> Federal Cyber Experts Thought Microsoft’s Cloud Was “a Pile of Shit.” They Approved It Anyway.
Steve Jobs was the last tech CEO who didn't care about wall street and only care about quality products and consumers saying that if customers are happy, then the share price will take care of itself. But most companies are share price first, customer later.
This sounds like the crux of the issue. The combination of: "tool can be used during analysis" and "analysis takes long" shifts the barrier of rejection from "is this tool safe?" to "is this tool so unsafe that we're willing to start a fight with a lot of other government agencies to remove it, find an alternative, etc?".
Not criticizing FedRAMP. Proper security review takes time. And probably more when dealing with vendors.
They know that if they get entrenched first, it's impossible to migrate away. That's basically free money from a customer that has zero cost ceiling.
Think it's very important to criticize FedRAMP. The FedRAMP board is extremely slow moving and continuously disregards industry feedback. As a result, FedRAMP is essentially a Palantir tax, where nearly every startup hoping to sell to government (including larger ones like Anthropic, xAI, Cognition AND OpenAI) is forced to pay Palantir to deploy in their FedRAMP enclave. This has a sticker price of 200-500k/y before we get into compute premiums.
Going through FedRAMP yourself requires a staff who is willing to put in a dedicated effort on the compliance paperwork (not the controls, which you could knock out in ~1mo easily, just the paperwork) for 6-8mo before getting into a line to hopefully get a 3PAO audit and then remediations followed by another audit which is followed by needing to get agency sponsorship for a FedRAMP board review. This costs $2-3M minimum including the amount of security software needed for evidencing and policy, which rules out nearly every small business. This process also can easily take 2-3 years of waiting, which forces out enterprise. So anyone entering the ecosystem is essentially forced to pay Palantir (or 2F which is a distant 2nd) a tax that is entirely enforced by government regulation.
They are not any kind of 'Federal Cyber Experts' either as that work is primarily outsourced to Schellman etc.
But couldn’t you say the same for CMMC 2.0, NIST 800-171, RMF, JSIG, STIG, etc?
It would be better to compare this to commercial, like SOC 2, which is achievable even for small startups without much effort and on much more affordable budgets.
Notably SOC 2 full service is $20k including tooling (Vanta + Workstreet + audits), NIST is $20-30k (Vanta + partners), while FedRAMP is $500k-1M (Coalfire) just for implementation before getting into tooling and audits.
Having been through FedRAMP twice, I can this is absolute fiction. What does Palantir have to do with anything?
The most secure thing I could think of is a cluster of servers running in my basement under lock and key, running a conservative set of well-tested software.
Thats why you have Windows in the Pentagon instead of something secure.
The article talks a lot about conflicts of interest, but this is the line I went looking for. A bureaucracy fighting itself over goal prioritization, and what's a necessary roadblock vs red tape is the less sexy but more meaningful problem at the core of this.
Once the government decided they wanted the product, they were going to find a patsy.
I on the other hand have no expectation, and so it's not clear whether the "bureaucracy fighting itself" is a cause or a symptom. You're implying it's a cause and the solution is "less red tape". But it could be just a symptom of conflicts of interest, and less red tape just leads to more efficient corruption.
Again, you're just reading into it what you already believe in.
Right.
You bet.
Absolutely.
Enlighten me further. How exactly will "the market" decide where the government, or a corporation, or even an individual, chooses to buy computing services? I'm very stupid, so you're going to have to explain step by step exactly how "the market" will do this. I mean, here I thought that choices like that were the inputs to the market.
Let's do it for the corporations first. I'm Microsoft. I need the market to decide for me where I should buy motherboards for my cloud data centers. Where do I apply to get "the market" to tell me that?
The government has historically, routinely, consistently, solved problems more complex than cloud computing.
The only way you'd think otherwise is if you had some other motivation to pretend otherwise... some sort of ideology.
That's a common line by conservatives who are actively sabotaging government with policies and laws which they then point to as evidence of such inefficiencies.
Public transport has been disrupted by private transportation options like Uber, Lime, etc.
Public radio and TV is unused by the vast majority of people who use private options daily like streaming services or YouTube.
The public budget is perpetually in shambles and if it was a private company would have had to go bankrupt and cease business by now.
