Your God Awful amount of waste, fraud and abuse reduces to a fraction of a fraction of the total budget. A tiny fraction of a big number may be a big number, but it simply doesn't matter structurally.
The only way out is to cancel the entire military, slash social security or raise taxes. The rest of the stuff (even if it is purely waste with no useful purpose) simply doesn't add up to enough dollars to fix the budget.
I know this isn't what anyone wants to hear, but numbers are numbers and you can't just wish away unpleasant realities.
A solid portion of the 1.8 trillion figure the GP quoted was also the insane spending that had to happen to keep the economy somewhat afloat during the pandemic.
Of course in proper propagandist fashion, we only ever hear about how much money the undeserving poors got, and nothing about the millions upon millions of dollars in loans given to private businesses and their owners that were definitely, 100% used for them to weather the pandemic, and later forgiven despite being explicitly loans.
There is of course waste. But the budget for everything apart from social security, medicare/caid, and defense is very small in comparison to those. The US could cut everything except for those three and it wouldn't delay the debt bomb's detonation by more than a year. Current projections are around 20 years of current trends. The US has to keep borrowing, or the world economy breaks down with no reserve currency. The trick is that the borrowing needs to keep increasing the gdp at the same rate as the debt. I.E. the loans have to be spent on assets. That is not currently the case.
I'll tell you what pisses me off: Having to be subjected to low security services because one political party wants to run a reality TV show instead of caring for people. The consequences are all for us to bear.
Because the losers and deadbeats who run the government have not figured out the right approach to making "pay 20x the current budget to military contractors to do half of what CISA does" sound like a good deal for taxpayers.
I got a 502 Bad Gateway for all our onprem SP sites for a few minutes last night, which is very unusual. Wondering if this had something to do with that.
I tell you in good faith: the chaotic response would have been to not notice, not disclose, not fix, and then go to the press claiming everything is fine, and accusing anyone saying otherwise of having a nefarious agenda.
The root cause might less be whether an entity uses Linux or Windows but whether they use cloud or on-prem. No matter how skilled, the on-prem stuff getting maintained by IT/SOC (often external contractors) are unlikely to deliver the same level of diligence as one of the big cloud vendors.
Things are so complex we have critical bugs everywhere that can not be patched without major breakage. So what does a diligent org do? they make a risk-assessment to explain things away for legal & compliance purposes.
check your SCA/SBOM in any/most stacks if you think this is untrue ...
Haha, Microsoft, the source of all the leaks, it's always Microsoft, quick, let's give Microsoft even more government contracts! They truly are the best!
It's not right to victim blame but it's also not wrong. Akin to investing lots of money in a stock. If you took the risks of maintaining a public SharePoint server in 2025, here's your very bad day.
MS's hosted version of SharePoint. It's apparently unimpacted by this current round of attacks. DOD (since it's been brought up by other commenters) makes significant use of this.
People hosting SharePoint instances themselves. Some on-prem, some with rented computers. These are the impacted ones. It's not about "the cloud", it's about hosted SharePoint having weaknesses that were exploited and many organizations apparently leaving their SharePoint instances accessible over the open internet. These hosted instances are also probably old and unpatched which doesn't help things. Some (many?) units within DOD make use of this, but definitely not all.
I don't understand why anyone uses SharePoint. The product is extremely low quality. I have never met a happy SharePoint user. Now we also learn that it's insecure as well as having a horrible user experience.
It’s similar to Salesforce, Dynamics etc, they rarely achieve what they promise - the entire business is making executives feel like they’re transforming the business without taking on any risk.
> The process of reviewing the Epstein and Maxwell files was chaotic, and the orders were constantly changing - sometimes daily. One person I spoke to on the condition of anonymity said that many agents spent more time waiting for new instructions than they did processing files. But here’s what caught my attention: the files were stored on a shared drive that anyone in the division could access. Normally, access is only granted to those working on a project, but because of the hurried nature of the exercise, the usual permission restrictions were not in place. Additionally, the internal SharePoint site the bureau ended up using to distribute the files toward the end did not have the usual restricted permissions. This left the Epstein and Maxwell files open to viewing by a much larger group of people than previously thought.
So how does this work for someone to know what server to use the exploit? Do companies make their Sharepoint servers accessible to WWW? Do hackers need to use this on a network they've already pwnd? Finding out the FBI put something like this on a server open to the WWW would be classic. That much larger group just got a wee bit larger than they previously thought on their previously thought number.
If I am ever on the board of a company, I will always vote no confidence in the dipshit CTO or founder that willingly install/mandate use of Microsoft junk in the company.
As a corporate drone that has accidentally opened various Microsoft office suite links inside of Teams. My dislike for anything Microsoft continues to grow.
Am I surprised that sharepoint has vulnerabilities? Hell no.
Once worked at a place in 2017 with a dipshit CIO. Guy spent his entire time trying to evangelize Teams as the reason to switch to Microsoft. He ended up leaving 11 months into the gig and we were more than happy to stay on Slack.
It feels like Microsoft has a (bad) deal with every 3rd rate IT leader where the IT leader eschews Microsoft's BS in exchange for being "unfireable" because "who else knows how all the Microsoft stuff works?"
I wonder what drives people using Microsoft and then using more from this company.
We didn’t knew it better, back then. We knew it better, now. But migrating is work. So we prefer to suffer! And harm others! This Linux and BSD people are so annoying with their desire for compatibility. They shall suffer, too! And when we buy everything from a Monopoly, we don’t need to think.
Somehow. Part of the game is that you’ve always an excuse with Microsoft. You cannot made responsible? There is this quote about IBM:
Nobody Ever Got Fired for Buying IBM.
But I cannot remember stories about suffering from IBM forever.
From what I've seen in my industry? To pass all the liability to Microsoft.
"If something happens, we used enterprise grade industry standard software. We did our due diligence."
This outlook is basically why we can't innovate anymore.
I had to recently sit through a meeting where our CTO quoted all the "blogs" he's been reading as a way to slap down my suggestion for an in-house project.
It's why school boards don't do anything useful, among many many other things in our society. It's an endemic disease.
Most of the time it's extremely exaggerated, but it's trotted out and used as a CYA excuse almost immediately by most in the executive/managerial class. Both due to outright laziness and incompetence, and also as just a... why take any personal risk whatsoever making actual decisions with any impact if I can keep my cushy job and career rolling by being as milquetoast as possible.
Never mind you get the big bucks to make such important and controversial decisions at great personal (career) risk when some inevitably go wrong. Everyone forgot that part. Such roles should be hard, difficult, and risky.
They're using Microsoft because all of the alternatives have the same issues.
FOSS isn't magically immune to vulnerabilities.
It doesn't help that the FOSS community generally prefers the C programming language over more modern and safer alternatives as a cultural thing. The result is just as many vulnerabilities, if not more, per line of code or per feature. Keep in mind that SharePoint is an enormous product with a 3.6 GB ISO image used to install it. If you think anyone is able to develop that volume of server code and have zero vulnerabilities... I have a bridge to sell you.
Valid point about the image size. A possible sign for bloat? Bloat is danger.
Second:
C, C++ or Rust are our tools. Everyone prefers another for technical and personal reasons. A religious believe in salvation by the next programming language is not helpful and causing harm. I hope sanitizers for C/C++ improve further - which improved safety a lot. For C++28 or C++3x we can hope for further safety improvements. Which we need.
Most bugs are logic errors. SharePoint is - according to my knowledge - implemented in C#. The CVEs mention deserialization of untrusted data, improper limitation of a pathname to a restricted directory ('path traversal'), improper control of generation of code ('code injection') and so on.
I'm rather careful about people requiring another language and claiming it will fix everything. Reliability needs hard work (design, code, review, testing...more review) even with well selected tools. I guess Microsoft does that. And I guess Microsoft works like the rest of the industry, focus on time-to-market and building a monopoly in every area. That's why we see rapid updates in a lot areas and - worse - enforced updates. And why software is known for it's low quality in comparsion to other industries?
Examples:
GNOME opted to use JavaScript in the hype back in 2010:
* JavaScript reduced compatibility compared to C/C++.
* They suffered a lot from memory-leaks. Due to JavaScript.
* The run-time modification seems not to be a big benefit.
* Extra dependencies for JavaScript. More memory usage.
The code matured and it works now rather well. I didn't liked the decision back then. I don't like it now. But I also don't request a rewrite in C, C++, Rust or Python. Without good reasons (plural) it doesn't benefit the project.
Java also suffered. This rewrite of C++ to Java with JRE is a example, why rewrites for the sake of rewrites aren't a solution:
Rust has never been successfully used to develop large-scale software of the size of SharePoint, Exchange, or anything of that order of magnitude: gigabytes of compiled code with the main executable being 10s of megabytes in size.
An observation I've made about Rust is that because it eschews OOP, it tends not to "scale" to large development teams for single applications. It's great for CLI tools, small web apps, etc... but after some scale it runs out of steam.
This is exacerbated by its glacial compile times compared to other languages, even C++, let alone C#.
I just can't imagine something the size of SharePoint being developed entirely in Rust!
Think of an app like SharePoint as "Linux Kernel + Drivers + Userspace tools". There's a few large monolithic executables some tens of megabytes in size for each of the core web apps and services, and then hundreds file format converter plugins, database drivers, etc, etc...
Chromium is similar. It's practically an operating system now, it even has USB drivers! I had to compile Chromium from scratch once, for which I spun up a 120-core cloud VM with 456 GB of memory so that it wouldn't take all day.
With Rust... that would take all week even on that box.
I mean.. people contributing to FOSS generally program in what they know - i.e. I have some time to contribute, I'll spend 10 productive hours in C, because I know what I'm doing, vs. learning Rust only to spend 30 hours and not really getting anything done.
I contributed to a Tcl/Tk library that I was using at work that had a specific issue with some image files, so I fixed it internally, and contributed the fix back to the FOSS project (with permission from work).
People working at Microsoft in the SharePoint team also program in a language/framework they know (and they must be masochists if they're working with ASP.NET WebForms). Knowledge of the language doesn't prevent vulnerabilities.
Genuinely asking - is there a Linux alternative to Sharepoint? I couldn't care less if it was lit on metaphorical fire and dumped into the sea, but a lot of orgs using it extensively.
For collaborative documentation, there’s probably a bunch of alternatives.
But SharePoint is the linchpin for Microsoft 365. Well technically SharePoint and Exchange. You can’t use any Microsoft 365 products without SharePoint.
OneDrive uses SharePoint. Outlook Groups and Teams Channels create Microsoft 365 Groups. Every Microsoft 365 Group creates a SharePoint site. Microsoft Loop uses Microsoft SharePoint Embedded.
SharePoint is now a “file and document management system suitable for use in any application”.
So, if you want an alternative to SharePoint you would need an alternative to any M365 Product, including Outlook and OneDrive.
Fun Fact: Teams messages are actually stored via Exchange Mailboxes.
Google Docs and Libre Office both produce compatible documents. There's really no reason to force one or the other.
It's just conflating needs. Document editing and file storage are two different tasks. It's weird that people want everything integrated. It's not much effort to just drag and drop a file into G-Drive, OneDrive, Dropbox, box.com...
What people want are systems that compose and work well together. That's what MS provides, or at least attempts to provide, with SharePoint. When you start trying to tack on collaborative document editors, workflow management systems, shared storage, and other capabilities from different providers or systems you run into more and more complications (especially because most of these don't offer any kind of standards compliance that lets them be used interchangeably). That's also why G-Suite works as a competitor to MS, it covers at least the more critical integrations that people want to work smoothly without needing to combine multiple maybe compatible things together.
Which is so funny because it was a pain in the ass on prem to make sharepoint work for that purpose. Silly item restrictions, complaints about database sizes (which stored the files), etc
Sure. Just saying when that first was brought up in 2007+ and I had to admin it and people loved their folders and searching and such wouldn’t work because if the view sizes.
> I've never been able to properly work on a Word document together with a colleague. Not even once
Many millions of others seem to do it all the time without issue. I've done it practically every day for many years now and haven't run into sync issues for a long time.
It's not made to sync if two people are trying to open the file off a NAS, it's made for people editing files stored in OneDrive/SharePoint.
But as both examples show, you need to have your document editing and document storage closely working together for multi-user live editing to work. That's something that so far practically only integrated editors/storage platforms offer.
Nextcloud, particularly with the Collabora Office integration for real-time collaborative document editing. It's got some rough edges but I'd say it suits the majority of use cases now. I suggest spinning up a copy of the community edition in a VM to give it a spin, I was pleasantly surprised. There is a lot of money getting poured in right now as entities outside the US are exploring ways to ditch American software.
Sorry, I don’t know the answer to your question, but I can offer some possible insight into why it’s used so much.
We’re on Microsoft 365 and technically fall into the camp of “uses SharePoint”, but only for “shared network folder” usage which OneDrive seamlessly synchronizes should you dislike the web interface. We don’t actively use any other features of it.
Also worth mentioning that realtime collaboration and automatic versioning of Office documents is seamless for files on SharePoint, even if opened on a desktop on a OneDrive synchronized folder.
Files shared over Teams as well as meeting recordings are also stored on SharePoint.
My point is that SharePoint is used a lot but possibly not in the way one might have assumed.
I don’t know if self hosted SharePoint can do all this.
For the file storage/sharing/collaboration part, yeah - there's plenty, and sharepoint arguably sucks even for that.
What trapped a lot of orgs is making use of the whole PowerPlatform around sharepoint. There's a lot of crusty old LoB apps built with MS's no code tools (PowerAutomate, PowerApps) which run on SharePoint as the delivery platform. Some of these even hook into Excel files stored in the various document libraries, etc. There are entire, large business processes being handled by this platform, and so migrating will require actual dev time, which automatically makes it a non-starter for most, unfortunately. Doubly so when you consider that a lot of these "solutions" were built by non-devs, long since gone from the company and no one knows how deep the tentacles go.
> Genuinely asking - is there a Linux alternative to Sharepoint?
Genuinely asking - is there a Microsoft alternative to eBPF, k8s, nginx?
