Microsoft Chose Profit over Security, Whistleblower Says
Microsoft culture and priorities
- Several commenters describe Microsoft’s culture as hubristic and “cult‑like”: a strong not‑invented‑here (NIH) syndrome, constant reinvention, over‑engineering, and a belief that Microsoft has an answer for everything.
- Others say this isn’t new; the Trustworthy Computing era improved things for a time, but recent years feel like regression, with security messaging not matching behavior (e.g., Recall, telemetry, ads in Windows).
- Some current and former employees report serious, dedicated security people inside Microsoft, but say misaligned incentives and understaffed security functions (e.g., the Microsoft Security Response Center, MSRC) undercut them.
Security vs profit
- Many argue that virtually all large companies put profit ahead of security; what’s distinctive here is Microsoft publicly claiming “security first” while repeatedly choosing otherwise.
- Discussion of “revealed preferences”: promotions and rewards favor shipping features and growth, not careful security work.
- Some see the whistleblower story as outright malice: knowingly sitting on a high‑impact flaw for business reasons, especially with government customers. Others frame it as systemic incentive failure rather than individual evil.
Golden SAML / AD FS dispute
- One side: Microsoft knew of a serious, high‑consequence weakness in AD FS/“seamless SSO”, resisted warning customers or recommending mitigations (like disabling seamless SSO), partly to avoid scaring governments and jeopardizing big cloud contracts. The failure is not having bugs, but ignoring known, critical ones.
- Another side: Golden SAML is framed as an attack pattern that assumes prior full compromise of AD FS; in SSO systems, compromise of the identity provider inherently compromises everything. From this view, the story is exaggerated and the real “hack” was earlier footholds like SolarWinds.
- There’s also debate over whether disabling seamless SSO was a realistic mitigation, given smart‑card–based 2FA in government and usability impacts.
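The point made above about Golden SAML cuts both ways for defenders: once the identity provider’s token‑signing key is stolen, a forged assertion carries a valid signature and is indistinguishable from a real one at the relying party, so signature checks alone cannot catch it. What the attacker’s copy of the key does not control is the identity provider’s own issuance record. The script below, an added example and not code from the discussion or from Microsoft, shows that reconciliation: every assertion the relying party accepted is matched against the IdP’s issuance log, and any assertion the IdP never recorded issuing, or issued to a different subject, is flagged. The log formats, field names, and the sample lines are constructed for the example; real AD FS and cloud sign‑in logs carry the same information (assertion ID, subject, issue time) in different layouts.

```python
"""
Reconcile SAML assertions accepted by a relying party against the identity
provider's issuance log. Assertions the IdP never issued are the classic
"golden SAML" indicator: valid signature, no issuance record.

Added example, not code from the discussion or from Microsoft. Assumptions:
  * the IdP audit log has one row per issued token with the assertion ID,
    the subject and the issue instant (constructed layout, not real AD FS
    event text);
  * the relying party's sign-in log has one row per accepted token with the
    same fields, recorded after the signature was verified.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class TokenEvent:
    assertion_id: str
    subject: str
    when: datetime


# Constructed sample: what the IdP says it issued.
IDP_ISSUANCE_LOG = """\
2024-05-01T08:00:12Z ISSUED id=_a1 subject=alice@corp.example
2024-05-01T08:03:40Z ISSUED id=_b2 subject=bob@corp.example
2024-05-01T08:10:05Z ISSUED id=_c3 subject=alice@corp.example
"""

# Constructed sample: what the relying party accepted. Every row already
# passed signature verification against the IdP's token-signing certificate.
RP_ACCEPTED_LOG = """\
2024-05-01T08:00:13Z ACCEPTED id=_a1 subject=alice@corp.example
2024-05-01T08:03:41Z ACCEPTED id=_b2 subject=bob@corp.example
2024-05-01T08:10:06Z ACCEPTED id=_c3 subject=alice@corp.example
2024-05-01T09:15:00Z ACCEPTED id=_zz9 subject=admin@corp.example
2024-05-01T09:20:00Z ACCEPTED id=_b2 subject=svc-backup@corp.example
"""


def parse_log(text: str) -> list[TokenEvent]:
    """Parse the constructed '<ts> <verb> id=<id> subject=<subject>' rows."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, _verb, id_kv, subj_kv = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(TokenEvent(id_kv.split("=", 1)[1], subj_kv.split("=", 1)[1], when))
    return events


def find_suspect_assertions(idp_log: str, rp_log: str,
                            max_skew: timedelta = timedelta(minutes=5)
                            ) -> list[tuple[TokenEvent, str]]:
    """Return (accepted_event, reason) for every accepted assertion that the
    IdP did not issue, issued to someone else, or issued outside max_skew.

    Only the IdP's record is consulted; the signature tells us nothing once
    the signing key may be in an attacker's hands."""
    issued = {e.assertion_id: e for e in parse_log(idp_log)}
    suspects = []
    for accepted in parse_log(rp_log):
        origin = issued.get(accepted.assertion_id)
        if origin is None:
            suspects.append((accepted, "not_issued"))
        elif origin.subject != accepted.subject:
            suspects.append((accepted, "subject_mismatch"))
        elif not (origin.when - max_skew <= accepted.when <= origin.when + max_skew):
            suspects.append((accepted, "outside_window"))
    return suspects


if __name__ == "__main__":
    for event, reason in find_suspect_assertions(IDP_ISSUANCE_LOG, RP_ACCEPTED_LOG):
        print(f"{event.when.isoformat()} {event.assertion_id} {event.subject}: {reason}")
```

The check is only as good as the IdP log it reads: an attacker who also controls the AD FS host can tamper with or suppress those records, so the issuance log should be forwarded off‑box as it is written. The time window also needs to tolerate genuine clock skew between the IdP and the relying party; five minutes is a constructed default, not a recommendation.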
Regulation, accountability, and markets
- Many participants think only regulation, liability with “teeth,” or even criminal penalties for willfully ignored risks will change behavior. Others warn that simple “heads must roll” policies can backfire or be hard to define legally.
- Comparisons are drawn to bridges, Boeing, and other safety‑critical industries where professional licensure and strong oversight exist; software lacks analogous structures.
- Some advocate breaking up hyperscalers or nationalizing critical digital infrastructure, but others see that as politically unrealistic.
Broader security industry themes
- Recurrent themes: security as a “cost center,” compliance as security theater, lack of user/customer demand for real security, and the rarity (but existence) of companies that genuinely trade profit for security.
- Zero trust architectures (e.g., BeyondCorp) are cited as promising but hard to retrofit into heterogeneous, legacy‑heavy enterprises.