Social security and other support programs are perpetually failing and used as a political wedge.
You can customize the way you want. After configuring it, my colleagues could not log in. Thats one way to secure your organization.
This sounds like LinkedIn.
I think LinkedIn spam is worse than being in a crash.
https://www.pcgamer.com/ctrlshiftaltwinl-is-the-most-cursed-...
I don’t understand how they have non-zero market share.
Then you've got the hell of overlapping permissions systems on the console and the Microsoft account, to get any amount of online play working on a console if you also get Bedrock. On the Playstation, especially, the error messages also love to not tell you which of the two systems is blocking you, so you get to guess. And Microsoft's site for managing those permissions is so confusingly-laid-out that even after doing it three times in a row I still felt lost on it.
I never did solve the problem of getting Minecraft Java Edition to run on a kid's MacBook with allowlist-only Web access. It wants to contact ten or so apparently-randomly-selected-from-an-enormous-pool IP addresses on every launch. I never did find documentation of which IP blocks I needed to allow, and couldn't guess at it from the IPs themselves. If they'd just used domain names... I must have manually hit "allow" a bunch of times during twenty separate launches, and it was still presenting me the same number of prompts every time, because there was no overlap in the IPs contacted (adding insult to injury is that I'm sure all but at-most two of these were spyware horse-shit that had no actual generously-necessary role in running the software, but it'd fail if it couldn't reach them)
Of course "open in incognito mode" works for this as well, just less automatic.
Youtube was always involved, somehow, for some reason, even when what I was doing wasn't connected to Youtube at all or the account I was using had never even been intentionally used with Youtube. It'd route me through a few Youtube domain names.
(Microsoft's is indeed even worse, on some of theirs [Azure Devops, looking at you] I can't use them in pinned tabs because somehow they manage to get into a totally broken state where the page won't load due to whatever's happening with their auth flow in the background, and no method of reloading the tab fixes it, and it does this every couple days—but copy-pasting the same URL to a new tab does work)
Having Microsoft on your resume is a huge red flag.
- FB's move fast and break things. Constantly launching new libs.
- Linus's we do not break user space. Great commitment to backwards compatibility.
- Never deprecating dead products until they've been de facto abandoned for like decades.
This combination means every MS product is a labyrinth of overlapping APIs with no guidance as to which one is actually the good one. Some are abandoned garbage, some are brand new and incomplete, and some are both, and there's no way of knowing which are which even experts can mislead you.
Microsoft, you are a behemoth. There are few domains where you actually compete. Give your products a minute to breath before you cast them in stone.
To some extent, you’re/we’re the ones deciding that,
because there’s entirely different teams heading the separate offerings,
and none of them are going to offer a potential footgun like:
“hey, we’re not the best modern path into xyz type projects, check with our colleagues on the Blazor team”,
unless someone makes them.
Especially not after the last round of cuts, some of the people they let go made my jaw drop.
You're just forced to use vendors and if you actually care about the mission, it's just a different team on the same mission.
Of course you know you're being taken advantage of, and long-term maybe you should have gone to the non-technical side to fight it, but at the end of the day you just want to keep the young boys being shipped off to war safe, and you're much better suited to achieve that by remaining on the technical side.
...or so I've heard.
(That seems to be the main complaint, that Microsoft never provided the clear information required to conduct the assessment properly).
For example, our state government says "We will do X Y and Z which all require data science expertise, but we did not approve the $60k a year Data Science position, so instead we are forced to hire a Data Science contractor for $120k a year, and they can't really be fired, and they are terrible at their job"
And then people wonder why things suck all the time.
A lot of state's buy their Obamacare marketplace service from a company I am familiar with. That company is entirely incompetent. They cannot follow basic instructions. They cannot triage a bug at all. They do not read freaking tickets. They take weeks to respond to an issue. They cause bugs regularly in ways that imply they don't have functional source control. They continually fuck up basic feature requests. They change the service in ways that contravene the literal law. The law that was comprehensively explained to them by people I know.
But they can't be fired, because the state is legally compelled to provide this service, and is not really allowed to hire a few engineers to build it in house. They could go to a different software contractor, but all the options are just as bad because it's an entirely captured market.