The answer is NO. Alternative to SharePoint is SharePoint. I would argue such project just not needed in general and therefor there is no 'alternative'.
O365 is a poor amalgamation of like 18 different things. Quite frankly I hope there isn't a true "alternative" to it.
The reason orgs use Sharepoint is they are forced to if they use Microsoft. One drive is sharepoint, teams is sharepoint, sharepoint sites is sharepoint, etc...
I'm sure all those things have better alternatives, but Microsoft shoves them down your throat when you license with them.
But it's understandable why an org would prefer that to having to maintain and manage the 18 things, right? It's a hard sell.
I'm not saying that wouldn't be better, but it makes sense why an org would be reluctant. Again, not a fan of Sharepoint myself, but from an org's viewpoint, moving to Linux raises more problems than it solves.
It's understandable, but it doesn't excuse how poorly everything actually works and how confusing it is to use and administrate.
To some extent I think Microsoft is largely in the business of building solutions for problems that don't exist.
Most orgs are probably perfectly fine with a document management system + desktop word application and then a commercial NAS for bulk storage / backups.
As far as I can tell there's two vulnerabilities bundled up here. One is an unauthenticated command injection (!) vulnerability to steal some keys and the other is of course yet another serialization-based RCE in a safe language, mediated by signed cookies (signed with the keys stolen in step 1).
I don't understand how often this design has to blow up in people's faces until they stop doing this and use something dumb and safe instead.
I operate under the assumption that open source projects are compromised by states. If you espouse unpopular ideas or are yourself a state don’t rely on it.
Lets pretend what you are saying is true, which it is not. Who would you want to access your data ? The State or the "underworld". Many countries have laws on how to access your data. The underworld, you may wake up dead.
Granted there are countries that act like a Criminal Org., but if you live there you have more issues than your data.
With proprietary software, it is a much larger chance that backdoors exist than in Open Source. Many of us heard of 1 issue where it was claimed a project had a Gov sponsored BH in it. They did a long audit and found that was false.
Eventually Open Source backdoors will found in Open Systems. Proprietary you are SOL unless you do very expensive and very hard testing. Even then it is doubtful you will find a backdoor.
It is true. Denying trivial truths with the purpose of not giving an inch does not add to one's argument, it weakens it.
Plenty of closed source products will happily backdoor their products on request, without a warrant, if they are confident they will never be found out. That's the point. Not that FOSS source is somehow inviolable to nation-states with virtually infinite resources, many of which sponsor or contribute to the finance of a huge percentage of the development of FOSS themselves.
It's easier to find backdoors in FOSS if you're looking, because you're allowed to look. But somebody has to be looking.
IIRC Microsoft is rewriting some of these backend services in Rust, although not because it will increase security but because it lets them get better perf than existing solutions without the safety tradeoff they'd have suffered to go to C++ which would have been their option 15-20 years ago. I don't know whether Sharepoint was on that list.
SharePoint is primarily written in C# [.NET Framework 4.8] and leverages ASP.NET; there would be no reason to rewrite the majority in another language. There is some C++ in SharePoint Search (and a few other components here and there).
IIS which SharePoint runs atop of is written in presumably primarily C.
You can decompile most of SharePoint if you ever need to peek at the code. That's a huge advantage to figure out how it works.
Something to understand about the word “leak” is that it implies at some point it was keeping things in. Microsoft security is so underfunded and garbage, it is fundamentally making technology as a whole unsafe.
Example: if Kroger or whatever your supermarket of choice distributed meat that was infected they would get sued to bits. Microsoft distributes thousands of malicious NPM dependencies and underfund the NPM security team - if there is such a thing - resulting in an entire industry of supplychain security companies to exist. No other registry has the issue of malicious packages as badly as NPM since Microsoft acquired Github.
Microsoft just does not know how to handle security, which is why so many security companies exist to fill their gaps. I don’t trust their security practices one bit tbh.
It’s kind of wild how we end up here over and over, a big government breach, angry headlines, but the tech never seems to change (imo). If you work in IT, this whole SharePoint story is probably a deja vu,
A few real-world points that stood out to me:
- SharePoint (and a lot of other MS stuff) didn’t win because it was bulletproof, just because it was bundled “FREE” and nobody got fired for rolling it out in the 2000s. Once you’re deep into the Microsoft ecosystem, the cost and pain of replaccing is huge!
- Security honestly feels like a service for a lot of giants. When someone asks if it’s the number one priority, the answer from experiencem, is “no.” Cost, compliance available support, and how easy it is to blame a vendor if things fail tend to matter more.
- When people say Linux would be more secure in these environments, maybe. But if Linux or Red Hat took over everywhere, you can bet it would become the juiciest target immediately. Right now, Windows gets a lot of attention because it’s everywhere. And obviously, attackers like to go where the odds of a big payoff are highest.
- A lot of giants aren’t making decisions based only on security or technical merit. It’s about familiarity, employee training costs, consulting partners, and “safe” bets. If you pick Microsoft and get breached, it’s an industry problem. If you pick something niche and get breached... it’s 100% your fault.
- Resistance to change is real. Swapping out platforms isn’t just a technical lift. Management, end users, even IT staff get pretty set in their ways.
Honestly, unless there’s enough public backlash or a relgulation hammer, I don’t see the inertia breaking any time soon. For most companies, “patch and carry on” still beats “burn it all down and start fresh.”
Something to understand here is that Sharepoint is not Windows. Sure it runs on Windows, but the vulnerability here was the application. Are we going to argue that applications that run on Linux cannot have security vulnerabilities? Especially large archaic enterprisey things like this?
I bet Oracle and SAP have similar types of things happen to their application suites but no one runs public websites on Oracle eApplications (yeah, plenty of companies have that exposed to the internet, but it's not The Company's Website)
While I agree with you on most points, security is never the number one priority. If it were we'd all destroy our computers, never write anything down, and simply accept the collapse of society. Security is always weighed against many other priorities such as authorised users being able to access data, and ease of use. A unique 128 character password for each document would have high security, but be widely considered unacceptable even in a system handling classified material.
Security is not only Confidentiality, Availability is also a part of the triad.
This is the crux of the issue. The CIA triad (confidentiality, integrity and availability) are the root of all security. However, those goals are often self-contradictory.
There will always, for example, be a conflict between availability and confidentiality. Ultimate confidentiality might require that the data be stored in an inaccessible bunker with no outside access. Ultimate availability might involve hosting sensitive data on a publicly accessible server with no access controls.
In the real world we must always balance these needs carefully, and triage available resources to achieve an "ideal" outcome. This means that security will never, and can never, be a solved problem.
> If it were we'd all destroy our computers, never write anything down, and simply accept the collapse of society.
No, this is the same sort of defeatism that prevents us from making progress on security. We could engineer usable systems where actual security is a priority, and not just security theater. We don't because nobody in a position to change anything actually gives a shit.
You can engineer systems where security is a priority. You can't engineer useful systems where security is the priority.
You’re implying any real system can have a single top priority, which is equally false. There are always multiple priorities, and the one sitting at the top changes based on the context
> We could engineer usable systems where actual security is a priority,
Security is a priority. But it's not the only priority.
It would be difficult engineering even if it was the only priority, but given that there's little point to security for a system you never deploy, it's not likely to ever completely monopolize focus, either for users or implementers.
At this point i don't think security is a priority at all for companies like MS. Marketing themselves has having security is a priority. Doing the bare minimum to avoid lawsuits is their priority.
Ultimately though, they know that no matter how many times their failure to invest in security results in their customer's data being compromised or destroyed they'll keep making money.
Their customers are corporations who have insurance to cover their expenses when Microsoft's failure to make security a priority inevitably leads to a breech and those corporations are able to avoid all accountability for their decision to use Microsoft products no matter who else gets hurt as a result.
Dealing with yet another security issue caused by Microsoft is just another cost of doing business. It's still cheaper and/or easier for the corporations to keep MS and deal with the endless vulnerability/patch cycle than it is to move to something else and pay people who know what they're doing to manage those new systems so nothing changes.
"Sorry, you can’t use that password to encrypt this email. It’s already being used on NUCLEAR_CODES_2 (final) (2).docx. Please try another password."
> When people say Linux would be more secure in these environments, maybe. But if Linux or Red Hat took over everywhere, you can bet it would become the juiciest target immediately.
I do not think that is the only difference between Windows and Linux though.
For one thing Linux has multiple distros, some very varied. Its less of a monoculture. If Linux was more widely used it would also get grater usage for BSDs because a lot of things that run on Linux will run on them too.
Linux IS very widely used on servers, and on Chromebooks, and embedded. The kernel and a few other bits are widely used on phones too.
Look at Android. It is more of a leaky sive than Windows now.
Android was designed from day one specifically to be a leaky sieve that funnels as much of your personal and private data to Google and their partners as possible. They're left with the impossible task of making it harder for third parties to gain access to the data they're collecting without making it too hard for them to collect it for themselves.
> SharePoint (and a lot of other MS stuff) didn’t win because it was bulletproof, just because it was bundled “FREE”
In what world has SharePoint Server and SharePoint Standard + Enterprise User CALs ever been "FREE"?
> Security honestly feels like a service for a lot of giants.
While code security is on Microsoft, infrastructure security is on the organization deploying SharePoint Server.
Remember, the topic you're commenting on is about SharePoint Server. Not M365. Not SPO.
> In what world has SharePoint Server and SharePoint Standard + Enterprise User CALs ever been "FREE"?
Yeah.. I think people say "bundled FREE" when they really referring to MS enterprise packages. It's similar to how Comcast will sell you TV for $100, land line for $20, internet for $100, but you can get a TV/land line package for $90? or a TV/internet for $130. You can "bundle FREE" phone on your TV/internet package for an extra $5. (And yes, I heard support before tell me "For $10 more a month, you get a free upgrade to 1Gbps". ???? How is that free? They will say "It's the same package, but one level up for $10 more. It comes with free 1Gbps upgrade. what doesn't make sense?"
The issue isn’t Windows vs Linux. It’s an application security exploit and it just so happens that it only runs on Windows.
SharePoint Server is widely used and is a high value target.
Atlassian Server products have had their fair share of 0-day exploits. Atlassian also EOL their server products and forced a cloud migration.
> Right now, Windows gets a lot of attention because it’s everywhere.
I disagree with this take. Linux dominates in the server market.
Yeah... but mostly external services.
Meanwhile, Windows is running the crown jewels for operations inside the company, like SharePoint and Active Directory.
with microsoft's history of insecurity, if you pick microsoft (or azure) and get breached, it's totally on you.
We need more Red Hat and less Microsoft in the on-prem enterprise business. These exploitable vulnerabilities are unacceptable when your customers are the likes of DoD.
No one considers Google anything less than an impenetrable fortress, but when it's some government entity responsible for keeping American lives safe it's like "ah yeah they probably have a vulnerable on-prem Sharepoint that could easily be pwned."
So why is this? Why do Microsoft products enjoy a monopoly on the server in these sectors when more secure (Linux-based) options are far cheaper and widely deployed already? Isn't security the number one priority in those spaces?
"Why do Microsoft products enjoy a monopoly on the server ...?"
They don't. There's plenty, even a majority, of non-Windows servers in gov (I know, some depts are true MS shops).
Sharepoint is one of those things that snuck in via the desktop. It was touted by MS as an evolution of shared folders with "Intranet" features included. If you already ran a Windows Server for fileshares, Sharepoint was "free".
The initial few implementations were of extremely poor quality, even by MS standards, but SP was positioned in the MS channel as the future of MS server side application development. So all of the consultancy/sales channel jumped on the SP wagon for any custom server projects.
For developers, it was a nightmare. Underneat the platform was a frankensteinian horror of bits and pieces of resurected code from many departments and projects across MS crudely bolted together with chewing gum scraped of a park bench and bits of string recovered from old fish guts. Lists (SP's core structure for file directories with exposed metadata properties) could not work reliably, the system fell over under even light load, latency was totaly unaceptable even for basic operations, files did not rountrip through the server unchanged ...
Over the years MS cut it down from "the future platform for custom backoffice apps" to "out of the box Intranet with mainly cosmetic configuration options" to "cloud hosted office 365 shared folders".
" Isn't security the number one priority in those spaces?"
No. It's exacly like every other IT environment of comparable size. Security is considered important, but does not drive sales. Features and cost, but also available expertise from the supplier/channel partners dominates the choice. Security is covered by promises and certifications, but more often than not left to operations to patch up.
I was involved in a software startup that was aligned with MSFT 18 or so years ago. We built the web app side of our tool in Sharepoint precisely to be a good team player, and make ourselves more attractive to Redmond, even though it gave us no real benefits.
The support problems were INSANE. We ended up spending an entire release cycle pulling the web app out of Sharepoint and just doing a proper stand-alone web site. Support calls plummeted.
Sharepoint is something only a marketer could love.
Sharepoint’s problem, as parent alluded to, is that it’s three kids in a trenchcoat pretending to be an adult.
At no time did MS seem to say “Here’s our vision for Sharepoint as a complete product.”
Instead, you got coming on 25 years of random big customer feature asks + a home for lost MS product bits.
It would surprise no one that performance of that has been atrocious for most of its life (for those not old enough, think non-functional search and 20s page loads for on-prem instances), salvaged only semi-recently via the cloud managed version (that I’d guess runs on a ground-up backend reimplementation).
>> The initial few implementations were of extremely poor quality, even by MS standards, but SP was positioned in the MS channel as the future of MS server side application development. So all of the consultancy/sales channel jumped on the SP wagon for any custom server projects.
The gaslighting around this matter was intense. It destroyed any remaining trust I had at that point.
It all started with Novell Netware. It was a great product and companies would buy it to have centralized management. Microsoft noticed this and decided to use their power position to drive Novell out of the market by offering a similar service and have it built in in their server product line. Novell tried to fight but it didn't last long.
The protocol was proprietary and an open source implementation in Samba was very slow at catching up. If you decided to host a domain controller using it, you newer knew if a random disconnect was a network issue or the controller or the client.
And here we are. Active directory, or Entra or however they call it these days, is basically a standard way to manage users everywhere. And until a strong entity (EU?) comes up with strong backup towards an alternative solutions (we have plenty of them now), the situation will not change.
