> CISA advises vulnerable organizations [...] to disconnect affected products from the public-facing Internet until an official patch is available.
It's interesting to me that you'd go the hassle of hosting your own SharePoint on prem, but leave it internet facing. I would have assumed a the Venn diagram of these organizations to be entirely contained in orgs forcing you to use a VPN.
CISA is so so vital. Investigating incredibly wide ranging attacks like this, or the Salt Typhoon attack are vital for this nation. But the show is being run by a bunch of people who value political dogma far above anything else. https://www.techdirt.com/tag/cisa/
Best practice is to assume the network is compromised - a VPN doesn't provide as much guarantee as people would like. In large fleets, devices are regularly lost, damaged, retired, etc. In organizations with high target value, physical penetration through any number of means should be assumed.
So you don't do that. You use zero trust and don't care that things are exposed to the internet.
Working from anywhere (remote sites, home, your phone) is a huge benefit. Organizations want to control their data entirely while still wanting their organization to be able to access it.
Microsoft’s version of “Zero Trust” doesn’t care if things are reachable from the public internet. They have been preaching “identity is the new perimeter” [1] for years, and it doesn’t wash.
The NIST Zero Trust Architecture (ZTA) implementation guides (SP 1800-35) [2] cut through the nonsense and AI generated marketing smoke.
In ZTA, ALL network locations are untrusted. Network connections are created by a Policy Engine that creates and tears down tunnels to each resource dynamically using attribute-based-access-controls (ABAC). Per request.
Microsoft doesn’t have any products that can do full ZTA, so several pillars are missing from their “Zero Trust” marketing materials.
why bother when not a single vulnerability has resulted in any appreciable fines or loss of market share? it's absurd how untouchable their ubiquity has become.
> Network connections are created by a Policy Engine that creates and tears down tunnels to each resource dynamically using attribute-based-access-controls (ABAC). Per request.
What does it mean in technical terms? What kind of tunnels are whose and what is their purpose?
There are four different micro-segmentation variations in the NIST reference guide: device-agent/gateway, enclaves, resource portals, and application sandboxing.
Basically a policy evaluation point (PEP) evaluates the security posture of both parties before and after a handshake, then creates a logical or physical path of some kind of between the actor and the resource. This can be done with software-defined virtual networks and stateful firewalls, at one or more of the OSI layers.
In zero trust "exposed to the internet" is a bit of a misnomer compared to how traditional security would use the term. A better description might be "you're allowed to form a session to it from over the internet but only after your identity and set of rights have been verified". From this view: "zero trust" < "vpn" < "wide open" (in terms of exposure).
In a pure implementation, the same level of trust is implied (absolutely none at all) whether a device is connecting to a resource from the public internet or the same subnet.
Think machine certs (stored in a TPM). Plus perimeter-enforced username/password/2FA. Plus additional policy checks, like making sure your machine is up to date on security patches.
It doesn’t matter what network you are connecting from, but it does matter that you’re connecting from a company-issued laptop that’s in a trustworthy state.
So it's essentially a more seamless and granular analog of a VPN? A device sits in front of the network and requires some sort of authenticated handshake (ideally all SSO) before passing packets through to a target endpoint?
Something I'll add to the other responses is "the network" isn't an assumption of zero trust. Whether it's a single server on the private corporate network or a multi-cloud multi-region service hosted on the internet zero trust treats them the same.
My way of mapping it to VPN mindset is "per app clientless VPNs straight to where the things are hosted". In an extremely open ruleset with all of the servers on a corporate network this could theoretically devolve into "a traditional clientless VPN to the office".
They can be implemented using a variety of technical patterns but they all share a common "each request is authenticated, encrypted" property instead of "anything goes once the tunnel is up" property.
Yes, that's zero trust in a nutshell: A VPN that does a tunnel per TCP connection instead of one tunnel for all TCP connections.
The other salient point is that all connections are established outbound through a broker, and importantly this is the case from both sides: The appliance at the terminating end of the tunnel establishes reverse tunnels to the broker for the connections, so it's never "exposed to the internet".
The broker can then push to your SIEM or whatever so you can have your SOC log jockeys harass your employees for accidentally leaving NordVPN on after watching international sports.
There are actual benefits: You can do things like allow logins to system A from anywhere, but system B only from your home country, you can do JIT network access requests, etc... but mostly it's vendor marketing to get you to spend too much money.
Arainach is advocating for something called "Zero Trust" which, from a user's perspective, is very much like a VPN.
It's software your employer pre-installs on your work PC, that asks you to log in with your work SSO credentials, performs some endpoint security checks, then routes your traffic over a virtual network adapter, and thereby allows you to access workplace resources, even when working from home.
The main difference is it adds some semi-authenticated states. Correct device, username, password, and 2FA, but failed a device posture check because they plugged their phone into their laptop to charge it? The 'Zero Trust' system can block some systems, while letting them retain access to others.
The other big difference is the pricing - rather than paying a five-figure sum upfront for networking hardware, you instead pay $25 per employee per month, forever.
Zero trust is when every session with every service is like its own VPN, independently authenticated and encrypted. Consider the way an HTTPS session between a server and a browser is created anew every time the browser accesses a domain, and ends after a short flurry of requests needed to load a page.
There's a significant difference which my original message hints at and is subsequently clarified: there's still an intermediary. If there's an exploit in the service, like this case, it's still not directly exposed. The intermediary device is still sitting in between and won't allow any old traffic through without separate authorization
The product was explicitly promoted as being useful to run public websites. Before cloud took off we had Microsoft sales people in our office announcing the death of Wordpress with the latest Sharepoint release. That position may be old, but plenty of orgs live in the past.
The answer is contractors and consultants. State agencies routinely work with third parties that need to be able to share files. Obviously this isn’t universal but it isn’t uncommon.
That’s the whole thing with Azure; it blurs the line between on-prem and cloud “because you can.”
I never remember thinking years ago how nice it would be to have all of our private docs that we only need to access on our private network accessible to the public. I just wasn’t thinking outside the box enough.
> It's interesting to me that you'd go the hassle of hosting your own SharePoint on prem, but leave it internet facing.
Once upon a time Microsoft marketed it as, and a lot of Orgs adopted SharePoint as their Intranet. With SharePoint 2019 being sunset, a lot of Orgs are scrambling to implement replacements.
We need more Red Hat and less Microsoft in the on-prem enterprise business. These exploitable vulnerabilities are unacceptable when your customers are the likes of DoD.
No one considers Google anything less than an impenetrable fortress, but when it's some government entity responsible for keeping American lives safe it's like "ah yeah they probably have a vulnerable on-prem Sharepoint that could easily be pwned."
So why is this? Why do Microsoft products enjoy a monopoly on the server in these sectors when more secure (Linux-based) options are far cheaper and widely deployed already? Isn't security the number one priority in those spaces?
Most enterprise PCs are Windows machines and integrate with Microsoft services easily. The only way Microsoft is going to lose the enterprise market is if enterprise PCs move away from Windows.
But, for enterprises, the only reasonable migration away from Windows is Mac. JAMF Pro for Mac can be hosted on-premise on Linux. The majority of enterprise software runs on Mac. However, Macs are expensive so it's unlikely to overtake Windows enterprise machine usage.
Hardware support for Linux PCs is poor and lacks the manageable of Windows PCs with Active Directory and GPO, or JAMF for Macs. Enterprise software usually doesn't support Linux. Linux PCs are uncommon for personal use and corporations don't want to train users how to use Linux.
I can assure you, the DoD isn't a bunch of windows servers hosting sharepoint for the public. Federal government IT in general is a RHEL shop, at least serverside.
Microsoft invested in making integrated Windows-based business software and a big closed-source ecosystem and/or bought other tech companies that previously developed similar tech. Some of them older than Red Hat even Microsoft.