Obama started a "Digital Services" group in the federal government to actually build systems internally and develop expertise to mitigate some of this, and they built stuff like tax filing solutions for free for Americans. So Trump killed it and hollowed out it's corpse for DOGE.
Yes, it seems pretty clear from that quote that the reviewer said the security package was a `pile of shit`, and propublica went on to extend that to the cloud itself. Not that I want to comment on the merits of Azure's security, but that sounds pretty clickbaity from propublica to me. A more appropriate title would have been
> Federal Cyber Experts Thought Microsoft’s Cloud Security documentation Was “a Pile of Shit.”
They fired all of their technical documenters, so their security critical systems, APIs, tools, and SDKs now have only auto-generated docs that are just the function names with spaces added between the words.
Like this:
Overrides the authorization for an identity.
AuthorizationOveride( string identity );
I would warn anyone far and wide to avoid Azure at all costs, especially if you are a startup. And especially if you are doing any kind of AI because the only GPUs they have available are ancient and also crazy over-priced.
If I cared more, I'd try to migrate away from Azure. But I don't, and that's probably Azure's business model at this point.
Building in house.
Outsourcing to consultants.
The alternative was AWS, which has been operating at every classification level for over a decade at this point. It's now split between Amazon, Microsoft, Oracle, and Google, which is especially amusing because Google withdrew from the original bid process when they were still pretending to give a shit that their employees don't like working for the military.
Maybe the critical question, are they making continuing improvements? Especially to merge conflicting functions.
Like when they bought Minecraft, or Skype. Each already had user management. Xbox was a mess. Merging them all took a lot of years.
I'm reminded of Storm-0558 [1] where a stolen signing key was able to forge authentication tokens for any MSA / Azure AD / Government AD user. They downplayed the severity. Just imagine if that level of access was used to pull a Stryker on a nation-wide scale. That is an economic disaster waiting to happen.
[1] https://www.microsoft.com/en-us/security/blog/2023/07/14/ana...
https://www.bleepingcomputer.com/news/security/microsoft-ent...
Microsoft goes beyond that: they've managed to have a critical vulnerability in almost every authentication product they have ever created. It's exceptional.
That we know of.
> It's exceptional.
I agree, but I look at it as a question of cost. would it make sense for Russia to spend on resources to compromise GCP or AWS? Microsoft's EntraID/AzureAD itself is an exceptional product in that organization's dependency on it, especially US government orgs, is exceptional.
If APTs target AWS, they will compromise it, period. Of course the caveat is time, skill and money which can all be acquired at cost.
Not all compromises are the same. They might get into some logging API in AWS. With Azure, the get the master keys. Both are compromises; they aren't the same. Either you have never used Azure, know nothing about security, or you work in MS marketing.
The whole point of having companies is to overcome limitations of humans acting individually.
> Microsoft on Friday revised its practices to ensure that engineers in China no longer provide technical support to U.S. defense clients using the company’s cloud services.
Ref: https://www.cnbc.com/2025/07/18/microsoft-china-digital-esco...
Just to be clear, I'm responding to the parent comment not the article.
I'm convinced Amazon has many teams crapping out new features but they don't have the political clout (or manpower) to create a comprehensive product. They are mandated by management to use existing services, and thus we the users suffer because we have to manage all this extra crap and noise just to enable basic functionality.
It's maddening. And then also it's maddening to see another service from a different team that was able to throw off these shackles and actually make a product that is self contained. You get a taste of how good things could be, and then you're thrown right back into the IAM/SQS/Cloudwatch/Cloudformation/Policy/everything else under the sun soup.
Build the rest yourself. In many cases their higher level service is just the same open source package you would run, just managed worse.
That's total "normal" for Microsoft at least from 2018, the year I started working with some of their products (Power BI mostly). They adopted a development model that is early release, fast iteration, and users as testers. No wonder everything feels experimental until much later.
Back then I just couldn't use Power BI. But fast forward a few years, I think it got a lot better since maybe 2020. You just have to stick with it for a few years.
So, you have to be a paying tester? Incredible that MS can keep enough businesses as hostage to be able to operate like that.
People who take Azure up without previous MS product experience...not sure about those.
For everyone else, it's like you said. "Eh, we are already knee deep in the Microsoft stack, why would we pick anything else?"