> Active directory, or Entra or however they call it these days, is basically a standard way to manage users everywhere. And until a strong entity (EU?) comes up with strong backup towards an alternative solutions (we have plenty of them now), the situation will not change.
You still have Active Directory on premise and now you have EntraID (formerly Azure AD) in the Azure cloud.
For Windows devices, it is the only mechanism supported to have a centralized management system.
For other systems, such as MacOS, you have alternatives that don't require any centralized user database.
Most cloud-native companies today rely on Okta or Amazon Cognito for their applications. Google Workspace supports this too, but it is incredibly basic at what it can do.
I don't think there's nothing that anyone can do to make this different.
And just to nitpick a little, it's like saying the smartphone reduced the camera market because of its dominant position. It didn't, it just provided convenience when there was none (a phone, a camera, a video recorder...).
I do wonder if the fact that these vulnerabilities get exploited so often is because the customers are the likes of DoD. If DoD used Red Hat, maybe we'd see more large-scale linux/freedesktop exploits being discovered.
I think there's certainly an element of tall poppy syndrome here. Windows, for example, used to be targeted because its security was a complete joke until quite late in the XP era (SP3 IIRC). But there's always been, and still is, and element that it's targeted because it's a big, juicy target.
A huge portion of the desktop and server market are running Windows. It used to be almost all Windows, at least on the desktop. Nowadays mobile computing has become far more important so Windows doesn't have the end user dominance it once did, but there are still a huge portion of end user devices running Windows.
Same on the back end: it's just a big juicy target, and the bang for buck that hackers get from it is huge given how prevalent it remains in corporate and government environments.
yet nearly all internet facing servers are linux; and we don't see the same volume of issues.
I hate Microsoft products as much as the next person, but I don’t think your statement is entirely fair:
SharePoint isn’t Windows. It’s a Microsoft product that’s only available for Windows Server. But it’s not Windows.
The reason I make that distinction is because if you widen the scope of services available on Linux then you might come a lot closer to the same volume of issues.
For example, take a look at how frequently CVEs are raised against popular CMSs.
> For example, take a look at how frequently CVEs are raised against popular CMSs.
One popular CMS in particular?
Sure, I get the point, a more apt comparison might actually be RedHat though, since they're doing E2E packaging for a product suite.
I mean, Linux isn't even Linux - At the risk of invoking a meme: Linux is actually GNU + Linux; and even then there's a web-server on top, and software that it runs.
So, a working comparison might be Wikipedia? As far as I understand it; that's the largest CMS on the planet.
The closest comparison to SharePoint is probably a combination of Zoho Connect, Zoho WorkDrive, and Zoho Flow. Zoho's office suite also integrates with WorkDrive and has collaborative editing. They even have a desktop app for Writer.
Even then, SharePoint is more of a platform. You can build SharePoint apps and extend it.
There isn't a comparison for SharePoint Server. There really isn't any single thing like it for on-premise.
Neither Wikipedia nor Redhat are as big targets as Microsoft’s ecosystems. Not even remotely.
ok, nginx+linux power nearly every website, is that close enough of a sizable target?
As mentioned, even if we exclude websites, Linux is a pretty enormous target. Much more enormous than microsoft - by an order of magnitude or more, yet: we don’t seem to have these kind of issues. Curious, don’t you think?
Very curious. Just based on the incidents we see, and analyze over time, almost all of them are compromised Windows systems. When I say "almost", I'll provide these stats: ~4500 Windows incidents over 5 years, vs. two Linux incidents.
Similarly, looking at vulnerability counts by vendor doesn't paint a rosy picture of our largest vendor Microsoft, either. But it pales in comparison to the incident statistics, which speak for themselves.
To Microsoft's credit, they've managed to turn their weaknesses into a secondary industry, wherein they now no longer sell just the disease, they also sell the cure. "Oh, your Windows systems have security problems? Have we told you about our expansive security solutions? They're only an additional $your_budget_doubled per year!"
Nginx doesn’t have the same attack surface.
Microsoft’s back office suite is massive. So you’re talking about Nginx + a CMS + online office suite + video conferencing + identity providers and so on and so forth.
There isn’t really a direct comparison in the FOSS world. It’s either smaller in scope or smaller in terms of high profile organisation adoption.
This is why I think it’s easier to ignore the “Linux” part. Not because Linux is technically a kernel, but because there isn’t a directly comparable solution that targets Linux / GNU or whatever other base OS moniker you want to use. Same is true for BSD, Darwin and so on.
The alternatives to Microsoft’s dominance are typically more narrow in scope and usually proprietary too (eg Okta for identities, Google Docs for O365, etc)
Does this mean that Microsoft products are secure? Not really. It just means we cannot make a fair comparison against FOSS when it comes to these specific types of attacks.
If every car in your neighborhood that gets broken into is manufactured by a single manufacturer, it is in your interest in asking why that is, and perhaps considering that fact when shopping for a new car.
That does happen though. Cars worth more are stolen while cards worth less are not.
The common factor there isn’t that 40 year old hatchbacks have better security. It’s that the risk vs reward isn’t there compared to the brand new luxury cars with higher resale value on the black market.
This isn’t something I’ve just made up either. This is what the police told us when my neighbours Merc was stolen while my Skoda, which was accidentally left unlocked, was not.
Thieves target the expensive cars because they’re worth more. It’s really that simple.
> Thieves target the expensive cars because they’re worth more. It’s really that simple.
They don't target the expensive cars. The most stolen cars in the US are cheap Hyundais And Kias. Before they claimed the top spot on the list of cars taken most often the winner was pick up trucks and old Toyotas.
Thieves target what's easy to take and easy to chop up and sell, not luxury cars with high resale value.
If every car in your neighborhood that gets broken into is manufactured by Ford, but some people keep saying that their sneakers never get broken into, why don't you just walk everywhere, also they've never driven a car and don't really believe anyone else drives a car and keep implying it's just a status symbol...
and then they say "okay what if we consider everyone's sneakers all together, and how rarely they get stolen compared to cars" as if they've come up with a sensible comparison in complexity...
and then someone suggests "RedHat Linux" as an alternative to your car. Apparently they don't know what section of the world a car fits into, to suggest an alternative - but they're still convinced that you don't need a car and they are genuinely puzzled why more people aren't using "RedHat Linux" instead of cars...
... also only Ford make cars and the only real alternative is something completely different and then pay consultants to customise it and retrain your entire workforce at great cost and upheaval for little to no return, except hoping for an increase in security but not being able to prove same, or even clearly nail down what that means precisely.
One should be wary of anyone selling you a solution to your problems they know nothing about. Naturally, the only way to be entirely secure is to shutdown all the applications and decommission all the computers, a solution which the business side tends to finds unreasonable. Thus the tender balance between business needs and business risk emerges as the deciding principle.
But the numbers are the numbers in heterogenous environments, regarding security problems by platform. And if it rains perpetual Windows-based incidents on your security staff, and you don't consider the numbers when evaluating what you will and will not do, compute/services-wise, then you are statistically likely to see the same rate of incidents, at whatever cost that comes to the business, indefinitely.
> "a solution which the business side tends to finds unreasonable"
Isn't it odd that "unreasonable" solutions keep being suggested in threads started by people who first push Linux, and second ask what the thing even does anyway.
> "Thus the tender balance between business needs and business risk emerges as the deciding principle."
There is no tender balance and this is nothing like the deciding principle, and again it's illustrative that in a world where big organizations turn to poor quality software with poor UX for reasons like "nobody got fired for buying IBM" and "I look good on the Gartner report" and "the vendor will bend over backwards to make our auditors and legal team approve it" that Linux people go for the only thing they have going and try to suggest it's the most important thing, even though it's demonstrably an afterthought or a never-thought.
> "you are statistically likely to see the same rate of incidents, at whatever cost that comes to the business, indefinitely."
And you see this happening for literally 30 years and the "whatever cost" being written off as a business expense that has never changed anything, but you still call it "the deciding principle" when the evidence shows that the decision makers barel consider this at all?
DoD does use Red Hat (a ton). Not for this, apparently, but for plenty of other things.
> Isn't security the number one priority in those spaces?
Money changing hands between suitable people who pop up together at the right social occasions is the priority.
This though is also true in the private sector.
In the private sector, there's a slightly more direct link between job underperformance and being fired.
> In the private sector, there's a slightly more direct link between job underperformance and being fired.
Not in my experience. Connections are most important than competence in big corporations. The bigger the company the most is works like the old Soviet Union.
I've been working in major famous corps most my professional 45 years, and this is what I have observed.
In most big companies you don’t really get fired for bad performance (as long as you try to do your job).
In my experience you only really get fired when the command from top comes to cut X% of the workforce (sometimes this is yearly due to stack ranking systems) but even then the best way to keep your job is not doing a good job. In actuality it is connections (being good friends with your boss)
Remember a lot of large mulinational companies are larger than many small countries so if you have a very large multinational company you're gonna have the same type of corruption and inefficiency as in countries and governments. Of course if you have a small startup with 10 people and the owners are very involved in the day-to-day business they can probably spot when there is underperformance but in a multinational company where you can barely know who is responsible for what probably not.
And if your strategy fails, you (usually) can't raise taxes to make up for lost revenue. So there is an even more direct link between underperformance and losing money.
If your strategy fails the government bails you out, or you float away from the burning wreckage on your golden parachute until you land in a new job at another company which you can then ruin without meaningful consequences or you just retire with the millions you got in your severance package and live the rest of your life carefree.
I don't get such incomplete, selective, comparisons.
The country can't go bankrupt and you just found another one.
Yes, when a country messes up they have to actually fix things, there is no way around it. Except getting merged into another country - like my birth country, the GDR, ended up as West Germany's problem (but its people still had to do the work).
Also, if big enough companies (and banks) fail, it is the same. Not having a string government would not help either, in such cases the companies would be the government, as we saw in even wilder times of huge companies and much less state in the US some century or two ago.
At some point in the hierarchy you have to live with not having omniscience and accept that sometimes things don't work out, and that you can't just walk away from the consequences of those failures.
Oh boy. Haven't watched much US news since, like, Reagan, have we? Dumping the debt of your failures on future generations has become somewhat of a competitive sport in politics. Can't really do that in the private sector.
Private equity would like a word...
Private equity does not have write access to the money ledger.
But nobody gets fired to spend money on stuff made by giants such as IBM, Oracle or Microsoft, regardless of the issues than can arise, while choosing a less known competitor is a liability for the decision maker, even if the impact is much smaller.
Nope. That correlation disappears completely for enterprises of larger size. I have more often than not seen the least (or even negative) productive climb the promotional ladder in those environments.
Exactly. I worked for both public and private sector clients. For departments/companies of the same size, there is no difference in attitudes and behaviour. People seem to percieve a difference, but that is mostly because they compare big gov depts to smaller private companies, not equivalently sized enterprises.
For small companies, they just look at the "winner"'s operation, not including the "waste" of the other 39 "losers" that failed.
Most enterprise PCs are Windows machines and integrate with Microsoft services easily. The only way Microsoft is going to lose the enterprise market is if enterprise PCs move away from Windows.
But, for enterprises, the only reasonable migration away from Windows is Mac. JAMF Pro for Mac can be hosted on-premise on Linux. The majority of enterprise software runs on Mac. However, Macs are expensive so it's unlikely to overtake Windows enterprise machine usage.
Hardware support for Linux PCs is poor and lacks the manageable of Windows PCs with Active Directory and GPO, or JAMF for Macs. Enterprise software usually doesn't support Linux. Linux PCs are uncommon for personal use and corporations don't want to train users how to use Linux.
"Hardware support for Linux PCs is poor and lacks the manageable of Windows PCs with Active Directory and GPO, or JAMF for Macs. Enterprise software usually doesn't support Linux. Linux PCs are uncommon for personal use and corporations don't want to train users how to use Linux."
I would dispute the "hardware support" comment. Linux has pretty good hardware support nowadays. And "enterprise" software is a vague term here. For desktop Windows, of course Microsoft will have that covered every which way, but for things such as authentication, authorization and security, Linux has a place. A comment about adding "Redhat" to the mix is not talking about desktops (necessarily) but servers and security.
There are still plenty of issues with bluetooth, batteries, microphones, gpus, touchpads etc when doing a clean install of Ubuntu on any random laptop.
True. But larger orgs don't buy "random laptops". The trick is to just buy laptops where you know everything works, and the company making them has a commitment to Linux.
Buy your linux laptop fleet from Framework, System76, Starlabs etc and you won't have any problems like that. You might have OTHER problems, but not that one.
None of those companies have a logistics chain which would at all be suitable for the US federal government.
Even in corporate, there's basically two vendors - Dell, and a distant second Lenovo, with Apple having a foothold in niche usecases.
You used to be able to buy Dells with Linux pre-installed, quite a while ago. Did they stop?
No, but it's not universal across their range.
Do these companies support Net 30/60/90 payment? Do they provide enterprise support?
There’s a reason why corporations use HP and Dell machines. And there’s a reason why HP/Dell/etc don’t have Linux OSes on their corporate client machines. Well, they do, but companies don’t care to order them for the other reasons people have listed here.
I work for a company with 1000+ people in RnD doing software development. 80% of those use Ubuntu and have one desktop and one laptop (HP EliteBooks) and that works fine.
You are right that not all devices don't work perfectly, but the Bluetooth headsets, Bluetooth mouses, conference rooms etc. that the company supports are tested for compatibility before being bought by our IT department.
Canonical and Red Hat have certified hardware. Most corporate workers aren’t software developers. They just want their productivity suite for email, scheduling, messaging, documents, spreadsheets, and presentations.
Enterprise and government don't use random laptops.
> A comment about adding "Redhat" to the mix is not talking about desktops (necessarily) but servers and security.
Why would you use RHEL to manage Windows client machines, when you could use Windows Server/Azure and get Microsoft support?