Where is the equivalent tech on the Linux side that Red Hat developed? They simply didn't have a competitive enough alternative. Usually anything outside of cloud/web server space, you'd find alternative open-source projects rotting with non-clear ownership and year old last commits. Red Hat and Linux world weren't interested in developing those things. They weren't interested in making competitive user friendly alternatives that enabled non-programmer users. It is hard, thankless, soul crushing work that nobody does anymore since Microsoft bought or eliminated them. There are simply no equivalent alternatives in the open source world because competing with Microsoft requires accepting significant losses as a company for a long time. Google Workspace is a thing only because Google can finance its developers with ad money.
Just having Linux is no golden key to security either. You need to put the exact amount of barriers in front of your on-prem servers regardless of the OS.
The whole security mess is just the symptom of capitalist economy. Most companies give 0 fucks about it because caring about security is costly and time consuming. With the race to the bottom for first-to-market, caring about security is a risk, it is a distraction. They ignore it until they establish a position and maybe their misdeeds become a liability. However, no company got actually severely punished for not caring about security. So it is still seen as cost by many.
Most government IT is using RHEL. You are correct, it is because of the thankless work they put into long term enterprise support. Microsoft doesn't do anything like that.
The clients of said server are not going to be Linux. Running a secure, working, manageable CIFS server on Linux serving Windows clients is surely going to cost much more than just using the Microsoft solution. Some products don't even work at all with that configuration (e.g. Quickbooks Enterprise).
Could be that Microsoft can navigate all the regulatory bullshit that surrounds anything government. I don't know of anyone doing that for anything Linux.
There's tons of Red Hat in federal IT, that's not the issue. It's just that Microsoft dominates the client-facing software business, and Red Hat has minimal presence there so while you might see RHEL desktops at e.g. NASA you're unlikely to see them anywhere else, and there's no real open source equivalent of SharePoint or Office out there.
Maybe [0] will be one, eventually, but it would take a long long time to replicate the functionality if it were to ever happen. Best case scenario is that the EU were to fund an open source solution.
I have spent far too much of my life on SharePoint.
Having it internet facing has never been a good idea.
Not really what it is meant for, though the promo verbiage
on that has changed over different versions.
Some folks wanted SharePoint as their "web server",
I would set that installation up entirely separted from
all other instances they may have on the network.
Actually it wasn't too long ago, in the early-2010's, that Microsoft was promoting SharePoint for internet sites; I think at one point some Europoean car manufacturer (BMW? Ferrari?) had their global marketing site on SharePoint. Of course that didn't last long, as Microsoft licensed it at a crazy price ($40k per site or something like that).
I worked on a couple of public facing SharePoint 2010 sites for large, well known companies before while it was in RC and immediately after - MS had a big marketing push to get people to build more than Intranet portals on it at the time. It seems like that died off entirely once Office 365 came around, and it was never a good idea in the first place, but it was definitely a thing.
And it probably needed a very hefty bunch of servers, even after caching, if you needed just a little bit of dynamic content or interaction with the site.
> A programming flaw in its cloud services also allowed China-backed hackers to steal email from federal officials. On Friday, Microsoft said it would stop using China-based engineers to support Defense Department cloud-computing programs after a report by investigative outlet ProPublica revealed the practice, prompting Defense Secretary Pete Hegseth to order a review of Pentagon cloud deals.
The US doesn't either. Someone didn't comply with existing law here. I've been on a program where uncleared people from another business unit were used as internal labor loan for export controlled work. One of them was belatedly discovered to be a Canadian citizen and they were retasked the next day. There are strict rules in this domain. It's just that nobody gives a fuck about paying for an IT cost center to do things securely. Chalk up another win for outsourcing and moving to the cloud for cost savings.
Meanwhile, Citrix has been on fire causing much worse things (you can just grab any session you want and become anyone who's already logged in). Who needs to break into SharePoint when you're becoming someone who's already got access... including to everything else (not just SharePoint)
It's patchable, but it's been two times in a row now, and patching is always slow and incomplete.
Something to understand about the word “leak” is that it implies at some point it was keeping things in. Microsoft security is so underfunded and garbage, it is fundamentally making technology as a whole unsafe.
Example: if Kroger or whatever your supermarket of choice distributed meat that was infected they would get sued to bits. Microsoft distributes thousands of malicious NPM dependencies and underfund the NPM security team - if there is such a thing - resulting in an entire industry of supplychain security companies to exist. No other registry has the issue of malicious packages as badly as NPM since Microsoft acquired Github.
Microsoft just does not know how to handle security, which is why so many security companies exist to fill their gaps. I don’t trust their security practices one bit tbh.
At the risk of massive downvotes, I have to admit that a small part of me wants this so that maybe corporations stop using Sharepoint as soon as possible.
Seriously, I haven't used it since 2017, but every time I used it then it was the worst part of my day. I used to have a shirt that said SHarepoIT Happens that I would wear to work, and it seemed like the one thing I could get my coworkers agree on was that Sharepoint is terrible and we'd rather use anything else.
Each M365 Teams Team creates an M365 Group which creates a SharePoint site and Exchange mailbox. Teams channel files are stored in that SharePoint site. Teams channel messages are stored in the Exchange mailbox.
Private files dropped in Teams are stored in OneDrive (rebranded SharePoint). Private Teams messages are stored in the sender and recipients’ Exchange mailboxes.
M365 is SharePoint and Exchange. EVERYTHING is built on top.
EDIT: changed ‘individual’ to ‘sender and recipients’
Throwaway account so keep this comment separate from my main account.
I used to work within the Office group. The way that data is organized in Exchange is mind-boggling -- and not in a good way, IMO. Its design is from decades ago, and trying to understand how to find something really takes a lot of experience. Without going into any gruesome details of how it works, I'll just say that it is a HUGE hurdle to being productive for day-to-day work.
Similarly, I'm not surprised that there's some kooky way that the Teams folks shoehorned their data into the existing Exchange system -- they probably have no other way to operate at that scale without taking years in writing their own database system. (I can't imagine that using SQL Server to do this would be viable, either, given what they want to do and the capabilities already built on top of Exchange.)
> The way that data is organized in Exchange is mind-boggling -- and not in a good way, IMO. Its design is from decades ago, and trying to understand how to find something really takes a lot of experience
I assume you're talking about MAPI, which owes some of its baroque nature to X.400. It definitely comes from another time. It always struck me as over-engineered.
On the other hand, it has also been ridiculously successful.
To be fair exchange works quite well for mail and calendar, it syncs very fast, is easy to set up and the cloud version is easy to administer (i never had to admin an on-prem exchange but ive heard its not fun).
Using this infra for teams makes sense since it already works well. As one poster said, its probably via some hidden folder.
I wonder what they did with skype, did they actually integrate any of it into teams or just dump it entirely?
I know it's popular to dump on Microsoft and there are some valid reasons, this is not one of them.
There are so many companies and businesses that rely on offline data, or silo'd data than will be tied through their AD LDAP account permission, M365, teams included, is such a better option than hand rolling all of them and praying you configured every service correctly.
I don't think this is nearly as crazy as you may think at first glance
Imagine if it was just a hidden (special) folder in an Exchange mailbox.
Voila, you already have a well-known and widely implemented and tested message syncing solution both for content and status (read/unread)
I assume Windows Phone worked the same way with its text message backup. When you'd set up a new phone it would take a while for your Microsoft account to finish syncing during which new messages would trickle into the Messaging app in real time. In fact if your old phone was still on WiFi new messages would show up on both. Still more advanced 15(?!) years ago than my Android today
When you dig it up, it is totally crazy and the total shit that we could expect.
Nothing works really well nowadays with exchange (classic, new, web, ...) or Teams.
It is a complex layer based on sharepoint, that was not designed for that, because OneDrive is so bad that they have absolutely no way to manage a proper sharing of files between multiple persons, and so even less between teams and orgs.
At some point Microsoft tried to sell some automatic DRM system based on SharePoint to some company that I worked for.
The sales pitch was that they could upload documents to SharePoint and when people downloaded the documents SharePoint would automatically apply DRM so the documents could only be opened by that person on authorised machines for a specified number of days.