Also see: SharePoint
Man, what a horrendous pile of crap Teams was back then. The Slack teams were griping that they should just buy Slack, but Teams was the "enterprise solution." The problems were amplified during remote COVID work. Teams is fine now, but how many corporations went through years of frustration just because some IT decision maker said "Teams. Because it's enterprise."
The UI is an overengineered mess and I'd rather use literally anything else, but to say it's still unusable is disingenuous.
and indeed your entire workplace,
for as little as a steak dinner.
When they started flying people in the beg that I buy 100 Surface Laptops, that was the confirmation of everything I had been thinking. All I could think of was IBM flying a dude from Italy in to talk for 15 minutes about their version of TeamViewer back in the day. We ended up talking about shoes.
They can afford people who would do better. Windows 11 is trash. Azure is trash. Onedrive is trash. Outlook is trashier than it has ever been before, but it's not quite trash yet. Word is trash. Excel is rapidly enshittifying. Copilot is hot flaming radioactive tar cancer.
Does microslop even have a single thing left that isn't either completely terrible or worse than it used to be a mere 5 years ago?
Which one? There’s two now! Lol
But yes, normal Office users, where the company pays the bills, pay the price.
We have an internal system called Cosmos[0] that does a great job of processing huge quantities of data very fast. And we sat on it for years while the rest of the industry moved to Spark and its derivatives. We finally released it as Azure Data Lake Analytics (ADLA) but did a shit job of supporting/promoting it.
We built Synapse, and it's garbage. We've now got Fabric which I guess is the new Synapse. I wouldn't really know because I probably have five different systems that I use that basically do large-scale data processing, and yet Fabric isn't one of them; who knows, maybe it will become the sixth?
We've had numerous internal systems for orchestrating jobs, and it wasn't until Azure Data Factory that we finally released something externally that we sort-of-kind-of-but-not-really use internally. (To be fair, some teams do use it internally, but we're not all rowing in the same direction.)
I regularly deal with multiple environments with different levels of isolation for security. I don't even know how it's all supposed to work -- I have my regular laptop and a secure workstation and three accounts that work on the two. Yet I have to do some privileged account escalation to activate these roles; when I'm done, there's no apparent way to end the activation early, so I just let it time out.
These things are but a fraction of the Azure offerings, but literally everything I have used in Azure makes me absolutely HATE working in the cloud. There's not a single bright side to it AFAICT. As best as I can tell, the only reason why Azure makes so much damn money is because Microsoft is huge and can leverage its size into growth. We're very much failing up here.
[0] https://www.microsoft.com/en-us/research/publication/big-dat...
All the corporate stuff is behind Okta, so that easy enough.
But all the dev/test systems are a mix of SSO, individual logins, etc. At least they're all behind the same VPN (except when they aren't, but that's less common).
And of course, if you're a cloud engineer (vs "normal" software engineer), you also have to deal with AWS access, which is a whole different can of worms.
(excluding things like administration of organization-wide infrastructure key material)
You’re using a legacy v3 series that is being removed from the data centres in an era where you could be using v6 or newer instances that are being freshly deployed and are readily available.
If you can’t be bothered to keep an eye on these absolute basics, you’re going to have a rough time with any public cloud, no matter their logo design.
Right now you're paying more for less compute and having to deal with low availability too! Go read the docs and catch up to the last decade of virtual hardware changes.
Or, just run this and pick a size:
Get-AzBatchSupportedVMSku -Location 'centralus' | `
? Name -like 'Standard_E*v[67]'This is the story of Microsoft - five different ways to do the thing, none of which do everything, and all of which are in various states of disrepair ranging from outright deprecation on up through feature-incomplete preview. Which one do you use? Who knows, but by the time you get everything moved over to that one and make allowances for all the stuff the one you chose doesn't support, there will be a new more logical choice for "that one" and you'll have to start over again. Wheee.
If I were the microslop god for 6 weeks, I would force everyone to go to a boot camp and use Windows 7 for 4 of those weeks so they could see what made it so good.
No invasiveness, an OS that felt like yours. Just enough eye candy to not be distracting but to also feel like a clean modern system. Low system usage at idle. Calm, clean, and ready to roll when you clicked a button.