This suggests that the main thing Linux needs, for broader enterprise adoption, is a much improved "log into something that quacks like Active Directory" solution. Not actual Active Directory, obviously that just contributes to the lock-in, but what else is even remotely as polished and well integrated? I suspect this is the true moat actually. Nearly every actual business has "log into our company managed authentication system and have our communication and basic productivity apps just work" woven throughout the core of onboarding.
Microsoft sure has a lot of warts, but even as a Linux enthusiast, I cannot deny that Outlook "Just Works" with a frankly shocking set of basic stuff. Login for the first time, check your email, hey there's your meeting with your manager on your calendar, and now we can add new events just by putting you in this group, etc etc. There's dozens of little integrations baked in here that a tech enthusiast could feasibly replace in isolation, all of which vanish the moment you turn off the Exchange server or whatever it is. It's way more complex under the hood than most people realize, which is why "ditching Microsoft" so often turns into "Adopting Google Apps", as they have a similar turnkey solution to most of the same problems.
Not meaning to be a big ball of negativity, but as I haven't really explored here... in the FOSS space, what is the equivalent? Which tools are the most polished, and what server backends could be hosted on-prem to gain the same basic integrations with login, email, calendar, chat, and video conferencing?
Amen .. and this has been the case for a very long time. I remember transitioning my startup employer to "small business server" (Active Directory+Exchange) over 20 years ago. Why? Email and calendaring, especially - remember this? - Blackberry integration.
Everyone above middle-manager level lives in meetings, which means that the calendar is a critical piece of productivity software for them, and they want the comforting familiarity of Outlook. Which means they get to impose that on a whole organization.
The company that should be doing this kind of integration is Red Hat, but they've never quite managed it.
The open source solution space is probably LDAP and CalDAV, but as you say, nowhere near as conveniently integrated.
AD integration and desktop management solutions rule the Windows desktop. But not Macs in an organization, which are an absolute pain to manage, and yet somehow persist.
Perhaps it's not enough for there to be a "push" to Open Source because you've been failed by a proprietary solution, there needs to be a "pull".
> Perhaps it's not enough for there to be a "push" to Open Source because you've been failed by a proprietary solution, there needs to be a "pull".
Absolutely. A company isn’t going to create a GitHub issue and wait around. You can’t make service agreements with FOSS. There needs to be market forces to sell this software to corporations and it’s a hard sell.
Even macOS has a ton of goofy workarounds and third-party products required to get that level of ease for logging in with a corporate identity and having everything "just work". It's only finally getting close in Tahoe with the new additions to Platform SSO, but close is not "feature parity" either.
Apple focussed on consumer and even shunned the enterprise.
MS for all its flaws, welcomed, targetted and tried to support scale operations in larger business environments (Imaging, AD, GP, SuS, bitlocker, ...).
Also, if your only fix a hardware problem option was to "visit the 'genious bar'" and wait 6 weeks for a machine to come back, vs the Dell/HP/... service of "same day onsite repair", what is IT going to prefer for client computers?
Apple has changed their tune, in so far as they probably need some level of identity management on the Mac, crypto-key escrow, restrictions, and so on. Their Device Management framework is quite capable.
For large enough businesses Apple will let you do your own self-service repairs too. On-site. Order the part and you're still in warranty.
> corporations don't want to train users how to use Linux
This is a huge factor. There are a lot of people who’ll curl up into a ball if you try and get them to use something new.
I'm in the manufacturing sector, on the integration side of things now, but yes, change is always a battle. The way I see it, the problem is two-fold:
Side 1: the workers, especially the labor portion, are extremely resistant to learning new ways to do things unless you can prove, beyond the shadow of doubt, that the new way will be easier than the old way (aka, less to remember/think about) but also does not diminish the quality of their work or increase the perception that their coworkers might see them as having it easier than them.
Side 2: the people responsible for purchasing and resource allocation often do not know what they are buying. In any shop, if you say "we need new PC's for the office" the first thing the purchaser will do is ask a supplier for a deal on a fleet of Dells because that's just what they've always done. If the company is larger and has an actual IT department, they will just provide Windows PCs because that's what they were trained to support. The alternative, Linux, is never considered because they simply don't know anything about it and it's not being offered by their suppliers anyway, so why learn?
> Linux PCs are uncommon for personal use and corporations don't want to train users how to use Linux.
I wonder how quickly that’ll change with the generations. The kids these days use Android and iOS, right?
Going Mac in an enterprise environment is a stupid move. Apple is constantly changing how MDM works. One week they'll go all-in on some method of doing things, and tell everyone they must comply or GTFO. The next week they'll completely change their minds and gaslight you, saying that old way is stupid and nobody should have ever used it ever. Then they will put in blocks to prevent it from working. This means all the work and tooling that people poured into it are just dead.
It’s been pretty consistent with how macOS MDM works with device profiles. The software to manage provisioning of device profiles may have changed, but at the OS level it hasn’t.
Hard to square this with every startup after ~2006 running a substantial, if not majority, Mac fleet. In addition to the major tech companies.
Startups rarely use MDM solutions, that's a thing when you hit >> 1000 users because you need dedicated teams to hand-hold the MDM.
Neither of those claims is true in my experience. MDM is par for the course for SOC2, which is increasingly popular these days, and managing MDM seems like one of many responsibilities of ops teams.
I managed 1000 computers and a few hundred iPads by myself. No team required. HIPAA covered entity.
I've worked in two 5k-10k companies in the past 10 years with 80+% of MacBooks in the fleet, all managed through MDM and as an end-user I never experienced issues. Unsure how the IT folks felt about it but they managed it pretty well if I didn't experience any problems for so long.
You could argue changes to MDM strategy is indicative of new threat vectors appearing
I can assure you, the DoD isn't a bunch of windows servers hosting sharepoint for the public. Federal government IT in general is a RHEL shop, at least serverside.
Only because Microsoft offers “certified professional” badges and the MSCP’s are pushing the only thing they are certified for, and the corporations buy into the whole “certified” thing.
I have a ton of customers where the admins are constantly reminding everyone about the certifications they have, all while their basic security is below average.
… but they are certified!
> Isn't security the number one priority in those spaces?
No. Quick iterations and output output output. Security is one of the least concerns in any company I have ever worked in.
> when more secure (Linux-based) options are far cheaper and widely deployed
Hold on, we are talking about SharePoint here. I don't know any software that could replace it, that is allowing office suite to collaborate in a way SharePoint Server does it (versioning, concurrent editing, online editing, workflows, customizations, OneDrive, IRM, compliance, search etc.)
Even in a windows environment. Can you name more secure, cheaper and widely deployed alternative?
Google Workspace
This is SharePoint on-premise, so Google Workspace isn’t a good comparison?
Also, even if we do look at cloud: Workspace isn’t bad (exception: sheets vs Excel), but SharePoint is the center of Teams, Power Platform, PowerBI… to replace M365 with Workspace means a lot of research, setup and testing of 3rd party alternatives to the above.
If you’ve ever worked in a well configured Microsoft stack, nothing beats the integration.
There’s no reason to believe Workspace would be more secure if it had the same feature set/integration configured.
Sheets is vastly superior to Excel for most users ;)
Most users don't produce most of the value.
That's actually good point, thank you. However not something that one can install on-premises or is "far cheaper".
Unpopular opinion but I don't think this solves anything. The exploit wasn't an OS exploit but a userland app exploit (Sharepoint Server/App). These attacks will always be developed until we're able to write perfect exploitation free software.
If the government was running Red Hat with 'open source SharePoint alternative' the headline would be 'open source SharePoint on-prem solution exploited'.
Microsoft invested in making integrated Windows-based business software and a big closed-source ecosystem and/or bought other tech companies that previously developed similar tech. Some of them older than Red Hat even Microsoft.
Where is the equivalent tech on the Linux side that Red Hat developed? They simply didn't have a competitive enough alternative. Usually anything outside of cloud/web server space, you'd find alternative open-source projects rotting with non-clear ownership and year old last commits. Red Hat and Linux world weren't interested in developing those things. They weren't interested in making competitive user friendly alternatives that enabled non-programmer users. It is hard, thankless, soul crushing work that nobody does anymore since Microsoft bought or eliminated them. There are simply no equivalent alternatives in the open source world because competing with Microsoft requires accepting significant losses as a company for a long time. Google Workspace is a thing only because Google can finance its developers with ad money.
Just having Linux is no golden key to security either. You need to put the exact amount of barriers in front of your on-prem servers regardless of the OS.
The whole security mess is just the symptom of capitalist economy. Most companies give 0 fucks about it because caring about security is costly and time consuming. With the race to the bottom for first-to-market, caring about security is a risk, it is a distraction. They ignore it until they establish a position and maybe their misdeeds become a liability. However, no company got actually severely punished for not caring about security. So it is still seen as cost by many.
Most government IT is using RHEL. You are correct, it is because of the thankless work they put into long term enterprise support. Microsoft doesn't do anything like that.
Red Hat were interested. They funded desktop Linux heavily for a long time. It didn't work because the (non-capitalist!) ideology of Linux is incompatible with success, and Red Hat always tied down by the community they chained themselves to. Desktop platforms have far more hardware and software heterogeneity than server platforms do, the pace of innovation is much faster, and they require the ability to ship closed source software, closed source drivers, to innovate and then for people to capture some of the value to fund all that.
For the longest time desktop Linux simply tried to clone Windows/macOS. Eventually Red Hat came to dominate GNOME enough that it developed a bit of its own personality, but the kernel and software distribution approach always held it back from even matching its competitors in usability, which wasn't even close to enough. Apple have executed excellently for decades and even they only made progress in the pure consumer space, the enterprise space is one they never tried to attack despite having the money needed to do so.
Capitalism isn't the problem here. Communist software isn't exactly famous for being impenetrable, in fact it's more famous for hardly existing at all. Google and Apple are highly capitalist, and their security stance is much better. The problems at MS are deeper.
Security aside, what even is an alternative to SharePoint on Linux? There is not one.
Probably because most Linux users aren’t looking to share (or even use) office documents. Linux collaboration happens on wikis, message boards, and Git.
There's Liferay:
https://www.liferay.com/resources/l/content-management-syste...
https://hub.docker.com/r/liferay/portal
I haven't played with it in about 5 years but it was substantially less polished than a well-run Sharepoint 2013 instance.
> Why do Microsoft products enjoy a monopoly on the server in these sectors when more secure (Linux-based) options are far cheaper and widely deployed already?
Because there is no FOSS solution even coming close to the level of out-of-the-box integration of Office 365. Thunderbird has zero integration with LibreOffice, LibreOffice has zero integration with Owncloud (or whatever else one might use), neither has integration with a softphone software, much less a backend like Asterisk. And some software like Sharepoint or MS Access doesn't have anything on the FOSS side.
OTOH that is a plus for security. When everything is interconnected/integrated, everything is usually pwned at the same time.
The problem is, decision-makers will not go for the "secure" way, they want a solution out of "one mold" - and so do users. It is a common complaint when trying to set up a FOSS solution, users complain that they have to learn and memorize different ways of doing the same thing across different application... and made worse by many FOSS projects not having UI/UX designers at all that care about consistency even in the scope of the application itself.
And on top of that, many data exchange formats are not just "old", they're "fossil" and don't even come close to meeting the demands that people have come to expect.
In the non FOSS world it still ends up the same.
In every single company I have been working in the last 15 years, information was spread across so many different tools that integration was a moot point: Office365, Jira, Confluence, a separate ticketing tool, some mkdocs or single markdown files in repositories, spreadsheets, dedicated HR web portal, intranet, internal blog/comm/social media... Even within Office365 information is stored randomly as office files in sharepoint, teams channels, personnal onedrive, emails, copy/paste in teams, teams channel onedrive synched drivees, onenotes...[1] Also RBAC makes sure that whenever you came across one doc containing link to other stuff, you end up having no access to half of the links
Bottom line the tightest integration doesn't reduce any friction because there is not a single toolsuite that fits every use case and people end up making a mess of everything. You never know where you can find the information and every single teams wiki ends up being a collection of links to a myriad of different places. Also half of the people still email people documents instead of the links because they don't understand anything else.
[1] yes it is in the background the same product but people access them and more importantly know or search the information in totally different ways.
You are very close. But Office isn't the secret to Microsoft's unassailable dominance in enterprise. I could remove Office at work and we'd be okay.
Active Directory is the key. A unified management of users, devices, groups, and policies that everything else is built on. Nothing outside of the Windows world even comes close. There's Linux tools to impersonate or talk to Active Directory, but no alternative to it.
Group Policy lets me set up any number of tens of thousands of configuration changes and apply it easily to any group of users or computers with a few clicks, regardless of device manufacturer. Linux distributions aren't even consistent enough about which system tools are onboard, much less what policies can be configured on them. Web browsers all have Group Policy plugins, so everyone's web browser is configured by Active Directory too.
Linux is a hellhole, for Mac JAMF fills the gap pretty well.
For Linux, I'd probably whip up Ansible these days if I were tasked with it, but getting it off the ground is ... nasty. Set it up as a systemd unit to run on boot, login and network-online.target, and that's it.
the problem is not Windows' (alleged) insecurity, it's it popularity. if everyone would use red hat, the same thing would happen.
> your customers are the likes of DoD.
One of the answers should be for the DoD, or any other such military institution, to try and rely a little bit less on everything being "digitilized", or at least to change it all into a more fragmented data/information "archipelago", with no centralised unique source-of-truth.
The clients of said server are not going to be Linux. Running a secure, working, manageable CIFS server on Linux serving Windows clients is surely going to cost much more than just using the Microsoft solution. Some products don't even work at all with that configuration (e.g. Quickbooks Enterprise).
Not sure how it is in US but where I am, it is mostly because of corruption.
Could be that Microsoft can navigate all the regulatory bullshit that surrounds anything government. I don't know of anyone doing that for anything Linux.
There's tons of Red Hat in federal IT, that's not the issue. It's just that Microsoft dominates the client-facing software business, and Red Hat has minimal presence there so while you might see RHEL desktops at e.g. NASA you're unlikely to see them anywhere else, and there's no real open source equivalent of SharePoint or Office out there.
Maybe [0] will be one, eventually, but it would take a long long time to replicate the functionality if it were to ever happen. Best case scenario is that the EU were to fund an open source solution.