Well, it turned out depending on how you logged in (using the same account, just different login forms) on the SharePoint server it would either give you the files with DRM applied - or the completely unrestricted files.
We got some senior Microsoft consultant working directly for Microsoft to look at it but in the end they were just as confused as us.
My company has SharePoint and another internal site for documents/notes (think about Notion/Quip/Confluence). The other site works quite well, and most developers write all their notes/docs on it. But some people just insist on uploading Word documents to SharePoint. So now everybody else has to use SharePoint as well, plus search twice whenever they need to find something.
My boss spent over a year trying to get me to setup Sharepoint. About 6 months into this, I finally looked into it and what it provided and said no. Eventually he hired a second tech and he set it up "in an afternoon." Good for him. Nobody ever used it. He also stole my high speed USB drive.
Clearly Sharepoint is being used. Otherwise, this would not be a news story. So if every single Sharepoint user switched to another piece of software, it would be more than nobody using it.
I think you missed the joke here, being that Sharepoint is installed in many of orgs, but never used after installation.
I have worked at an org that did the same. We already had Confluence. Somebody decided we needed Sharepoint. We licensed and installed it. Six months later we migrated the handful of documents and files and decommissioned it.
probably so. every corp I've worked for that had Sharepoint used it religiously. that is a whopping 3 different companies, but > 1 anecdotal experience. to be fair though, 2 of the 3 companies used it because the same person was at both companies and was responsible for using it at both companies during their tenure.
As a mid size company that does work with government agencies, it’s near impossible to use anything ‘better’ solution. Cybersecurity requirements are getting so onerous that Sharepoint is too commercially feasible of an option to use anything else for a shared file store between organizations.
The fact that Sharepoint sucks* doesn’t matter… because anything else is seen as a risk.
* folders with lots of files are hard to scroll through because each page is lazy loaded, the automation functions are buggy, logins between different M365 tenants breaks and is not correctable by a normal site admin, human readable URL paths aren’t standard, search is shit, tables/filters are buggy, the new interface hides a bunch of the permissions logic, some things like permission groups need to be managed via outlook, etc etc. I’m sure a bunch of my gripes are technically fixable, but these aren’t things that should need a web search in order to use/fix.
It’s not cybersecurity. It’s legal, trust me. For large corporations, eDiscovery is huge. Failing eDiscovery can cost a company millions. Having a bunch of different data sources makes it impossible, so companies stick with M365 as corporate policy and call it a day.
And sharepoint in large organisations I have been at recently is now using oauth which breaks Microsoft's own sharepoint client API. That whole software is one massive waste of time and buget.
Sorry to disappoint you, but Sharepoint isn't going to die.
This is actually a great day for Microsoft. People will come to their cloud solutions in troves after this and everyone will be happy. Maybe not everyone, but Microsoft for sure.
The only reason to get downvotes is nonsense of prefacing the post with the 'worry'. Sharepoint would be far from a first choice under normal circumstances (e.g. not bundled with excel and friends)
It is instructive that we are seeing the results of DOGE's work:
"The process took six hours Saturday night — much longer than it otherwise would have, because the threat-intelligence and incident-response teams have been cut by 65 percent as CISA slashed funding, Rose said."
I'm not sure which part pisses me off more: that tons of professionals lost their jobs and will likely not work in public service again because of it, or that through all that, they barely found any actual waste at all. A fucking farce.
Seems like generally it ended up being a surveillance play, in practice if not original intent. For example, Dog coin has been reported to be passing data taken from other agencies directly to ICE^[1] for law enforcement applications, and there was that other matter of logins apparently from Russia using accounts the Dog coin personnel demanded agencies create on their internal systems with (auditable) logging disabled^[2]. And probably more that I'm forgetting.
One does wonder whether this was all part of Musk's vision, or more thanks to the scum he hired to staff Dog coin and/or other lawless opportunists in the Trump administration.
The idea that Musk's intent was to gut all of the agencies that were in a position to regulate any of his companies does seem to suggest that DOGE was an outstanding success.
I see your refusal to acquiesce to Musk's appropriation of an innocent meme, and raise you a, "Keep calling it 'doge', but pronounce it phonetically to piss him off."
The first obvious sign was that the people not holding office or having any access to government data were making unfounded claims about how the government was operating.
There is waste. A God awful amount of waste, fraud, and abuse. You don't rack up a 1.8 trillion deficit and a debt per capita that is 7x the income per capita without waste, fraud, and abuse.
The problem is that while common sense would dictate those nonsensical expenses as such, they were part of the official process, so it was all legalized, so they avoid the FWA labels because the rule writers have made it so.
There is of course waste. But the budget for everything apart from social security, medicare/caid, and defense is very small in comparison to those. The US could cut everything except for those three and it wouldn't delay the debt bomb's detonation by more than a year. Current projections are around 20 years of current trends. The US has to keep borrowing, or the world economy breaks down with no reserve currency. The trick is that the borrowing needs to keep increasing the gdp at the same rate as the debt. I.E. the loans have to be spent on assets. That is not currently the case.
The problem with your argument is that Social Security (old people income), Medicare (old people healthcare) and interest on the national debt account for fully one half of total federal spending. Add in national defense and you reach two thirds.
Interest is trivially accounted for. We know how much debt is outstanding.
Social Security and Medicare expenditures are well within 5% of what should be expected, given the total population of the US and its age distribution.
Your God Awful amount of waste, fraud and abuse reduces to a fraction of a fraction of the total budget. A tiny fraction of a big number may be a big number, but it simply doesn't matter structurally.
The only way out is to cancel the entire military, slash social security or raise taxes. The rest of the stuff (even if it is purely waste with no useful purpose) simply doesn't add up to enough dollars to fix the budget.
I know this isn't what anyone wants to hear, but numbers are numbers and you can't just wish away unpleasant realities.
How about the fact that Elon and most of his cronies weren’t even born here and seem to feel that the people who were born here are stupid and/or lazy. Maybe only Vivek said that quiet part out loud, but they very much agreed on the solution.
I'll tell you what pisses me off: Having to be subjected to low security services because one political party wants to run a reality TV show instead of caring for people. The consequences are all for us to bear.
MS's hosted version of SharePoint. It's apparently unimpacted by this current round of attacks. DOD (since it's been brought up by other commenters) makes significant use of this.
People hosting SharePoint instances themselves. Some on-prem, some with rented computers. These are the impacted ones. It's not about "the cloud", it's about hosted SharePoint having weaknesses that were exploited and many organizations apparently leaving their SharePoint instances accessible over the open internet. These hosted instances are also probably old and unpatched which doesn't help things. Some (many?) units within DOD make use of this, but definitely not all.
Tinfoil theory, but what if Microsoft secretly sponsored the attack so that users ditch onprem in favour of the hosted cloud version? Microsoft is in the best position to know of their own software's shortcomings and would have just needed to pay the right folks to do the dirty job.
I mean, dumber things have happened. Governments have destroyed their own government buildings to blame on the opposition and gain sympathy for their causes.
Yes, false flags. That's usually used to motivate people to go attack someone or to garner sympathy or support for a cause. MS's products being subject to attacks because they have numerous vulnerabilities does not encourage anyone to go out and buy other MS products.
You sink one of your own naval vessels (or it sinks due to an accident and you take advantage of the situation) and blame it on an enemy. That enemy is now the target of your military and your population approves.
A shipbuilder hires someone to poke a hole in 1000 of their ships that are so badly designed and manufactured that it only takes a rubber ducky bouncing off the hull to sink them does not encourage anyone to go back to that shipbuilder.
False flags (particularly of the "let's kill or maim hundreds of our own people and other innocent people" variety) push into evil territory. They aren't dumb on their own, they're calculated risks predicated on the willingness of the masses to fall in line after a catastrophe.
Deliberately hurting your own customers by using weaknesses in your own systems in order to motivate them to go buy your other products or services is dumb.