Windows is NEVER going to be MacOS, but the dev teams seem obsessed with macifying windows while also wedging that AI abomination copilot into every line of code, so windows is getting a tag team of rapid enshittification on top of already having been massively enshittified, and at least some portion of it is due to the people being paid to make it not understanding what it is supposed to be, the niche it held, and the reason for windows existence.
With no soul, windows has to go.
I'm a c++ developer and I wouldn't use anything other than Windows to develop software, for one reason alone - Visual Studio is a fantastic tool that is better than any IDE I have ever tried it and imho it's the best product Microsoft makes. It just works and works well. And most console toolchains are only on Windows, so outside of iOS development I don't really have a choice.
If it is true, wonder what the proportion is then: 25%, 50%?
Then again, Microsoft themselves directly dispute your statement:
Across the landscape of more than 750,000 devices in use at Microsoft, we support Windows, Android, iOS, and macOS devices. Windows devices account for approximately 60 percent of the total employee-device population, while iOS, Android, and macOS account for the rest. Of these devices, approximately 45 percent are personally owned employee devices, including phones and tablets. Our employees are empowered to access Microsoft data and tools using managed devices that enable them to be their most productive.
https://www.microsoft.com/insidetrack/blog/evolving-the-devi...
Not to mention that most app designers use OSX for the design tools, which means that there is going to be by default some bleed between the two systems on design choices alone.
Pretty much everyone has an android or iOS device in their pocket. A lot of those devices are enrolled into Microsoft MDM in order to access email/teams/etc. These phones are part of the stats. Dev work in general is done on Windows boxes, unless you are in specific teams that have other requirements. Default is Windows, specifically Windows laptop.
200,000+ phones.
Worst case somewhere around 50,000-150,000 tablets.
That leaves ~200,000 unaccounted for devices with only macOS on the table. I think the saturation is higher than you have experienced, although I'll give that it's entirely possible that the areas you worked in were not one of them.
This is specifically done to show that Microsoft tech eg .net is not tied to Windows.
Decades ago, Lotus 1-2-3 on top of MSDOS was the lever; today it’s GCC High.
Hah. First time looking at FedRAMP?
The real reason for this, of course, is accounting, it moves it off of the government's books.
It's unfortunate that people have to claim the authenticity, rather than the users of AI having to disclose use of AI/LLM. I wish it was the other way around.
Azure's success as a cloud provider is mostly a result of their sales team and having an existing relationship with non-technical leadership. "We already pay them for Office and Exchange, let's just buy this new 'cloud' thing from them too".
Azure is barely considered an option at all within tech companies, yet is surprisingly widely adopted by non-technical companies that don't know any better (ie, that don't have a technical / engineering voice or representation within leadership).
AWS = Likely technically the best, for now. Mostly unreasonable pricing, and less motivation to seriously negotiate given they are the 'default' cloud provider for most of the industry. Kind of feels like they have peaked though, and are slipping more recently. Inevitable, or bad leadership changes?
OCI = New-comer, attractive pricing and hungry for business. Might be able to avoid mistakes other providers have made? Reliability struggles though. Parent company has a bad reputation in some circles - but probably not with decision makers. Making huge (unwise?) investments - that will either come crashing down in 5 years, or seriously pay off. Layoffs, but going for massive growth...huh?
GCP = Notably different underlying technical choices than other providers. Folks are maybe a bit less pragmatic, and more academic. This helps them in unique services (Spanner?) but hurts in most other areas. They've matured, and are btwn AWS and OCI in reliability. They are probably not as hungry for business as they should be given how far behind they are.
it isn't the best but it's really great at a lot of things feature-wise. top-notch documentation as well (despite what these "experts" said).
Most companies literally run on Azure these days. Persistent hackers will get into any network, that's a guarantee, that's APT 101. It's law of averages. If it truly is "a pile of shit" given how it is probably the most used cloud platform by the most customers, including governments, and endless plethora of features and services it offers, shouldn't there be more compromises? 2-3 in a decade is hardly above what you expect for law of averages right?
Screw ups happen, but if it is systemic, you can't use one instance as evidence, you must establish a pattern of mishaps.
Azure was hands down, obvious to everyone involved the worst technically. In capabilities, bugs/correctness, availability and support.