[0] https://www.techradar.com/pro/mozilla-launching-thundermail-...
> Schleswig-Holstein, one of Germany’s 16 states, on Wednesday confirmed plans to move tens of thousands of systems from Microsoft Windows to Linux. The announcement follows previously established plans to migrate the state government off Microsoft Office in favor of open source LibreOffice.
https://arstechnica.com/information-technology/2024/04/germa...
People don't take it seriously because European governments have a history of making announcements like this and then rolling it back in favour of a return to Microsoft.
Lets see what happens when they try to move finance of Excel. If they are successful there, then there might be hope, if not, then they will eventually go back or have 45% of the company on some kind of exception.
Huh, I didn't know Red Hat did any government stuff.
Did you already forget about log4j?
log4j is a once in a decade event, while vulnerable Microsoft software is more like once a month.
Zero day actively explored events are not a once a month thing. Are you trying to argue there’s no Linux vulnerabilities monthly??
No, as we both know, there are vulnerabilities on Linux, like log4j.
And I also did not say that zero days are a once a month thing, I said that vulnerable Microsoft software is a once a month thing.
There are monthly security updates for packages for our Linux systems too.
Log4j is a Java thing divorced from the operating system running it.
SharePoint isn't an operating system either
This was about open source. Not Linux.
> CISA advises vulnerable organizations [...] to disconnect affected products from the public-facing Internet until an official patch is available.
It's interesting to me that you'd go the hassle of hosting your own SharePoint on prem, but leave it internet facing. I would have assumed a the Venn diagram of these organizations to be entirely contained in orgs forcing you to use a VPN.
Oh CISA...
What a pity that CISA has been purged down of effective useful people and turned into another sad selected-for-political-compliance-only force.
Arizona recently got attacked from Iranian hackers & didn't even bother trying to get help from CISA. https://archive.is/2025.07.19-143305/https://www.azcentral.c...
CISA is so so vital. Investigating incredibly wide ranging attacks like this, or the Salt Typhoon attack are vital for this nation. But the show is being run by a bunch of people who value political dogma far above anything else. https://www.techdirt.com/tag/cisa/
It almost seems like the goal is to hurt people
So true, they make bullshit that affect security also on some security tools analyser … do not worry NSA everything is fine, you are not at risk against worms xD
Best practice is to assume the network is compromised - a VPN doesn't provide as much guarantee as people would like. In large fleets, devices are regularly lost, damaged, retired, etc. In organizations with high target value, physical penetration through any number of means should be assumed.
So you don't do that. You use zero trust and don't care that things are exposed to the internet.
Working from anywhere (remote sites, home, your phone) is a huge benefit. Organizations want to control their data entirely while still wanting their organization to be able to access it.
Microsoft’s version of “Zero Trust” doesn’t care if things are reachable from the public internet. They have been preaching “identity is the new perimeter” [1] for years, and it doesn’t wash.
The NIST Zero Trust Architecture (ZTA) implementation guides (SP 1800-35) [2] cut through the nonsense and AI generated marketing smoke.
In ZTA, ALL network locations are untrusted. Network connections are created by a Policy Engine that creates and tears down tunnels to each resource dynamically using attribute-based-access-controls (ABAC). Per request.
Microsoft doesn’t have any products that can do full ZTA, so several pillars are missing from their “Zero Trust” marketing materials.
[1] https://www.microsoft.com/insidetrack/blog/securing-the-bord...
[2] https://doi.org/10.6028/NIST.SP.1800-35
> several pillars are missing from their “Zero Trust” marketing materials.
TBH several pillars are missing from their entire security posture.
why bother when not a single vulnerability has resulted in any appreciable fines or loss of market share? it's absurd how untouchable their ubiquity has become.
They’re the Boeing of software. They go down with the ship, but, critically, it means they also can’t go down until and unless the ship also does.
It’s a symbiotic relationship that allows them to stop having to spend resources to compete in the market on merit.
That's pretty accurate, if you want modern practice and product quality you go to Google or Amazon, if you want compliance and reassuring the board, you go to Microsoft.
> Network connections are created by a Policy Engine that creates and tears down tunnels to each resource dynamically using attribute-based-access-controls (ABAC). Per request.
What does it mean in technical terms? What kind of tunnels are whose and what is their purpose?
There are four different micro-segmentation variations in the NIST reference guide: device-agent/gateway, enclaves, resource portals, and application sandboxing.
Basically a policy evaluation point (PEP) evaluates the security posture of both parties before and after a handshake, then creates a logical or physical path of some kind of between the actor and the resource. This can be done with software-defined virtual networks and stateful firewalls, at one or more of the OSI layers.
So the policy evaluation point has the keys to the kingdom and is the single point of failure, vs standard distributed authorisation declaration that would be up to each component of the system to implement.
How is this PEP better?
Maybe I'm missing something but doesn't this very story cut your assertion off at the knees?
With a VPN the attack surface of this vulnerability would have been miniscule compared to a publicly accessible zero-day RCE
(And it's not like you have to allow carte-blanche access behind the wall)
Defense in depth!
In zero trust "exposed to the internet" is a bit of a misnomer compared to how traditional security would use the term. A better description might be "you're allowed to form a session to it from over the internet but only after your identity and set of rights have been verified". From this view: "zero trust" < "vpn" < "wide open" (in terms of exposure).
So it's essentially a more seamless and granular analog of a VPN? A device sits in front of the network and requires some sort of authenticated handshake (ideally all SSO) before passing packets through to a target endpoint?
Something I'll add to the other responses is "the network" isn't an assumption of zero trust. Whether it's a single server on the private corporate network or a multi-cloud multi-region service hosted on the internet zero trust treats them the same.
My way of mapping it to VPN mindset is "per app clientless VPNs straight to where the things are hosted". In an extremely open ruleset with all of the servers on a corporate network this could theoretically devolve into "a traditional clientless VPN to the office".
At a high level, yeah.
They can be implemented using a variety of technical patterns but they all share a common "each request is authenticated, encrypted" property instead of "anything goes once the tunnel is up" property.
HTTPS calls with any kind of authentication (cookies, tokens, even basic auth) are one way to be "authenticated, encrypted" for "each request". If they go to a reverse proxy at the entrance of a company network (a common setup for every internet facing http server) they are a way to do without a VPN.
And yet every customer of mine have some of their servers on a VPN. At the very least they enable ssh only on ports on the private network.
Yes, that's zero trust in a nutshell: A VPN that does a tunnel per TCP connection instead of one tunnel for all TCP connections.
The other salient point is that all connections are established outbound through a broker, and importantly this is the case from both sides: The appliance at the terminating end of the tunnel establishes reverse tunnels to the broker for the connections, so it's never "exposed to the internet".
The broker can then push to your SIEM or whatever so you can have your SOC log jockeys harass your employees for accidentally leaving NordVPN on after watching international sports.
There are actual benefits: You can do things like allow logins to system A from anywhere, but system B only from your home country, you can do JIT network access requests, etc... but mostly it's vendor marketing to get you to spend too much money.
(Not just TCP)
Makes “zero trust” sound like basic username/password from ancient times.
Think machine certs (stored in a TPM). Plus perimeter-enforced username/password/2FA. Plus additional policy checks, like making sure your machine is up to date on security patches.
It doesn’t matter what network you are connecting from, but it does matter that you’re connecting from a company-issued laptop that’s in a trustworthy state.
Sounds like multiple single points of failure to make a security infrastructure so hostile to the end user it would be considered the equivalent of being under persistent attack.
VPN products do all of that.
They absolutely do, that’s fair.
The big difference is once you’re in, with a VPN you have direct access to the whole network.
With a zero trust setup, access has to be granted to you (or your ACL group) on a per-application basis. It makes it much harder for an attacker to move laterally when everything is default-deny.
But you can combine VPNs with SSO and limited permissions. Real networks all work that way these days. Logging into the VPN doesn't get you very far, you'll need to be provisioned with specific apps and permissions too.
That’s my understanding.
In a pure implementation, the same level of trust is implied (absolutely none at all) whether a device is connecting to a resource from the public internet or the same subnet.
Arainach is advocating for something called "Zero Trust" which, from a user's perspective, is very much like a VPN.
It's software your employer pre-installs on your work PC, that asks you to log in with your work SSO credentials, performs some endpoint security checks, then routes your traffic over a virtual network adapter, and thereby allows you to access workplace resources, even when working from home.
The main difference is it adds some semi-authenticated states. Correct device, username, password, and 2FA, but failed a device posture check because they plugged their phone into their laptop to charge it? The 'Zero Trust' system can block some systems, while letting them retain access to others.
The other big difference is the pricing - rather than paying a five-figure sum upfront for networking hardware, you instead pay $25 per employee per month, forever.
>then routes your traffic over a virtual network adapter
this is not a requirement of zero trust.
Zero trust is when every session with every service is like its own VPN, independently authenticated and encrypted. Consider the way an HTTPS session between a server and a browser is created anew every time the browser accesses a domain, and ends after a short flurry of requests needed to load a page.
Almost sounds like “zero trust” is classic HTTPS authentication with extra marketing added…
There's a significant difference which my original message hints at and is subsequently clarified: there's still an intermediary. If there's an exploit in the service, like this case, it's still not directly exposed. The intermediary device is still sitting in between and won't allow any old traffic through without separate authorization
The product was explicitly promoted as being useful to run public websites. Before cloud took off we had Microsoft sales people in our office announcing the death of Wordpress with the latest Sharepoint release. That position may be old, but plenty of orgs live in the past.
My former boss bought that hook,line, and sinker and that’s why I was fixing the legacy cms environment today.
> It's interesting to me that you'd go the hassle of hosting your own SharePoint on prem, but leave it internet facing. I would have assumed a the Venn diagram of these organizations to be entirely contained in orgs forcing you to use a VPN.
It likely will be entirely contained, at least in theory. Because is your IT and OT isolated? They should be, but man could I tell you something about the energy and public sectors... Let's just say, that if you're in an organisation with any sort of OT, then you may as well assume that everything you have is facing the internet in some way. I suspect it's frankly like this in any sort of enterprise organisation getting worse the more the org views IT purely as a cost center.
This is why we don't just rely on things like VPNs. Everything we have uses port security (mac-adresses) at a much more ganular level than the VPN does. At least for the parts of our systems landscape where this is possible. With something like SharePoint it's hard to allow specific devices because it's usually something everyone should have some sort of access to. Then you have all the organisations where SharePoint also has some sort of non-VPN access because some CEO level wanted it at one point since they can't be bothered to bring a work PC to their Holiday home.
I would assume some orgs made it public facing for covid and it remained like that
The answer is contractors and consultants. State agencies routinely work with third parties that need to be able to share files. Obviously this isn’t universal but it isn’t uncommon.
Hosting internal services be they SharePoint or Exchange behind a [pre-auth] reverse proxy isn't that unusual.
That’s the whole thing with Azure; it blurs the line between on-prem and cloud “because you can.”
I never remember thinking years ago how nice it would be to have all of our private docs that we only need to access on our private network accessible to the public. I just wasn’t thinking outside the box enough.
> It's interesting to me that you'd go the hassle of hosting your own SharePoint on prem, but leave it internet facing.
Once upon a time Microsoft marketed it as, and a lot of Orgs adopted SharePoint as their Intranet. With SharePoint 2019 being sunset, a lot of Orgs are scrambling to implement replacements.
SharePoint is a great way to share data with third parties. You may even know some of them.
Share to any Point
Excellent :D
> “Anybody who’s got a hosted SharePoint server has got a problem,” said Adam Meyers, senior vice president with CrowdStrike, a cybersecurity firm. “It’s a significant vulnerability.’’
Senior VP at CrowdStrike, so a professional in destroying large amounts of systems.
> cybersecurity firm
Sure, might as well call it that.
I have spent far too much of my life on SharePoint. Having it internet facing has never been a good idea. Not really what it is meant for, though the promo verbiage on that has changed over different versions.
Some folks wanted SharePoint as their "web server", I would set that installation up entirely separted from all other instances they may have on the network.
Actually it wasn't too long ago, in the early-2010's, that Microsoft was promoting SharePoint for internet sites; I think at one point some Europoean car manufacturer (BMW? Ferrari?) had their global marketing site on SharePoint. Of course that didn't last long, as Microsoft licensed it at a crazy price ($40k per site or something like that).
The Navy still runs more than a few web servers using Sharepoint, albeit behind dedicated network firewall appliances.
The Secretary of the Navy's page (at https://www.secnav.navy.mil/Pages/default.aspx) for instance, is a Sharepoint site. I used to maintain a Navy website hosted under there, and had a bunch of Hugo-specific scripts to convert a Hugo static site into something I could upload to the Sharepoint and have it mostly still work (which involved things like rewriting links and renaming files to end in .aspx).
Well, they would have had to purchase one Client Access License per potential device or user that would access the website. Since there's about 5-6 billion people with internet access, and a CAL is about $50 a pop, that would be roughly two hundred and fifty billion dollars to fully and correctly license a public server.
I worked on a couple of public facing SharePoint 2010 sites for large, well known companies before while it was in RC and immediately after - MS had a big marketing push to get people to build more than Intranet portals on it at the time. It seems like that died off entirely once Office 365 came around, and it was never a good idea in the first place, but it was definitely a thing.
2013 literally came with a tool to built a theme from your html and css and other features for hosting web sites.
And it probably needed a very hefty bunch of servers, even after caching, if you needed just a little bit of dynamic content or interaction with the site.
Microsoft.com and Office.com used to be entirely built upon SharePoint, as SharePoint solutions. It was to prove it out as possible, eat your own dogfood.
I think the shift away started in 2013 or 2014, but you can imagine the throw away effort spent on it.
Not sure about microsoft.com, but office.com frontend "rendering" SharePoint instances were read-only, not plain SharePoint exposed as-is.
I've only interacted with SharePoint briefly one time years ago, thought public web hosting was the entire purpose.
Isn't Office365 an online sharepoint?
Yes, as is OneDrive and Teams file sharing. Those, however, are part of SharePoint Online. SPO is distinct from this CVE, which only applies to the standalone SharePoint Server.