It's not right to victim blame but it's also not wrong. Akin to investing lots of money in a stock. If you took the risks of maintaining a public SharePoint server in 2025, here's your very bad day.
If I am ever on the board of a company, I will always vote no confidence in the dipshit CTO or founder that willingly install/mandate use of Microsoft junk in the company.
As a corporate drone that has accidentally opened various Microsoft office suite links inside of Teams. My dislike for anything Microsoft continues to grow.
Am I surprised that sharepoint has vulnerabilities? Hell no.
Once worked at a place in 2017 with a dipshit CIO. Guy spent his entire time trying to evangelize Teams as the reason to switch to Microsoft. He ended up leaving 11 months into the gig and we were more than happy to stay on Slack.
It feels like Microsoft has a (bad) deal with every 3rd rate IT leader where the IT leader eschews Microsoft's BS in exchange for being "unfireable" because "who else knows how all the Microsoft stuff works?"
I wonder what drives people using Microsoft and then using more from this company.
We didn’t knew it better, back then. We knew it better, now. But migrating is work. So we prefer to suffer! And harm others! This Linux and BSD people are so annoying with their desire for compatibility. They shall suffer, too! And when we buy everything from a Monopoly, we don’t need to think.
Somehow. Part of the game is that you’ve always an excuse with Microsoft. You cannot made responsible? There is this quote about IBM:
Nobody Ever Got Fired for Buying IBM.
But I cannot remember stories about suffering from IBM forever.
From what I've seen in my industry? To pass all the liability to Microsoft.
"If something happens, we used enterprise grade industry standard software. We did our due diligence."
This outlook is basically why we can't innovate anymore.
I had to recently sit through a meeting where our CTO quoted all the "blogs" he's been reading as a way to slap down my suggestion for an in-house project.
It's why school boards don't do anything useful, among many many other things in our society. It's an endemic disease.
Most of the time it's extremely exaggerated, but it's trotted out and used as a CYA excuse almost immediately by most in the executive/managerial class. Both due to outright laziness and incompetence, and also as just a... why take any personal risk whatsoever making actual decisions with any impact if I can keep my cushy job and career rolling by being as milquetoast as possible.
Never mind you get the big bucks to make such important and controversial decisions at great personal (career) risk when some inevitably go wrong. Everyone forgot that part. Such roles should be hard, difficult, and risky.
They're using Microsoft because all of the alternatives have the same issues.
FOSS isn't magically immune to vulnerabilities.
It doesn't help that the FOSS community generally prefers the C programming language over more modern and safer alternatives as a cultural thing. The result is just as many vulnerabilities, if not more, per line of code or per feature. Keep in mind that SharePoint is an enormous product with a 3.6 GB ISO image used to install it. If you think anyone is able to develop that volume of server code and have zero vulnerabilities... I have a bridge to sell you.
Rust has never been successfully used to develop large-scale software of the size of SharePoint, Exchange, or anything of that order of magnitude: gigabytes of compiled code with the main executable being 10s of megabytes in size.
An observation I've made about Rust is that because it eschews OOP, it tends not to "scale" to large development teams for single applications. It's great for CLI tools, small web apps, etc... but after some scale it runs out of steam.
This is exacerbated by its glacial compile times compared to other languages, even C++, let alone C#.
I just can't imagine something the size of SharePoint being developed entirely in Rust!
I mean.. people contributing to FOSS generally program in what they know - i.e. I have some time to contribute, I'll spend 10 productive hours in C, because I know what I'm doing, vs. learning Rust only to spend 30 hours and not really getting anything done.
I contributed to a Tcl/Tk library that I was using at work that had a specific issue with some image files, so I fixed it internally, and contributed the fix back to the FOSS project (with permission from work).
Genuinely asking - is there a Linux alternative to Sharepoint? I couldn't care less if it was lit on metaphorical fire and dumped into the sea, but a lot of orgs using it extensively.
For collaborative documentation, there’s probably a bunch of alternatives.
But SharePoint is the linchpin for Microsoft 365. Well technically SharePoint and Exchange. You can’t use any Microsoft 365 products without SharePoint.
OneDrive uses SharePoint. Outlook Groups and Teams Channels create Microsoft 365 Groups. Every Microsoft 365 Group creates a SharePoint site. Microsoft Loop uses Microsoft SharePoint Embedded.
SharePoint is now a “file and document management system suitable for use in any application”.
So, if you want an alternative to SharePoint you would need an alternative to any M365 Product, including Outlook and OneDrive.
Fun Fact: Teams messages are actually stored via Exchange Mailboxes.
Google Docs and Libre Office both produce compatible documents. There's really no reason to force one or the other.
It's just conflating needs. Document editing and file storage are two different tasks. It's weird that people want everything integrated. It's not much effort to just drag and drop a file into G-Drive, OneDrive, Dropbox, box.com...
What people want are systems that compose and work well together. That's what MS provides, or at least attempts to provide, with SharePoint. When you start trying to tack on collaborative document editors, workflow management systems, shared storage, and other capabilities from different providers or systems you run into more and more complications (especially because most of these don't offer any kind of standards compliance that lets them be used interchangeably). That's also why G-Suite works as a competitor to MS, it covers at least the more critical integrations that people want to work smoothly without needing to combine multiple maybe compatible things together.
Which is so funny because it was a pain in the ass on prem to make sharepoint work for that purpose. Silly item restrictions, complaints about database sizes (which stored the files), etc
Sorry, I don’t know the answer to your question, but I can offer some possible insight into why it’s used so much.
We’re on Microsoft 365 and technically fall into the camp of “uses SharePoint”, but only for “shared network folder” usage which OneDrive seamlessly synchronizes should you dislike the web interface. We don’t actively use any other features of it.
Also worth mentioning that realtime collaboration and automatic versioning of Office documents is seamless for files on SharePoint, even if opened on a desktop on a OneDrive synchronized folder.
Files shared over Teams as well as meeting recordings are also stored on SharePoint.
My point is that SharePoint is used a lot but possibly not in the way one might have assumed.
I don’t know if self hosted SharePoint can do all this.
For the file storage/sharing/collaboration part, yeah - there's plenty, and sharepoint arguably sucks even for that.
What trapped a lot of orgs is making use of the whole PowerPlatform around sharepoint. There's a lot of crusty old LoB apps built with MS's no code tools (PowerAutomate, PowerApps) which run on SharePoint as the delivery platform. Some of these even hook into Excel files stored in the various document libraries, etc. There are entire, large business processes being handled by this platform, and so migrating will require actual dev time, which automatically makes it a non-starter for most, unfortunately. Doubly so when you consider that a lot of these "solutions" were built by non-devs, long since gone from the company and no one knows how deep the tentacles go.
Nextcloud, particularly with the Collabora Office integration for real-time collaborative document editing. It's got some rough edges but I'd say it suits the majority of use cases now. I suggest spinning up a copy of the community edition in a VM to give it a spin, I was pleasantly surprised. There is a lot of money getting poured in right now as entities outside the US are exploring ways to ditch American software.
> Genuinely asking - is there a Linux alternative to Sharepoint?
Genuinely asking - is there a Microsoft alternative to eBPF, k8s, nginx?
The answer is NO. Alternative to SharePoint is SharePoint. I would argue such project just not needed in general and therefor there is no 'alternative'.
O365 is a poor amalgamation of like 18 different things. Quite frankly I hope there isn't a true "alternative" to it.
The reason orgs use Sharepoint is they are forced to if they use Microsoft. One drive is sharepoint, teams is sharepoint, sharepoint sites is sharepoint, etc...
I'm sure all those things have better alternatives, but Microsoft shoves them down your throat when you license with them.
But it's understandable why an org would prefer that to having to maintain and manage the 18 things, right? It's a hard sell.
I'm not saying that wouldn't be better, but it makes sense why an org would be reluctant. Again, not a fan of Sharepoint myself, but from an org's viewpoint, moving to Linux raises more problems than it solves.