Of all 3 CSPs azure has the best identity management system. they're the worst in terms of charging for critical security measures that should be free, but when you pay for it, none of the other providers even come close to that capability.
The main reason people use Azure is easy integration. You're probably right when it comes to availability, no argument there, except maybe how AWS region outages seem to be a bi-annual holiday.
In practical terms, different CSPs might annoy people differently, but availability aside, I think they all suck in their own special way from a user experience perspective. AWS had to recently tell their devs/engs to have a senior dev review their vibe code because of all the outages it was causing.
Microsoft can be abhorrent. They will always get the contracts. Why? Corporate welfare.
Microsoft will drive the rules. Why? Too big to fail.
Microsoft will push their slop. Why? Cause they have contractors after contractors in the federal government pushing MS solutions. Doesnt matter if they're bad.
And, who'd pay for a 3PAO audit of a Linux distro? Ubuntu and Redhat have. Its a $120k moat.
when someone says they work at microsoft, they get weird looks, and people assume they're incompetent
Want a VM? You'll also need this network security group, network interface, network manager, ip, virtual network... and maybe it'll be connected to the internet so you can SSH in? Compare to GCP or EC2 -- you just pick an instance and start it. You can SSH in directly, or even do it in the browser.
Billing also a nightmare: if you're running a startup, AWS and Google make it relatively easy to see how many credits you have left. The Azure dashboard makes you navigate a maze, and the button to click that says "Azure Credits" is _invisible_ for 30s until ostensibly some backend system finds your credits, then it magically shows up. Most people don't wait around and just assume there's no button.
And if you click it, maybe you will happen to be in the correct billing profile, maybe not! Don't get confused: billing profile and billing scope are different concepts too! And in your invoice, costs just magically get deducted, until they don't. No mention of any credits. Credits inaccessible through API (claude tried everything).
VMs, bucket storage, and copying data are the _simplest_ parts of the stack. Why would anyone bother trying to use other services if they can't get these right?
They literally give startups 2x the credits as GCP, 20x the credits of AWS and nobody wants to use them.
Its documentation title is "Copy or move data to Azure Storage by using AzCopy v10" but it can’t actually do trivial operations like “move” because the devs are too scared to write code that deletes files: https://github.com/Azure/azure-storage-azcopy/issues/1650#is...
I recommend switching to “rclone” instead to avoid the frustration. It won't fill your entire system disk up with unnecessary log files unlike azcopy, which is a significant source of production server outages where I work because of this default behaviour.
“GCC High reviewers saw problems everywhere, both in what they were able to evaluate and what they weren’t. To them, most of the package remained a vast wilderness of untold risk. Nevertheless, FedRAMP and Microsoft reached an agreement, and the day after Christmas 2024, GCC High received its FedRAMP authorization.”
- Market monopolies reducing options/leverage
- Outsourcing
- AI automation
- Complexity explosion
These days, every company which has money is using some horrible clunky platform/infra and we spend 99% of our time just working around limitations of those platforms; Problems which were created artificially and don't need to exist... And at the same time we're expected to meet deadlines while almost all of the challenges we face involve certain critical aspects that are totally outside of our control and require us to wait for someone else to fix stuff while we work around it with some crappy solution and we can't just switch platforms or write it from scatch (which would be easier for a lot of us) because the organization forces us to use a particular platform because of the pretext that they are SOC2 compliant. It's total BS!
Not only we have to worry about threats to our jobs, when you look at who is being rewarded in this industry; it's essentially people who create bloat/unnecessary complexity and build these horrible products.
The industry is full of horrible products that everyone uses. There is no incentive for software engineers to be competent because look at what the market rewards!
This in turn affects organization politics; everyone who has some leverage over the platforms is (at least subconsciously) looking for ways to sabotage the tech to maximize billable hours to fix it later... Fixing the platform is their bread and butter so of course they never want to fix it completely. Anyone who tries to do the right thing runs into issues with managers for missing deadlines which they have ZERO control over due to underlying constraints of the platforms they are forced to use. The people 'maintaining' the platforms don't have deadlines do they? They can keep making money from the shit they produce by ensuring they stay shitty and ensuring that the people who actually have deadlines and actually try to get stuff done can't meet them!
No editorializing guys! :)