Yes I know.
What I was kind of implying is that if the codebase is not that different maybe there has been a complete breach of office365 and Microsoft has stayed quiet about that.
How did Principal Engineer Copilot not prevent this?!
This vuln might have existed before Copilot received that title bump. It could have been introduced while Copilot was just an intern
It's safe to say at this point. The more Microsoft relies on Copilot to solve its security problems, the more problems Microsoft will have.
Sounds like job security for Copilot!
You're joking, but many of the code bases I saw that were produced by/with AI-support are not maintainable by any sane human. The more you go AI, the less you can turn back.
Because the hackers used Copilot too, and one side has to win ... (?)
Question, is this just a joke about AI taking over our jobs, or did someone at Microsoft call Copilot a Principal Engineer?
I've heard many Pentagon employees claim that if someone wanted to take out the US military, all they'd have to do is kill Sharepoint.
It's the go-to warm-up joke whenever someone in the military gives a speech.
If somebody deleted PowerPoint the US Army would fall to its knees
Ah yeah power point not share point sorry.
We had a lot of SharePoint back in the day
Wasn’t Microsoft just recently using Chinese people living in China to administer DOD servers? I would guess they use Sharepoint inside the DOD?
Says this in the article:
> A programming flaw in its cloud services also allowed China-backed hackers to steal email from federal officials. On Friday, Microsoft said it would stop using China-based engineers to support Defense Department cloud-computing programs after a report by investigative outlet ProPublica revealed the practice, prompting Defense Secretary Pete Hegseth to order a review of Pentagon cloud deals.
Absolutely insane. Especially in light of their layoffs. Should be criminal. According to another comment in the thread, it is?
Microsoft only has a market cap if 3.7 trillion. They can't afford to hire domestically.
Anyway, from what I can tell being in this industry, a lot of things need to be explicitly illegal to stop companies from doing it.
Edit: The penalities also have to be meaningful. There's a lot of "technically not legal, but sue us lol" going on.
"Hey, this is a really really stupid idea." Isn't going to stop a middle manager from trying to come in under budget.
At most MS will pay a nominal fine, and proceed to learn nothing.
> "Hey, this is a really really stupid idea." Isn't going to stop a middle manager from trying to come in under budget.
Neither is "you can go to jail" when it comes to export controls training
Maybe instead of fines, large companies should be forbidden to do any new contracts for some months. That would be a larger incentive and also comprehensible to sales people.
In which magical country do you suspect this would be enforced ?
Microsoft also has a captive market here. Realistically you aren't going to migrate millions of employees and servers to another tech stack, even over something egregiously bad.
Something like storing cleared data really should be handled 100% internally with an open source stack that's regularly audited.
But that sounds really difficult, even if it would be cheaper or the same price in the long run.
One can dream.
I didn't suggested preventing the fulfillment of existing contracts. Nobody would change for all costumers. They just wouldn't get any new contractors.
Sanctions already exist.
Ok.
So after the current contract do you switch stacks, or just have a 3rd partner Microsoft shop maintain your existing stack?
Regardless, I don't think our current legal system has any real ability to hold a company like Microsoft accountable.
If you happen to be unlucky and Microsoft just got convicted, you either need to wait some months or go to a competitor. The state shouldn't care about that, when your mechanic just went to prison, what you're gonna do?
But yeah I don't know any party who has such ideas.
Excuse me??
Link: https://www.reuters.com/world/us/microsoft-stop-using-engine...
That is... crazy.
Would the CCP allow their cloud infra to be administrated by US staff in the US? Never.
The US doesn't either. Someone didn't comply with existing law here. I've been on a program where uncleared people from another business unit were used as internal labor loan for export controlled work. One of them was belatedly discovered to be a Canadian citizen and they were retasked the next day. There are strict rules in this domain. It's just that nobody gives a fuck about paying for an IT cost center to do things securely. Chalk up another win for outsourcing and moving to the cloud for cost savings.
There is a DoD version of M365 which has SPO, but that isn't what the article is discussing.
Revert to the typewriters for security
https://arstechnica.com/information-technology/2015/10/how-s...
My real-time security alert feed picked this up before the major news outlets:
https://zerodaypublishing.com/feed
This looks like quite an interesting service. Second the request for an RSS feed.
that's cool, do you support an RSS feed?
Not yet, but I’m planning to roll one out later this week! Are you in cybersecurity or just tracking vulnerabilities for fun/work?
I work both cybersec + fun/research, LOVE this resource and lucky to have come across it here. Subscribed via email & looking forward to RSS. Thanks for sharing it here!
Thanks so much, that really means a lot! I'm actively upgrading the feed right now: more vendors, faster signal (closer to real-time), and smarter triage to cut through the noise.
I’m also shaping a Pro tier and would love your input. Some of the things I’m working on:
Full access to all alerts (not just critical)
Fine-grained filtering (vendor, product, CVSS score, tags)
Delivery via webhooks, Slack, Teams, pagerduty, Splunk, other SIEMs
A “Time Machine” view so you can preview what you would’ve received had you been subscribed earlier
Would love to know what you’d want in a tool like this. Anything missing that would help your day-to-day in cybersec or research?
Meanwhile, Citrix has been on fire causing much worse things (you can just grab any session you want and become anyone who's already logged in). Who needs to break into SharePoint when you're becoming someone who's already got access... including to everything else (not just SharePoint)
It's patchable, but it's been two times in a row now, and patching is always slow and incomplete.
I wonder how widely this affected all 3 of Citrix customers?
Big customers though, like the VA and NIH
I was just building a SharePoint integration for some enterprise customers (I do RAG on their data) and I find it brutal, that now, I have access to all their SharePoint data for all SharePoint sites. Even the ones I don't want to index. And I even use user login over admin/service key login.
AFAIK, the Oauth claims of SharePoint don't allow specifying particular projects only. (BTW: same counts for platforms like ACC/BIM360)
If Sharepoint was an animal it would be a Duck-billed Platypus. I never understood why it got the degree of use that it did, even as a free product it was always best avoided. Everything seemed to be tacked on at a different angle from the normal one with broken interfaces in between.
this is barely one year after the CSRB recommended: "...Microsoft leadership should consider directing internal Microsoft teams to deprioritize feature developments across the company’s cloud infrastructure and product suite until substantial security improvements have been made in order to preclude competition for resources. In all instances, security risks should be fully and appropriately assessed and addressed before new features are deployed."
These recommendations followed a review of MS practices following the Exchange online compromise. I highly doubt anything changed at MS since then.
source: https://www.cisa.gov/sites/default/files/2025-03/CSRBReviewO...
At the risk of massive downvotes, I have to admit that a small part of me wants this so that maybe corporations stop using Sharepoint as soon as possible.
Seriously, I haven't used it since 2017, but every time I used it then it was the worst part of my day. I used to have a shirt that said SHarepoIT Happens that I would wear to work, and it seemed like the one thing I could get my coworkers agree on was that Sharepoint is terrible and we'd rather use anything else.
It’s impossible to stop using M365 while stopping usage of SharePoint (cloud or on-premises). See https://news.ycombinator.com/item?id=44640219
Here’s just one example:
Each M365 Teams Team creates an M365 Group which creates a SharePoint site and Exchange mailbox. Teams channel files are stored in that SharePoint site. Teams channel messages are stored in the Exchange mailbox.
Private files dropped in Teams are stored in OneDrive (rebranded SharePoint). Private Teams messages are stored in the sender and recipients’ Exchange mailboxes.
M365 is SharePoint and Exchange. EVERYTHING is built on top.
EDIT: changed ‘individual’ to ‘sender and recipients’
CORRECTION: Chats are only journaled to Exchange mailboxes for data compliance. Messages are actually stored in Cosmos DB. https://youtu.be/V6B4KraD-FM?feature=shared&t=319
Contacts and voicemail are stored in Exchange.
Diagram of data storage locations: https://youtu.be/V6B4KraD-FM?feature=shared&t=454
M365 Groups are still SharePoint + Exchange.
The whole Microsoft 365 environment is a mess. The web interface of SharePoint is super slow and buggy.
Why do I have a useless "General" folder in the root of my SharePoint documents, which I can't delete? I don't even have access to Teams, because I'm using the Teams-less M365 subscription for EU users.
Every day I think more and more that I should just switch provider for my small company.
> Private Teams messages are stored in individual Exchange mailboxes.
Good lord. It truly is a layer of dung layered upon more layers of dung.
Throwaway account so keep this comment separate from my main account.
I used to work within the Office group. The way that data is organized in Exchange is mind-boggling -- and not in a good way, IMO. Its design is from decades ago, and trying to understand how to find something really takes a lot of experience. Without going into any gruesome details of how it works, I'll just say that it is a HUGE hurdle to being productive for day-to-day work.
Similarly, I'm not surprised that there's some kooky way that the Teams folks shoehorned their data into the existing Exchange system -- they probably have no other way to operate at that scale without taking years in writing their own database system. (I can't imagine that using SQL Server to do this would be viable, either, given what they want to do and the capabilities already built on top of Exchange.)
> The way that data is organized in Exchange is mind-boggling -- and not in a good way, IMO. Its design is from decades ago, and trying to understand how to find something really takes a lot of experience
I assume you're talking about MAPI, which owes some of its baroque nature to X.400. It definitely comes from another time. It always struck me as over-engineered.
On the other hand, it has also been ridiculously successful.
To be fair exchange works quite well for mail and calendar, it syncs very fast, is easy to set up and the cloud version is easy to administer (i never had to admin an on-prem exchange but ive heard its not fun).
Using this infra for teams makes sense since it already works well. As one poster said, its probably via some hidden folder.
I wonder what they did with skype, did they actually integrate any of it into teams or just dump it entirely?
Teams was built from Skype. The fundamental infra for communication (chat, video call) was pulled out of Skype as a separate component and integrated into both. Skype the client is completely sunset, but a part of its back-end will continue to be used.
Skype Skype or Lync that was rebranded Skype Business?
Teams came from Skype. Skype Lync was just a client (so far as I know). Don't take my word for it though, I was not there during the transition, this is just my understanding from talking to the ones that were.
On-prem Exchange is usually fine. Migration is a pain, but for a mid-size org you can mostly just install it and use it. If you have multiple servers distributed globally and database availability groups and such, yeah, it gets to be its own thing, but that's because at that point you're huge and you're going to feel the pain no matter what platform you run.
I know it's popular to dump on Microsoft and there are some valid reasons, this is not one of them.
There are so many companies and businesses that rely on offline data, or silo'd data than will be tied through their AD LDAP account permission, M365, teams included, is such a better option than hand rolling all of them and praying you configured every service correctly.
I don't think this is nearly as crazy as you may think at first glance
Imagine if it was just a hidden (special) folder in an Exchange mailbox.
Voila, you already have a well-known and widely implemented and tested message syncing solution both for content and status (read/unread)
I assume Windows Phone worked the same way with its text message backup. When you'd set up a new phone it would take a while for your Microsoft account to finish syncing during which new messages would trickle into the Messaging app in real time. In fact if your old phone was still on WiFi new messages would show up on both. Still more advanced 15(?!) years ago than my Android today
explains why scrolling up in teams loads 3 messages at a time too
very slowly
and why the search doesn't work
When you dig it up, it is totally crazy and the total shit that we could expect.
Nothing works really well nowadays with exchange (classic, new, web, ...) or Teams. It is a complex layer based on sharepoint, that was not designed for that, because OneDrive is so bad that they have absolutely no way to manage a proper sharing of files between multiple persons, and so even less between teams and orgs.
Yeah. Once you start working with the SharePoint API and Exchange API, you realize how it’s a miracle that Teams works at all. It’s bonkers.
I once figured out that you can go to the permissions page on the SharePoint site created by Teams and remove access for the corresponding M365 group.
M365 relies on SharePoint and Exchange, but they don’t rely on M365. So, you can potentially break Teams.
At some point Microsoft tried to sell some automatic DRM system based on SharePoint to some company that I worked for.
The sales pitch was that they could upload documents to SharePoint and when people downloaded the documents SharePoint would automatically apply DRM so the documents could only be opened by that person on authorised machines for a specified number of days.
Well, it turned out depending on how you logged in (using the same account, just different login forms) on the SharePoint server it would either give you the files with DRM applied - or the completely unrestricted files.
We got some senior Microsoft consultant working directly for Microsoft to look at it but in the end they were just as confused as us.
As a mid size company that does work with government agencies, it’s near impossible to use anything ‘better’ solution. Cybersecurity requirements are getting so onerous that Sharepoint is too commercially feasible of an option to use anything else for a shared file store between organizations.
The fact that Sharepoint sucks* doesn’t matter… because anything else is seen as a risk.
* folders with lots of files are hard to scroll through because each page is lazy loaded, the automation functions are buggy, logins between different M365 tenants breaks and is not correctable by a normal site admin, human readable URL paths aren’t standard, search is shit, tables/filters are buggy, the new interface hides a bunch of the permissions logic, some things like permission groups need to be managed via outlook, etc etc. I’m sure a bunch of my gripes are technically fixable, but these aren’t things that should need a web search in order to use/fix.
It’s not cybersecurity. It’s legal, trust me. For large corporations, eDiscovery is huge. Failing eDiscovery can cost a company millions. Having a bunch of different data sources makes it impossible, so companies stick with M365 as corporate policy and call it a day.
My company has SharePoint and another internal site for documents/notes (think about Notion/Quip/Confluence). The other site works quite well, and most developers write all their notes/docs on it. But some people just insist on uploading Word documents to SharePoint. So now everybody else has to use SharePoint as well, plus search twice whenever they need to find something.
My boss spent over a year trying to get me to setup Sharepoint. About 6 months into this, I finally looked into it and what it provided and said no. Eventually he hired a second tech and he set it up "in an afternoon." Good for him. Nobody ever used it. He also stole my high speed USB drive.
While Sharepoint might some day die, it will only be replaced by another piece of software that gets launched for nobody to ever use.
Clearly Sharepoint is being used. Otherwise, this would not be a news story. So if every single Sharepoint user switched to another piece of software, it would be more than nobody using it.