It's understandable, but it doesn't excuse how poorly everything actually works and how confusing it is to use and administrate.
To some extent I think Microsoft is largely in the business of building solutions for problems that don't exist.
Most orgs are probably perfectly fine with a document management system + desktop word application and then a commercial NAS for bulk storage / backups.
I operate under the assumption that open source projects are compromised by states. If you espouse unpopular ideas or are yourself a state don’t rely on it.
Lets pretend what you are saying is true, which it is not. Who would you want to access your data ? The State or the "underworld". Many countries have laws on how to access your data. The underworld, you may wake up dead.
Granted there are countries that act like a Criminal Org., but if you live there you have more issues than your data.
With proprietary software, it is a much larger chance that backdoors exist than in Open Source. Many of us heard of 1 issue where it was claimed a project had a Gov sponsored BH in it. They did a long audit and found that was false.
Eventually Open Source backdoors will found in Open Systems. Proprietary you are SOL unless you do very expensive and very hard testing. Even then it is doubtful you will find a backdoor.
It is true. Denying trivial truths with the purpose of not giving an inch does not add to one's argument, it weakens it.
Plenty of closed source products will happily backdoor their products on request, without a warrant, if they are confident they will never be found out. That's the point. Not that FOSS source is somehow inviolable to nation-states with virtually infinite resources, many of which sponsor or contribute to the finance of a huge percentage of the development of FOSS themselves.
It's easier to find backdoors in FOSS if you're looking, because you're allowed to look. But somebody has to be looking.
As far as I can tell there's two vulnerabilities bundled up here. One is an unauthenticated command injection (!) vulnerability to steal some keys and the other is of course yet another serialization-based RCE in a safe language, mediated by signed cookies (signed with the keys stolen in step 1).
I don't understand how often this design has to blow up in people's faces until they stop doing this and use something dumb and safe instead.
Could you please stop posting unsubstantive comments and flamebait? You've unfortunately been doing it repeatedly. It's not what this site is for, and destroys what it is for.
Giving OP the benefit of the doubt, there were issues with how the Windows kernel had little guardrails and restrictions.
That said, that was the EU's fault, as the EU in 2009 forced Microsoft to fully expose their OS internals to outside vendors during an anti-trust settlement, and with little ability to enforce vendor standards:
""Microsoft shall make available to interested undertakings Interoperability Information that enables non-Microsoft server Software Products to interoperate with Windows Server Operating System on an equal footing with other Microsoft Server Software Products.
"Microsoft shall ensure on an ongoing basis and in a Timely Manner that the APIs in the Windows Client PC Operating System and the Windows Server Operating System that are called on by Microsoft Security Software Products are documented and available for use by third-party security software products that run on the Windows Client PC Operating System and/or the Windows Server Operating System.
These APIs will be documented on the Microsoft Developer Network, unless open publication would create security risks. In such circumstances, Microsoft will provide third-party security vendors with access to such APIs pursuant to a royalty-free license and on fair, reasonable and non-discriminatory terms." [0]
This meant that by offering Microsoft Defender for Endpoint, Microsoft needs to give similar access to the underlying kernel to competing vendors like CRWD and S1.
Well, I hate Microsoft as much as the next person, but I'm not sure "writing a buggy kernel module can crash the kernel" is much of an indictment of Windows in particular...
The EU defense is something they claim to shirk responsibility, best left to their PR team. Nothing prevented Microsoft from following Apple’s lead in having safer APIs to perform filtering. Note how it refers to “equal footing”? That means that they have to let other people do what Defender does, not that they can’t secure Windows at all.
The obvious answer would've been to create a secure public API and have defender use that. But like always, corporations throw a hissy fit and implement the worst possible version of the ruling. Then people hate the EU instead of the corporation for no good reason.
It's the exact same thing as with Google Maps in Google Search. The EU did NOT say "Remove Google Maps" it said "Give competitors equal opportunity". The most user-hostile choice was removing the Google Maps integration entirely (because "no access" is still "equal access"), instead of offering users the choice.
Personally, the digital policies are one of the few things the EU generally gets right, and (as unrealistic as it is) I hope all the Googles and Apples go choke on it and di...solve.
> Giving OP the benefit of the doubt, there were issues with how the Windows kernel had little guardrails and restrictions.
This also wasn't Microsofts fault. It was bad kernel code, and don't say you would like microsoft to audit everyone else's code before it can be deployed somewhere.
Security by obscurity is a bad security concept. If anything making that information available prevented things from lurking in there and doing even more damage.
I agree with your position on security via obscurity being uslesss, but the issue was the settlement didn't allow Microsoft to add limits such as additional validation checks on vendors offerings, as those actions could be construed as violating the "non-discriminatory terms".
Any vendor's legal team worth their mettle could then argue that any additional validation on vendors is unfair given that MS would always have significant internal knowledge about how the Windows Kernel operated.
It's yet another example of the EU getting in the way of itself.
> The process of reviewing the Epstein and Maxwell files was chaotic, and the orders were constantly changing - sometimes daily. One person I spoke to on the condition of anonymity said that many agents spent more time waiting for new instructions than they did processing files. But here’s what caught my attention: the files were stored on a shared drive that anyone in the division could access. Normally, access is only granted to those working on a project, but because of the hurried nature of the exercise, the usual permission restrictions were not in place. Additionally, the internal SharePoint site the bureau ended up using to distribute the files toward the end did not have the usual restricted permissions. This left the Epstein and Maxwell files open to viewing by a much larger group of people than previously thought.
So how does this work for someone to know what server to use the exploit? Do companies make their Sharepoint servers accessible to WWW? Do hackers need to use this on a network they've already pwnd? Finding out the FBI put something like this on a server open to the WWW would be classic. That much larger group just got a wee bit larger than they previously thought on their previously thought number.
IIRC Microsoft is rewriting some of these backend services in Rust, although not because it will increase security but because it lets them get better perf than existing solutions without the safety tradeoff they'd have suffered to go to C++ which would have been their option 15-20 years ago. I don't know whether Sharepoint was on that list.
SharePoint is primarily written in C# [.NET Framework 4.8] and leverages ASP.NET; there would be no reason to rewrite the majority in another language. There is some C++ in SharePoint Search (and a few other components here and there).
IIS which SharePoint runs atop of is written in presumably primarily C.
You can decompile most of SharePoint if you ever need to peek at the code. That's a huge advantage to figure out how it works.
It's interesting to me that you'd go the hassle of hosting your own SharePoint on prem, but leave it internet facing. I would have assumed a the Venn diagram of these organizations to be entirely contained in orgs forcing you to use a VPN.
What a pity that CISA has been purged down of effective useful people and turned into another sad selected-for-political-compliance-only force.
Arizona recently got attacked from Iranian hackers & didn't even bother trying to get help from CISA. https://archive.is/2025.07.19-143305/https://www.azcentral.c...
CISA is so so vital. Investigating incredibly wide ranging attacks like this, or the Salt Typhoon attack are vital for this nation. But the show is being run by a bunch of people who value political dogma far above anything else. https://www.techdirt.com/tag/cisa/
So you don't do that. You use zero trust and don't care that things are exposed to the internet.
Working from anywhere (remote sites, home, your phone) is a huge benefit. Organizations want to control their data entirely while still wanting their organization to be able to access it.
The NIST Zero Trust Architecture (ZTA) implementation guides (SP 1800-35) [2] cut through the nonsense and AI generated marketing smoke.
In ZTA, ALL network locations are untrusted. Network connections are created by a Policy Engine that creates and tears down tunnels to each resource dynamically using attribute-based-access-controls (ABAC). Per request.
Microsoft doesn’t have any products that can do full ZTA, so several pillars are missing from their “Zero Trust” marketing materials.
[1] https://www.microsoft.com/insidetrack/blog/securing-the-bord...
[2] https://doi.org/10.6028/NIST.SP.1800-35
TBH several pillars are missing from their entire security posture.
What does it mean in technical terms? What kind of tunnels are whose and what is their purpose?
Basically a policy evaluation point (PEP) evaluates the security posture of both parties before and after a handshake, then creates a logical or physical path of some kind of between the actor and the resource. This can be done with software-defined virtual networks and stateful firewalls, at one or more of the OSI layers.
With a VPN the attack surface of this vulnerability would have been miniscule compared to a publicly accessible zero-day RCE
(And it's not like you have to allow carte-blanche access behind the wall)
Defense in depth!
In a pure implementation, the same level of trust is implied (absolutely none at all) whether a device is connecting to a resource from the public internet or the same subnet.
It doesn’t matter what network you are connecting from, but it does matter that you’re connecting from a company-issued laptop that’s in a trustworthy state.
My way of mapping it to VPN mindset is "per app clientless VPNs straight to where the things are hosted". In an extremely open ruleset with all of the servers on a corporate network this could theoretically devolve into "a traditional clientless VPN to the office".
They can be implemented using a variety of technical patterns but they all share a common "each request is authenticated, encrypted" property instead of "anything goes once the tunnel is up" property.
The other salient point is that all connections are established outbound through a broker, and importantly this is the case from both sides: The appliance at the terminating end of the tunnel establishes reverse tunnels to the broker for the connections, so it's never "exposed to the internet".
The broker can then push to your SIEM or whatever so you can have your SOC log jockeys harass your employees for accidentally leaving NordVPN on after watching international sports.
There are actual benefits: You can do things like allow logins to system A from anywhere, but system B only from your home country, you can do JIT network access requests, etc... but mostly it's vendor marketing to get you to spend too much money.
It's software your employer pre-installs on your work PC, that asks you to log in with your work SSO credentials, performs some endpoint security checks, then routes your traffic over a virtual network adapter, and thereby allows you to access workplace resources, even when working from home.
The main difference is it adds some semi-authenticated states. Correct device, username, password, and 2FA, but failed a device posture check because they plugged their phone into their laptop to charge it? The 'Zero Trust' system can block some systems, while letting them retain access to others.
The other big difference is the pricing - rather than paying a five-figure sum upfront for networking hardware, you instead pay $25 per employee per month, forever.
this is not a requirement of zero trust.
I never remember thinking years ago how nice it would be to have all of our private docs that we only need to access on our private network accessible to the public. I just wasn’t thinking outside the box enough.
Once upon a time Microsoft marketed it as, and a lot of Orgs adopted SharePoint as their Intranet. With SharePoint 2019 being sunset, a lot of Orgs are scrambling to implement replacements.
No one considers Google anything less than an impenetrable fortress, but when it's some government entity responsible for keeping American lives safe it's like "ah yeah they probably have a vulnerable on-prem Sharepoint that could easily be pwned."
So why is this? Why do Microsoft products enjoy a monopoly on the server in these sectors when more secure (Linux-based) options are far cheaper and widely deployed already? Isn't security the number one priority in those spaces?
But, for enterprises, the only reasonable migration away from Windows is Mac. JAMF Pro for Mac can be hosted on-premise on Linux. The majority of enterprise software runs on Mac. However, Macs are expensive so it's unlikely to overtake Windows enterprise machine usage.
Hardware support for Linux PCs is poor and lacks the manageable of Windows PCs with Active Directory and GPO, or JAMF for Macs. Enterprise software usually doesn't support Linux. Linux PCs are uncommon for personal use and corporations don't want to train users how to use Linux.
Money changing hands between suitable people who pop up together at the right social occasions is the priority.
Where is the equivalent tech on the Linux side that Red Hat developed? They simply didn't have a competitive enough alternative. Usually anything outside of cloud/web server space, you'd find alternative open-source projects rotting with non-clear ownership and year old last commits. Red Hat and Linux world weren't interested in developing those things. They weren't interested in making competitive user friendly alternatives that enabled non-programmer users. It is hard, thankless, soul crushing work that nobody does anymore since Microsoft bought or eliminated them. There are simply no equivalent alternatives in the open source world because competing with Microsoft requires accepting significant losses as a company for a long time. Google Workspace is a thing only because Google can finance its developers with ad money.
Just having Linux is no golden key to security either. You need to put the exact amount of barriers in front of your on-prem servers regardless of the OS.
The whole security mess is just the symptom of capitalist economy. Most companies give 0 fucks about it because caring about security is costly and time consuming. With the race to the bottom for first-to-market, caring about security is a risk, it is a distraction. They ignore it until they establish a position and maybe their misdeeds become a liability. However, no company got actually severely punished for not caring about security. So it is still seen as cost by many.
Maybe [0] will be one, eventually, but it would take a long long time to replicate the functionality if it were to ever happen. Best case scenario is that the EU were to fund an open source solution.
[0] https://www.techradar.com/pro/mozilla-launching-thundermail-...
Some folks wanted SharePoint as their "web server", I would set that installation up entirely separted from all other instances they may have on the network.
It's the go-to warm-up joke whenever someone in the military gives a speech.
https://zerodaypublishing.com/feed
> A programming flaw in its cloud services also allowed China-backed hackers to steal email from federal officials. On Friday, Microsoft said it would stop using China-based engineers to support Defense Department cloud-computing programs after a report by investigative outlet ProPublica revealed the practice, prompting Defense Secretary Pete Hegseth to order a review of Pentagon cloud deals.
Anyway, from what I can tell being in this industry, a lot of things need to be explicitly illegal to stop companies from doing it.
Edit: The penalities also have to be meaningful. There's a lot of "technically not legal, but sue us lol" going on.
"Hey, this is a really really stupid idea." Isn't going to stop a middle manager from trying to come in under budget.
At most MS will pay a nominal fine, and proceed to learn nothing.
Would the CCP allow their cloud infra to be administrated by US staff in the US? Never.
It's patchable, but it's been two times in a row now, and patching is always slow and incomplete.
Example: if Kroger or whatever your supermarket of choice distributed meat that was infected they would get sued to bits. Microsoft distributes thousands of malicious NPM dependencies and underfund the NPM security team - if there is such a thing - resulting in an entire industry of supplychain security companies to exist. No other registry has the issue of malicious packages as badly as NPM since Microsoft acquired Github.
Microsoft just does not know how to handle security, which is why so many security companies exist to fill their gaps. I don’t trust their security practices one bit tbh.
Seriously, I haven't used it since 2017, but every time I used it then it was the worst part of my day. I used to have a shirt that said SHarepoIT Happens that I would wear to work, and it seemed like the one thing I could get my coworkers agree on was that Sharepoint is terrible and we'd rather use anything else.
Here’s just one example:
Each M365 Teams Team creates an M365 Group which creates a SharePoint site and Exchange mailbox. Teams channel files are stored in that SharePoint site. Teams channel messages are stored in the Exchange mailbox.
Private files dropped in Teams are stored in OneDrive (rebranded SharePoint). Private Teams messages are stored in the sender and recipients’ Exchange mailboxes.
M365 is SharePoint and Exchange. EVERYTHING is built on top.
EDIT: changed ‘individual’ to ‘sender and recipients’
Contacts and voicemail are stored in Exchange.
Diagram of data storage locations: https://youtu.be/V6B4KraD-FM?feature=shared&t=454
M365 Groups are still SharePoint + Exchange.
Good lord. It truly is a layer of dung layered upon more layers of dung.
I used to work within the Office group. The way that data is organized in Exchange is mind-boggling -- and not in a good way, IMO. Its design is from decades ago, and trying to understand how to find something really takes a lot of experience. Without going into any gruesome details of how it works, I'll just say that it is a HUGE hurdle to being productive for day-to-day work.
Similarly, I'm not surprised that there's some kooky way that the Teams folks shoehorned their data into the existing Exchange system -- they probably have no other way to operate at that scale without taking years in writing their own database system. (I can't imagine that using SQL Server to do this would be viable, either, given what they want to do and the capabilities already built on top of Exchange.)