I think you missed the joke here, being that Sharepoint is installed in many of orgs, but never used after installation.
I have worked at an org that did the same. We already had Confluence. Somebody decided we needed Sharepoint. We licensed and installed it. Six months later we migrated the handful of documents and files and decommissioned it.
> I think you missed the joke here,
probably so. every corp I've worked for that had Sharepoint used it religiously. that is a whopping 3 different companies, but > 1 anecdotal experience. to be fair though, 2 of the 3 companies used it because the same person was at both companies and was responsible for using it at both companies during their tenure.
SharePoint is like exchange. It will likely never die, instead becoming a hidden layer that has been papered over 100 times.
And sharepoint in large organisations I have been at recently is now using oauth which breaks Microsoft's own sharepoint client API. That whole software is one massive waste of time and buget.
SharePoint is garbage. Even nextcloud is way better and it doesn't exactly have the best reputation. It can't possibly be that hard can it...
I have never used SharePoint but I honestly cannot imagine it being worse than Nextcloud + Collabora Office. Which I do use almost every day.
You have no idea how good you have it.
Good news.
Teams is actually SharePoint.
It ain't going anywhere
My company was using slack and mattermost and consolidated to teams... It is so bad.
Unlike Slack and Mattermost. Teams was designed by layers of middle managers at big corporate. Teams is literally everything wrong with big corporate in one package, being shoved by morons on small companies. Overall it's crippling the American economy.
Sorry to disappoint you, but Sharepoint isn't going to die.
This is actually a great day for Microsoft. People will come to their cloud solutions in troves after this and everyone will be happy. Maybe not everyone, but Microsoft for sure.
I upvoted you .. share the same sentiment.
>At the risk of massive downvotes,
The only reason to get downvotes is nonsense of prefacing the post with the 'worry'. Sharepoint would be far from a first choice under normal circumstances (e.g. not bundled with excel and friends)
to accommodate $MSFT shareholders downvotes, have my upvote :)
nevertheless, even NFS is better than sharepoint. At least, NFS works...
i am sure nothing to do with this: https://www.tomshardware.com/tech-industry/cyber-security/mi...
It is instructive that we are seeing the results of DOGE's work:
"The process took six hours Saturday night — much longer than it otherwise would have, because the threat-intelligence and incident-response teams have been cut by 65 percent as CISA slashed funding, Rose said."
I'm not sure which part pisses me off more: that tons of professionals lost their jobs and will likely not work in public service again because of it, or that through all that, they barely found any actual waste at all. A fucking farce.
You're assuming their purpose was to find waste, it was not. Their purpose was to be the Chicago boys in DC.
Seems like generally it ended up being a surveillance play, in practice if not original intent. For example, Dog coin has been reported to be passing data taken from other agencies directly to ICE^[1] for law enforcement applications, and there was that other matter of logins apparently from Russia using accounts the Dog coin personnel demanded agencies create on their internal systems with (auditable) logging disabled^[2]. And probably more that I'm forgetting.
One does wonder whether this was all part of Musk's vision, or more thanks to the scum he hired to staff Dog coin and/or other lawless opportunists in the Trump administration.
[1] https://www.washingtonpost.com/immigration/2025/04/16/medica...
[2] https://www.reuters.com/technology/cybersecurity/whistleblow...
The idea that Musk's intent was to gut all of the agencies that were in a position to regulate any of his companies does seem to suggest that DOGE was an outstanding success.
Good point!
I see your refusal to acquiesce to Musk's appropriation of an innocent meme, and raise you a, "Keep calling it 'doge', but pronounce it phonetically to piss him off."
I can respect that but I honestly have no concept of how it's "supposed" to be pronounced. At least with Dog coin I know where I stand.
I'm assuming nothing of the sort. I assume what I always assume in these situations; that unqualified ignorant fuckwits convinced a bunch of other unqualified ignorant fuckwits to vote for them, so they could make their lack of understanding everyone else's problem. And likely get away with a huge sack of money Hanna Barbera style in the process.
The first obvious sign was that the people not holding office or having any access to government data were making unfounded claims about how the government was operating.
The move obvious sign is that people making that claim have a proven track record of being compulsive liars.
That anyone gives a word they say the time of day is actually crazy.
This is what happens when Chesterton's fence is ignored...
not just ignored but purposefully burnt down
Chesterton's fence, his dad's moat and his grandpa's bunker..
How about the fact that Elon and most of his cronies weren’t even born here and seem to feel that the people who were born here are stupid and/or lazy. Maybe only Vivek said that quiet part out loud, but they very much agreed on the solution.
There is waste. A God awful amount of waste, fraud, and abuse. You don't rack up a 1.8 trillion deficit and a debt per capita that is 7x the income per capita without waste, fraud, and abuse.
The problem is that while common sense would dictate those nonsensical expenses as such, they were part of the official process, so it was all legalized, so they avoid the FWA labels because the rule writers have made it so.
The problem with your argument is that Social Security (old people income), Medicare (old people healthcare) and interest on the national debt account for fully one half of total federal spending. Add in national defense and you reach two thirds.
Interest is trivially accounted for. We know how much debt is outstanding.
Social Security and Medicare expenditures are well within 5% of what should be expected, given the total population of the US and its age distribution.
Your God Awful amount of waste, fraud and abuse reduces to a fraction of a fraction of the total budget. A tiny fraction of a big number may be a big number, but it simply doesn't matter structurally.
The only way out is to cancel the entire military, slash social security or raise taxes. The rest of the stuff (even if it is purely waste with no useful purpose) simply doesn't add up to enough dollars to fix the budget.
I know this isn't what anyone wants to hear, but numbers are numbers and you can't just wish away unpleasant realities.
A solid portion of the 1.8 trillion figure the GP quoted was also the insane spending that had to happen to keep the economy somewhat afloat during the pandemic.
Of course in proper propagandist fashion, we only ever hear about how much money the undeserving poors got, and nothing about the millions upon millions of dollars in loans given to private businesses and their owners that were definitely, 100% used for them to weather the pandemic, and later forgiven despite being explicitly loans.
There is of course waste. But the budget for everything apart from social security, medicare/caid, and defense is very small in comparison to those. The US could cut everything except for those three and it wouldn't delay the debt bomb's detonation by more than a year. Current projections are around 20 years of current trends. The US has to keep borrowing, or the world economy breaks down with no reserve currency. The trick is that the borrowing needs to keep increasing the gdp at the same rate as the debt. I.E. the loans have to be spent on assets. That is not currently the case.
I'll tell you what pisses me off: Having to be subjected to low security services because one political party wants to run a reality TV show instead of caring for people. The consequences are all for us to bear.
Why isn't this under a branch of the military? Get lots of funding then. Protects national security
Because the losers and deadbeats who run the government have not figured out the right approach to making "pay 20x the current budget to military contractors to do half of what CISA does" sound like a good deal for taxpayers.
Damn maybe this hack could help me find fucking anything in there.
Is it possible that prior staff at companies like Microsoft may have injected backdoor vulnerabilities?
How is this auditable?
Strange question, why would it be impossible?
I got a 502 Bad Gateway for all our onprem SP sites for a few minutes last night, which is very unusual. Wondering if this had something to do with that.
With the chaos of the current administration has there ever been a better time? (other than maybe tomorrow)
I tell you in good faith: the chaotic response would have been to not notice, not disclose, not fix, and then go to the press claiming everything is fine, and accusing anyone saying otherwise of having a nefarious agenda.
I was concerned there wouldn’t be a political take
The root cause might less be whether an entity uses Linux or Windows but whether they use cloud or on-prem. No matter how skilled, the on-prem stuff getting maintained by IT/SOC (often external contractors) are unlikely to deliver the same level of diligence as one of the big cloud vendors.
Things are so complex we have critical bugs everywhere that can not be patched without major breakage. So what does a diligent org do? they make a risk-assessment to explain things away for legal & compliance purposes.
check your SCA/SBOM in any/most stacks if you think this is untrue ...
Haha, Microsoft, the source of all the leaks, it's always Microsoft, quick, let's give Microsoft even more government contracts! They truly are the best!
There is a war going on. It’s not just tanks in the Donbas, it’s a global intelligence and cybersecurity conflict.
Drat, and here I was telling myself that I'd much rather use SharePoint than Atlassian Confluence.
It's not right to victim blame but it's also not wrong. Akin to investing lots of money in a stock. If you took the risks of maintaining a public SharePoint server in 2025, here's your very bad day.
It's perfectly fine to victim blame corporations that keep kneecapping themselves. That's a hill I'm willing to day on.
Why is the US even using Microsoft? They’re in effect an Indian company now
even with GCC-High???
Wondering if this was a self goal to, you know, get people to use this enshittified product on the cloud?
There are basically two things at play here:
MS's hosted version of SharePoint. It's apparently unimpacted by this current round of attacks. DOD (since it's been brought up by other commenters) makes significant use of this.
People hosting SharePoint instances themselves. Some on-prem, some with rented computers. These are the impacted ones. It's not about "the cloud", it's about hosted SharePoint having weaknesses that were exploited and many organizations apparently leaving their SharePoint instances accessible over the open internet. These hosted instances are also probably old and unpatched which doesn't help things. Some (many?) units within DOD make use of this, but definitely not all.
I don't understand why anyone uses SharePoint. The product is extremely low quality. I have never met a happy SharePoint user. Now we also learn that it's insecure as well as having a horrible user experience.
It’s similar to Salesforce, Dynamics etc, they rarely achieve what they promise - the entire business is making executives feel like they’re transforming the business without taking on any risk.
Is it a coincidence that this was reported on the same day it was also reported that the FBI was storing the Epstein files on a Sharepoint server [1]?
https://www.muellershewrote.com/p/the-epstein-cover-up-at-th...
I was not sure if this was mere speculation on your part, but I think you might be onto something here.
https://www.muellershewrote.com/p/the-epstein-cover-up-at-th... | https://archive.is/RZqU0
> The process of reviewing the Epstein and Maxwell files was chaotic, and the orders were constantly changing - sometimes daily. One person I spoke to on the condition of anonymity said that many agents spent more time waiting for new instructions than they did processing files. But here’s what caught my attention: the files were stored on a shared drive that anyone in the division could access. Normally, access is only granted to those working on a project, but because of the hurried nature of the exercise, the usual permission restrictions were not in place. Additionally, the internal SharePoint site the bureau ended up using to distribute the files toward the end did not have the usual restricted permissions. This left the Epstein and Maxwell files open to viewing by a much larger group of people than previously thought.
So how does this work for someone to know what server to use the exploit? Do companies make their Sharepoint servers accessible to WWW? Do hackers need to use this on a network they've already pwnd? Finding out the FBI put something like this on a server open to the WWW would be classic. That much larger group just got a wee bit larger than they previously thought on their previously thought number.
> Do companies make their Sharepoint servers accessible to WWW?
Microsoft was pushing companies to use its Azure cloud services. Now everything is in the cloud. And accessible to WWW.
The post says it only applies to on-prem servers, not cloud ones like Microsoft 365.
If I am ever on the board of a company, I will always vote no confidence in the dipshit CTO or founder that willingly install/mandate use of Microsoft junk in the company.
As a corporate drone that has accidentally opened various Microsoft office suite links inside of Teams. My dislike for anything Microsoft continues to grow.
Am I surprised that sharepoint has vulnerabilities? Hell no.
What would you replace it with? Once an org gets to a certain size, they need something like sharepoint, and would they be any more secure?
> they need something like sharepoint
Or probably they don't.
Google Workspace. Yes.
Once worked at a place in 2017 with a dipshit CIO. Guy spent his entire time trying to evangelize Teams as the reason to switch to Microsoft. He ended up leaving 11 months into the gig and we were more than happy to stay on Slack.
It feels like Microsoft has a (bad) deal with every 3rd rate IT leader where the IT leader eschews Microsoft's BS in exchange for being "unfireable" because "who else knows how all the Microsoft stuff works?"
Another day another vulnerability with Microsoft. I wonder if this will incentivize the countries to move faster with Linux.
Probably not since there are so many of these breaches people just ignore them.
I miss the old days when a breach involved someone breaking into the computer room and grabbing as many mag tapes as they can carry and run :)
Oh, don't worry, there's plenty of known, unpatched vulnerabilities in FOSS, too.
I wonder what drives people using Microsoft and then using more from this company.
Somehow. Part of the game is that you’ve always an excuse with Microsoft. You cannot made responsible? There is this quote about IBM: But I cannot remember stories about suffering from IBM forever.From what I've seen in my industry? To pass all the liability to Microsoft.
"If something happens, we used enterprise grade industry standard software. We did our due diligence."
This outlook is basically why we can't innovate anymore.
I had to recently sit through a meeting where our CTO quoted all the "blogs" he's been reading as a way to slap down my suggestion for an in-house project.
It's all about CYA.
I call it the liabilty fairy.
It's why school boards don't do anything useful, among many many other things in our society. It's an endemic disease.
Most of the time it's extremely exaggerated, but it's trotted out and used as a CYA excuse almost immediately by most in the executive/managerial class. Both due to outright laziness and incompetence, and also as just a... why take any personal risk whatsoever making actual decisions with any impact if I can keep my cushy job and career rolling by being as milquetoast as possible.
Never mind you get the big bucks to make such important and controversial decisions at great personal (career) risk when some inevitably go wrong. Everyone forgot that part. Such roles should be hard, difficult, and risky.
Surely there's an untapped market for infosec liability insurance.
Pay the CYA bill, let the engineers build/choose something that actually works. Win-win.
They're using Microsoft because all of the alternatives have the same issues.
FOSS isn't magically immune to vulnerabilities.
It doesn't help that the FOSS community generally prefers the C programming language over more modern and safer alternatives as a cultural thing. The result is just as many vulnerabilities, if not more, per line of code or per feature. Keep in mind that SharePoint is an enormous product with a 3.6 GB ISO image used to install it. If you think anyone is able to develop that volume of server code and have zero vulnerabilities... I have a bridge to sell you.
First:
Valid point about the image size. A possible sign for bloat? Bloat is danger.