I assume you're talking about MAPI, which owes some of its baroque nature to X.400. It definitely comes from another time. It always struck me as over-engineered.
On the other hand, it has also been ridiculously successful.
Using this infra for teams makes sense since it already works well. As one poster said, its probably via some hidden folder.
I wonder what they did with skype, did they actually integrate any of it into teams or just dump it entirely?
There are so many companies and businesses that rely on offline data, or silo'd data than will be tied through their AD LDAP account permission, M365, teams included, is such a better option than hand rolling all of them and praying you configured every service correctly.
Imagine if it was just a hidden (special) folder in an Exchange mailbox.
Voila, you already have a well-known and widely implemented and tested message syncing solution both for content and status (read/unread)
I assume Windows Phone worked the same way with its text message backup. When you'd set up a new phone it would take a while for your Microsoft account to finish syncing during which new messages would trickle into the Messaging app in real time. In fact if your old phone was still on WiFi new messages would show up on both. Still more advanced 15(?!) years ago than my Android today
very slowly
and why the search doesn't work
Nothing works really well nowadays with exchange (classic, new, web, ...) or Teams. It is a complex layer based on sharepoint, that was not designed for that, because OneDrive is so bad that they have absolutely no way to manage a proper sharing of files between multiple persons, and so even less between teams and orgs.
I once figured out that you can go to the permissions page on the SharePoint site created by Teams and remove access for the corresponding M365 group.
M365 relies on SharePoint and Exchange, but they don’t rely on M365. So, you can potentially break Teams.
The sales pitch was that they could upload documents to SharePoint and when people downloaded the documents SharePoint would automatically apply DRM so the documents could only be opened by that person on authorised machines for a specified number of days.
Well, it turned out depending on how you logged in (using the same account, just different login forms) on the SharePoint server it would either give you the files with DRM applied - or the completely unrestricted files.
We got some senior Microsoft consultant working directly for Microsoft to look at it but in the end they were just as confused as us.
I have worked at an org that did the same. We already had Confluence. Somebody decided we needed Sharepoint. We licensed and installed it. Six months later we migrated the handful of documents and files and decommissioned it.
probably so. every corp I've worked for that had Sharepoint used it religiously. that is a whopping 3 different companies, but > 1 anecdotal experience. to be fair though, 2 of the 3 companies used it because the same person was at both companies and was responsible for using it at both companies during their tenure.
The fact that Sharepoint sucks* doesn’t matter… because anything else is seen as a risk.
* folders with lots of files are hard to scroll through because each page is lazy loaded, the automation functions are buggy, logins between different M365 tenants breaks and is not correctable by a normal site admin, human readable URL paths aren’t standard, search is shit, tables/filters are buggy, the new interface hides a bunch of the permissions logic, some things like permission groups need to be managed via outlook, etc etc. I’m sure a bunch of my gripes are technically fixable, but these aren’t things that should need a web search in order to use/fix.
Teams is actually SharePoint.
It ain't going anywhere
This is actually a great day for Microsoft. People will come to their cloud solutions in troves after this and everyone will be happy. Maybe not everyone, but Microsoft for sure.
The only reason to get downvotes is nonsense of prefacing the post with the 'worry'. Sharepoint would be far from a first choice under normal circumstances (e.g. not bundled with excel and friends)
nevertheless, even NFS is better than sharepoint. At least, NFS works...
"The process took six hours Saturday night — much longer than it otherwise would have, because the threat-intelligence and incident-response teams have been cut by 65 percent as CISA slashed funding, Rose said."
One does wonder whether this was all part of Musk's vision, or more thanks to the scum he hired to staff Dog coin and/or other lawless opportunists in the Trump administration.
[1] https://www.washingtonpost.com/immigration/2025/04/16/medica...
[2] https://www.reuters.com/technology/cybersecurity/whistleblow...
That anyone gives a word they say the time of day is actually crazy.
The problem is that while common sense would dictate those nonsensical expenses as such, they were part of the official process, so it was all legalized, so they avoid the FWA labels because the rule writers have made it so.
Interest is trivially accounted for. We know how much debt is outstanding.
Social Security and Medicare expenditures are well within 5% of what should be expected, given the total population of the US and its age distribution.
Your God Awful amount of waste, fraud and abuse reduces to a fraction of a fraction of the total budget. A tiny fraction of a big number may be a big number, but it simply doesn't matter structurally.
The only way out is to cancel the entire military, slash social security or raise taxes. The rest of the stuff (even if it is purely waste with no useful purpose) simply doesn't add up to enough dollars to fix the budget.
I know this isn't what anyone wants to hear, but numbers are numbers and you can't just wish away unpleasant realities.
MS's hosted version of SharePoint. It's apparently unimpacted by this current round of attacks. DOD (since it's been brought up by other commenters) makes significant use of this.
People hosting SharePoint instances themselves. Some on-prem, some with rented computers. These are the impacted ones. It's not about "the cloud", it's about hosted SharePoint having weaknesses that were exploited and many organizations apparently leaving their SharePoint instances accessible over the open internet. These hosted instances are also probably old and unpatched which doesn't help things. Some (many?) units within DOD make use of this, but definitely not all.
I mean, there are definitely stupid people everywhere, but I'd hope MS leadership isn't that stupid.
You sink one of your own naval vessels (or it sinks due to an accident and you take advantage of the situation) and blame it on an enemy. That enemy is now the target of your military and your population approves.
A shipbuilder hires someone to poke a hole in 1000 of their ships that are so badly designed and manufactured that it only takes a rubber ducky bouncing off the hull to sink them does not encourage anyone to go back to that shipbuilder.
False flags (particularly of the "let's kill or maim hundreds of our own people and other innocent people" variety) push into evil territory. They aren't dumb on their own, they're calculated risks predicated on the willingness of the masses to fall in line after a catastrophe.
Deliberately hurting your own customers by using weaknesses in your own systems in order to motivate them to go buy your other products or services is dumb.
As a corporate drone that has accidentally opened various Microsoft office suite links inside of Teams. My dislike for anything Microsoft continues to grow.
Am I surprised that sharepoint has vulnerabilities? Hell no.
Or probably they don't.
It feels like Microsoft has a (bad) deal with every 3rd rate IT leader where the IT leader eschews Microsoft's BS in exchange for being "unfireable" because "who else knows how all the Microsoft stuff works?"
Probably not since there are so many of these breaches people just ignore them.
I miss the old days when a breach involved someone breaking into the computer room and grabbing as many mag tapes as they can carry and run :)
"If something happens, we used enterprise grade industry standard software. We did our due diligence."
This outlook is basically why we can't innovate anymore.
I had to recently sit through a meeting where our CTO quoted all the "blogs" he's been reading as a way to slap down my suggestion for an in-house project.
It's all about CYA.
It's why school boards don't do anything useful, among many many other things in our society. It's an endemic disease.
Most of the time it's extremely exaggerated, but it's trotted out and used as a CYA excuse almost immediately by most in the executive/managerial class. Both due to outright laziness and incompetence, and also as just a... why take any personal risk whatsoever making actual decisions with any impact if I can keep my cushy job and career rolling by being as milquetoast as possible.
Never mind you get the big bucks to make such important and controversial decisions at great personal (career) risk when some inevitably go wrong. Everyone forgot that part. Such roles should be hard, difficult, and risky.
Pay the CYA bill, let the engineers build/choose something that actually works. Win-win.
FOSS isn't magically immune to vulnerabilities.
It doesn't help that the FOSS community generally prefers the C programming language over more modern and safer alternatives as a cultural thing. The result is just as many vulnerabilities, if not more, per line of code or per feature. Keep in mind that SharePoint is an enormous product with a 3.6 GB ISO image used to install it. If you think anyone is able to develop that volume of server code and have zero vulnerabilities... I have a bridge to sell you.
https://www.phoronix.com/news/Rust-Debian-2025
An observation I've made about Rust is that because it eschews OOP, it tends not to "scale" to large development teams for single applications. It's great for CLI tools, small web apps, etc... but after some scale it runs out of steam.
This is exacerbated by its glacial compile times compared to other languages, even C++, let alone C#.
I just can't imagine something the size of SharePoint being developed entirely in Rust!
I contributed to a Tcl/Tk library that I was using at work that had a specific issue with some image files, so I fixed it internally, and contributed the fix back to the FOSS project (with permission from work).
But SharePoint is the linchpin for Microsoft 365. Well technically SharePoint and Exchange. You can’t use any Microsoft 365 products without SharePoint.
OneDrive uses SharePoint. Outlook Groups and Teams Channels create Microsoft 365 Groups. Every Microsoft 365 Group creates a SharePoint site. Microsoft Loop uses Microsoft SharePoint Embedded.
SharePoint is now a “file and document management system suitable for use in any application”.
So, if you want an alternative to SharePoint you would need an alternative to any M365 Product, including Outlook and OneDrive.
Fun Fact: Teams messages are actually stored via Exchange Mailboxes.
https://learn.microsoft.com/en-us/sharepoint/dev/embedded/ov...
It's just conflating needs. Document editing and file storage are two different tasks. It's weird that people want everything integrated. It's not much effort to just drag and drop a file into G-Drive, OneDrive, Dropbox, box.com...
Not really, that's managers' speak. All things SharePoint is just a data swamp.
See, there’s the problem. Once you touch anything M365, you’re using SharePoint.
People see SharePoint as a document collaboration tool. But, in reality, it’s real use is as a data storage platform.
Not if you want to enable multiple users to be live editing the document at the same time.
We’re on Microsoft 365 and technically fall into the camp of “uses SharePoint”, but only for “shared network folder” usage which OneDrive seamlessly synchronizes should you dislike the web interface. We don’t actively use any other features of it.
Also worth mentioning that realtime collaboration and automatic versioning of Office documents is seamless for files on SharePoint, even if opened on a desktop on a OneDrive synchronized folder.
Files shared over Teams as well as meeting recordings are also stored on SharePoint.
My point is that SharePoint is used a lot but possibly not in the way one might have assumed.
I don’t know if self hosted SharePoint can do all this.
In 50 % of the time.
What trapped a lot of orgs is making use of the whole PowerPlatform around sharepoint. There's a lot of crusty old LoB apps built with MS's no code tools (PowerAutomate, PowerApps) which run on SharePoint as the delivery platform. Some of these even hook into Excel files stored in the various document libraries, etc. There are entire, large business processes being handled by this platform, and so migrating will require actual dev time, which automatically makes it a non-starter for most, unfortunately. Doubly so when you consider that a lot of these "solutions" were built by non-devs, long since gone from the company and no one knows how deep the tentacles go.
Genuinely asking - is there a Microsoft alternative to eBPF, k8s, nginx?
The answer is NO. Alternative to SharePoint is SharePoint. I would argue such project just not needed in general and therefor there is no 'alternative'.
Of course it's quite a poor replacement but it does exists.
The reason orgs use Sharepoint is they are forced to if they use Microsoft. One drive is sharepoint, teams is sharepoint, sharepoint sites is sharepoint, etc...
I'm sure all those things have better alternatives, but Microsoft shoves them down your throat when you license with them.
You’ve got it backwards. Everything M365 is an amalgamation of Entra, SharePoint, and Exchange.
I'm not saying that wouldn't be better, but it makes sense why an org would be reluctant. Again, not a fan of Sharepoint myself, but from an org's viewpoint, moving to Linux raises more problems than it solves.
To some extent I think Microsoft is largely in the business of building solutions for problems that don't exist.
Most orgs are probably perfectly fine with a document management system + desktop word application and then a commercial NAS for bulk storage / backups.
Granted there are countries that act like a Criminal Org., but if you live there you have more issues than your data.
With proprietary software, it is a much larger chance that backdoors exist than in Open Source. Many of us heard of 1 issue where it was claimed a project had a Gov sponsored BH in it. They did a long audit and found that was false.
Eventually Open Source backdoors will found in Open Systems. Proprietary you are SOL unless you do very expensive and very hard testing. Even then it is doubtful you will find a backdoor.
Plenty of closed source products will happily backdoor their products on request, without a warrant, if they are confident they will never be found out. That's the point. Not that FOSS source is somehow inviolable to nation-states with virtually infinite resources, many of which sponsor or contribute to the finance of a huge percentage of the development of FOSS themselves.
It's easier to find backdoors in FOSS if you're looking, because you're allowed to look. But somebody has to be looking.
I don't understand how often this design has to blow up in people's faces until they stop doing this and use something dumb and safe instead.
Countries are run by politicians. The ability of a politician to remember something is inverse proportional to the sum of money landed in its account.
Related:
ToolShell Mass Exploitation (CVE-2025-53770) - https://research.eye.security/sharepoint-under-siege/ | https://news.ycombinator.com/item?id=44629133
If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.
It was misconfigured software running inside the kernel.
The issue was this misconfiguration was "urgently pushed" from Crowdstrike and depending on who you believe it overrode customer testing policies.
That said, that was the EU's fault, as the EU in 2009 forced Microsoft to fully expose their OS internals to outside vendors during an anti-trust settlement, and with little ability to enforce vendor standards:
""Microsoft shall make available to interested undertakings Interoperability Information that enables non-Microsoft server Software Products to interoperate with Windows Server Operating System on an equal footing with other Microsoft Server Software Products.
"Microsoft shall ensure on an ongoing basis and in a Timely Manner that the APIs in the Windows Client PC Operating System and the Windows Server Operating System that are called on by Microsoft Security Software Products are documented and available for use by third-party security software products that run on the Windows Client PC Operating System and/or the Windows Server Operating System.
These APIs will be documented on the Microsoft Developer Network, unless open publication would create security risks. In such circumstances, Microsoft will provide third-party security vendors with access to such APIs pursuant to a royalty-free license and on fair, reasonable and non-discriminatory terms." [0]
This meant that by offering Microsoft Defender for Endpoint, Microsoft needs to give similar access to the underlying kernel to competing vendors like CRWD and S1.
[0] - https://news.microsoft.com/download/archived/presskits/eu-ms...
It's the exact same thing as with Google Maps in Google Search. The EU did NOT say "Remove Google Maps" it said "Give competitors equal opportunity". The most user-hostile choice was removing the Google Maps integration entirely (because "no access" is still "equal access"), instead of offering users the choice.
Personally, the digital policies are one of the few things the EU generally gets right, and (as unrealistic as it is) I hope all the Googles and Apples go choke on it and di...solve.
This also wasn't Microsofts fault. It was bad kernel code, and don't say you would like microsoft to audit everyone else's code before it can be deployed somewhere.
Any vendor's legal team worth their mettle could then argue that any additional validation on vendors is unfair given that MS would always have significant internal knowledge about how the Windows Kernel operated.
It's yet another example of the EU getting in the way of itself.
https://www.muellershewrote.com/p/the-epstein-cover-up-at-th... | https://archive.is/RZqU0
> The process of reviewing the Epstein and Maxwell files was chaotic, and the orders were constantly changing - sometimes daily. One person I spoke to on the condition of anonymity said that many agents spent more time waiting for new instructions than they did processing files. But here’s what caught my attention: the files were stored on a shared drive that anyone in the division could access. Normally, access is only granted to those working on a project, but because of the hurried nature of the exercise, the usual permission restrictions were not in place. Additionally, the internal SharePoint site the bureau ended up using to distribute the files toward the end did not have the usual restricted permissions. This left the Epstein and Maxwell files open to viewing by a much larger group of people than previously thought.
Microsoft was pushing companies to use its Azure cloud services. Now everything is in the cloud. And accessible to WWW.
IIS which SharePoint runs atop of is written in presumably primarily C.
You can decompile most of SharePoint if you ever need to peek at the code. That's a huge advantage to figure out how it works.