Second:
C, C++ or Rust are our tools. Everyone prefers another for technical and personal reasons. A religious believe in salvation by the next programming language is not helpful and causing harm. I hope sanitizers for C/C++ improve further - which improved safety a lot. For C++28 or C++3x we can hope for further safety improvements. Which we need.
Most bugs are logic errors. SharePoint is - according to my knowledge - implemented in C#. The CVEs mention deserialization of untrusted data, improper limitation of a pathname to a restricted directory ('path traversal'), improper control of generation of code ('code injection') and so on.
I'm rather careful about people requiring another language and claiming it will fix everything. Reliability needs hard work (design, code, review, testing...more review) even with well selected tools. I guess Microsoft does that. And I guess Microsoft works like the rest of the industry, focus on time-to-market and building a monopoly in every area. That's why we see rapid updates in a lot areas and - worse - enforced updates. And why software is known for it's low quality in comparsion to other industries?
Examples:
GNOME opted to use JavaScript in the hype back in 2010:
The code matured and it works now rather well. I didn't liked the decision back then. I don't like it now. But I also don't request a rewrite in C, C++, Rust or Python. Without good reasons (plural) it doesn't benefit the project.Java also suffered. This rewrite of C++ to Java with JRE is a example, why rewrites for the sake of rewrites aren't a solution:
https://neilmadden.blog/2022/04/19/psychic-signatures-in-jav...
There is no magic. Only thorough work.
We will always suffer from security issues and we shall be always careful.
Rust is very popular and quickly getting adopted. The number of Debian packages that use Rust libraries more then doubled and is now at 8%
https://www.phoronix.com/news/Rust-Debian-2025
Rust has never been successfully used to develop large-scale software of the size of SharePoint, Exchange, or anything of that order of magnitude: gigabytes of compiled code with the main executable being 10s of megabytes in size.
An observation I've made about Rust is that because it eschews OOP, it tends not to "scale" to large development teams for single applications. It's great for CLI tools, small web apps, etc... but after some scale it runs out of steam.
This is exacerbated by its glacial compile times compared to other languages, even C++, let alone C#.
I just can't imagine something the size of SharePoint being developed entirely in Rust!
> An observation I've made about Rust is that because it eschews OOP, it tends not to "scale" to large development teams for single applications.
Linux is written in C and "scales" to large teams. If folks were willing, I think most of Linux could be written in Rust.
Gigabytes of compiled source code sounds kind of sus, considering size of chromium and linux kernel etc.
Think of an app like SharePoint as "Linux Kernel + Drivers + Userspace tools". There's a few large monolithic executables some tens of megabytes in size for each of the core web apps and services, and then hundreds file format converter plugins, database drivers, etc, etc...
Chromium is similar. It's practically an operating system now, it even has USB drivers! I had to compile Chromium from scratch once, for which I spun up a 120-core cloud VM with 456 GB of memory so that it wouldn't take all day.
With Rust... that would take all week even on that box.
I mean.. people contributing to FOSS generally program in what they know - i.e. I have some time to contribute, I'll spend 10 productive hours in C, because I know what I'm doing, vs. learning Rust only to spend 30 hours and not really getting anything done.
I contributed to a Tcl/Tk library that I was using at work that had a specific issue with some image files, so I fixed it internally, and contributed the fix back to the FOSS project (with permission from work).
People working at Microsoft in the SharePoint team also program in a language/framework they know (and they must be masochists if they're working with ASP.NET WebForms). Knowledge of the language doesn't prevent vulnerabilities.
Genuinely asking - is there a Linux alternative to Sharepoint? I couldn't care less if it was lit on metaphorical fire and dumped into the sea, but a lot of orgs using it extensively.
For collaborative documentation, there’s probably a bunch of alternatives.
But SharePoint is the linchpin for Microsoft 365. Well technically SharePoint and Exchange. You can’t use any Microsoft 365 products without SharePoint.
OneDrive uses SharePoint. Outlook Groups and Teams Channels create Microsoft 365 Groups. Every Microsoft 365 Group creates a SharePoint site. Microsoft Loop uses Microsoft SharePoint Embedded.
SharePoint is now a “file and document management system suitable for use in any application”.
So, if you want an alternative to SharePoint you would need an alternative to any M365 Product, including Outlook and OneDrive.
Fun Fact: Teams messages are actually stored via Exchange Mailboxes.
https://learn.microsoft.com/en-us/sharepoint/dev/embedded/ov...
Yeah, that's what I'm thinking. Is it great? Well, no, but it's incredibly integrated and that has a great appeal to orgs.
Google Docs and Libre Office both produce compatible documents. There's really no reason to force one or the other.
It's just conflating needs. Document editing and file storage are two different tasks. It's weird that people want everything integrated. It's not much effort to just drag and drop a file into G-Drive, OneDrive, Dropbox, box.com...
What people want are systems that compose and work well together. That's what MS provides, or at least attempts to provide, with SharePoint. When you start trying to tack on collaborative document editors, workflow management systems, shared storage, and other capabilities from different providers or systems you run into more and more complications (especially because most of these don't offer any kind of standards compliance that lets them be used interchangeably). That's also why G-Suite works as a competitor to MS, it covers at least the more critical integrations that people want to work smoothly without needing to combine multiple maybe compatible things together.
> What people want are systems that compose and work well together.
Not really, that's managers' speak. All things SharePoint is just a data swamp.
You think people don't want systems that work well together? That they want isolated apps that don't communicate or work with each other?
> It's not much effort to just drag and drop a file into … OneDrive …
See, there’s the problem. Once you touch anything M365, you’re using SharePoint.
People see SharePoint as a document collaboration tool. But, in reality, it’s real use is as a data storage platform.
Which is so funny because it was a pain in the ass on prem to make sharepoint work for that purpose. Silly item restrictions, complaints about database sizes (which stored the files), etc
Most of the restrictions have been dropped. You can ignore the database size. Multi-TiB content databases are fine.
But SPO uses Azure Blob Storage to store content rather than SQL databases.
Sure. Just saying when that first was brought up in 2007+ and I had to admin it and people loved their folders and searching and such wouldn’t work because if the view sizes.
...That's a completely different complaint. And also solved long ago.
It was at the time when MS was marketing it as a CMS and file storage hence me saying that’s funny…
> Document editing and file storage are two different tasks.
Not if you want to enable multiple users to be live editing the document at the same time.
I've never been able to properly work on a Word document together with a colleague. Not even once. There's always some kind of bug or sync problem.
Google Docs, on the other hand, works great when you're working together on a document. Too bad they don't have a native client.
> I've never been able to properly work on a Word document together with a colleague. Not even once
Many millions of others seem to do it all the time without issue. I've done it practically every day for many years now and haven't run into sync issues for a long time.
It's not made to sync if two people are trying to open the file off a NAS, it's made for people editing files stored in OneDrive/SharePoint.
But as both examples show, you need to have your document editing and document storage closely working together for multi-user live editing to work. That's something that so far practically only integrated editors/storage platforms offer.
Nextcloud, particularly with the Collabora Office integration for real-time collaborative document editing. It's got some rough edges but I'd say it suits the majority of use cases now. I suggest spinning up a copy of the community edition in a VM to give it a spin, I was pleasantly surprised. There is a lot of money getting poured in right now as entities outside the US are exploring ways to ditch American software.
Works easily enough on digital ocean too.
Sorry, I don’t know the answer to your question, but I can offer some possible insight into why it’s used so much.
We’re on Microsoft 365 and technically fall into the camp of “uses SharePoint”, but only for “shared network folder” usage which OneDrive seamlessly synchronizes should you dislike the web interface. We don’t actively use any other features of it.
Also worth mentioning that realtime collaboration and automatic versioning of Office documents is seamless for files on SharePoint, even if opened on a desktop on a OneDrive synchronized folder.
Files shared over Teams as well as meeting recordings are also stored on SharePoint.
My point is that SharePoint is used a lot but possibly not in the way one might have assumed.
I don’t know if self hosted SharePoint can do all this.
> seamlessly
In 50 % of the time.
For the file storage/sharing/collaboration part, yeah - there's plenty, and sharepoint arguably sucks even for that.
What trapped a lot of orgs is making use of the whole PowerPlatform around sharepoint. There's a lot of crusty old LoB apps built with MS's no code tools (PowerAutomate, PowerApps) which run on SharePoint as the delivery platform. Some of these even hook into Excel files stored in the various document libraries, etc. There are entire, large business processes being handled by this platform, and so migrating will require actual dev time, which automatically makes it a non-starter for most, unfortunately. Doubly so when you consider that a lot of these "solutions" were built by non-devs, long since gone from the company and no one knows how deep the tentacles go.
> Genuinely asking - is there a Linux alternative to Sharepoint?
Genuinely asking - is there a Microsoft alternative to eBPF, k8s, nginx?
The answer is NO. Alternative to SharePoint is SharePoint. I would argue such project just not needed in general and therefor there is no 'alternative'.
The same people will tell you GIMP is a serious competitor to Photoshop.
And it will be true for 99% of use cases.
GIMP is falling behind because GenAI doesn't work out of the box.
git repo hosted on a secure server behind several layers of VPN? I'm sure I could probably come up with something more secure than freaking sharepoint
NextCloud is actively tries to be AIO replacement for SharePoint.
Of course it's quite a poor replacement but it does exists.
O365 is a poor amalgamation of like 18 different things. Quite frankly I hope there isn't a true "alternative" to it.
The reason orgs use Sharepoint is they are forced to if they use Microsoft. One drive is sharepoint, teams is sharepoint, sharepoint sites is sharepoint, etc...
I'm sure all those things have better alternatives, but Microsoft shoves them down your throat when you license with them.
> Sharepoint is a poor amalgamation of like 18 different things.
You’ve got it backwards. Everything M365 is an amalgamation of Entra, SharePoint, and Exchange.
Yes, thanks for the correction.
But it's understandable why an org would prefer that to having to maintain and manage the 18 things, right? It's a hard sell.
I'm not saying that wouldn't be better, but it makes sense why an org would be reluctant. Again, not a fan of Sharepoint myself, but from an org's viewpoint, moving to Linux raises more problems than it solves.
It's understandable, but it doesn't excuse how poorly everything actually works and how confusing it is to use and administrate.
To some extent I think Microsoft is largely in the business of building solutions for problems that don't exist.
Most orgs are probably perfectly fine with a document management system + desktop word application and then a commercial NAS for bulk storage / backups.
It's not just SharePoint, it's the entire Microsoft suite of "productivity" products that the government uses. Is there a Linux alternative to that?
nextcloud ?
For the self-hosted version: a Synology NAS.
As far as I can tell there's two vulnerabilities bundled up here. One is an unauthenticated command injection (!) vulnerability to steal some keys and the other is of course yet another serialization-based RCE in a safe language, mediated by signed cookies (signed with the keys stolen in step 1).
I don't understand how often this design has to blow up in people's faces until they stop doing this and use something dumb and safe instead.
> I wonder if this will incentivize the countries to move faster with Linux.
Countries are run by politicians. The ability of a politician to remember something is inverse proportional to the sum of money landed in its account.
I operate under the assumption that open source projects are compromised by states. If you espouse unpopular ideas or are yourself a state don’t rely on it.
Interesting, I'd more likely assume the same for closed source projects as there is less transparency into the supply chain
It’d be cheaper and quieter to compromise a few key employees in a private company…
Lets pretend what you are saying is true, which it is not. Who would you want to access your data ? The State or the "underworld". Many countries have laws on how to access your data. The underworld, you may wake up dead.
Granted there are countries that act like a Criminal Org., but if you live there you have more issues than your data.
With proprietary software, it is a much larger chance that backdoors exist than in Open Source. Many of us heard of 1 issue where it was claimed a project had a Gov sponsored BH in it. They did a long audit and found that was false.
Eventually Open Source backdoors will found in Open Systems. Proprietary you are SOL unless you do very expensive and very hard testing. Even then it is doubtful you will find a backdoor.
It is true. Denying trivial truths with the purpose of not giving an inch does not add to one's argument, it weakens it.
Plenty of closed source products will happily backdoor their products on request, without a warrant, if they are confident they will never be found out. That's the point. Not that FOSS source is somehow inviolable to nation-states with virtually infinite resources, many of which sponsor or contribute to the finance of a huge percentage of the development of FOSS themselves.
It's easier to find backdoors in FOSS if you're looking, because you're allowed to look. But somebody has to be looking.
https://news.ycombinator.com/item?id=27897975
https://archive.is/LVrQQ
Related:
ToolShell Mass Exploitation (CVE-2025-53770) - https://research.eye.security/sharepoint-under-siege/ | https://news.ycombinator.com/item?id=44629133
Why didn't they just rewrite it in Rust?
IIRC Microsoft is rewriting some of these backend services in Rust, although not because it will increase security but because it lets them get better perf than existing solutions without the safety tradeoff they'd have suffered to go to C++ which would have been their option 15-20 years ago. I don't know whether Sharepoint was on that list.
SharePoint is primarily written in C# [.NET Framework 4.8] and leverages ASP.NET; there would be no reason to rewrite the majority in another language. There is some C++ in SharePoint Search (and a few other components here and there).
IIS which SharePoint runs atop of is written in presumably primarily C.
You can decompile most of SharePoint if you ever need to peek at the code. That's a huge advantage to figure out how it works.
You also can get better velocity than with other languages due to the compile-time checks.
They should've just Linux.
Part of me hopes to see ICE’s personnel files leaked.
Something to understand about the word “leak” is that it implies at some point it was keeping things in. Microsoft security is so underfunded and garbage, it is fundamentally making technology as a whole unsafe.
Example: if Kroger or whatever your supermarket of choice distributed meat that was infected they would get sued to bits. Microsoft distributes thousands of malicious NPM dependencies and underfund the NPM security team - if there is such a thing - resulting in an entire industry of supplychain security companies to exist. No other registry has the issue of malicious packages as badly as NPM since Microsoft acquired Github.
Microsoft just does not know how to handle security, which is why so many security companies exist to fill their gaps. I don’t trust their security practices one bit tbh.