Michael B. Smith

4K posts

@essentialexch

I am the average "admin user". Beyond the requirement for average expertise - I will complain! Consultant, Exchange/Azure/AD/PowerShell expert, Father.

Charlottesville, Virginia, USA · Joined August 2009
139 Following · 977 Followers
Peter Girnus 🦅
Peter Girnus 🦅@gothburz·
I decide whether cloud products are secure enough to hold the federal government's data. I spent five years on Microsoft. It isn't. We authorized it anyway. In 2020, the Department of Justice deployed Microsoft's GCC High across its entire operation. Court records. Law enforcement files. National security data. This happened before my review was complete. The deployment happened while I was still reading page one. That's efficiency. The product arrived on my desk in April 2020. I have a monitor with two screens. One screen shows the security package. The other screen shows the list of agencies already using the product I haven't finished reviewing. I spent 480 hours on this package. I conducted 18 technical deep dives. My team concluded that the documentation left us with a "lack of confidence in assessing the system's overall security posture." I asked Microsoft for data flow diagrams. These are fundamental. They show where data is encrypted and where it isn't. Amazon provides them. Google provides them. Microsoft said the request was too challenging. I suggested we start with just one service. Exchange. A litmus test. Microsoft took months to respond. When they did, they submitted a white paper that discussed encryption in general terms but left out where on the journey the data actually becomes encrypted and decrypted. That's transparency. I asked again. Microsoft called it a "rock fetching exercise." Their liaison, a former deputy assistant secretary of the Army, said we should accept the assessor's findings. The assessor is a third-party firm. The third-party firm is hired by Microsoft. The third-party firm is paid by Microsoft. The third-party firm evaluates Microsoft. We set up a back-channel. We encouraged the assessment firms to confidentially report negative feedback they were unwilling to bring directly to their client. Both firms used the back-channel. 
Both firms told us they could not get the information they needed out of Microsoft to properly assess the product. That's the process. One of them we placed on a corrective action plan. Not Microsoft. The assessor. The firm Microsoft pays to evaluate Microsoft was told to push back harder on Microsoft. Microsoft says it is not aware of any backchanneling. That's accurate. The firms Microsoft pays prefer not to tell Microsoft what they told us about Microsoft. That's independence. In 2020, Russian hackers exploited a weakness in a Microsoft product that the company had refused to fix for years despite repeated warnings from one of its own engineers. They stole data from the National Nuclear Security Administration. They stole data from the Justice Department. In 2023, Chinese hackers infiltrated Microsoft's government cloud. They stole emails from the Commerce Secretary. They stole emails from the U.S. Ambassador to China. After that breach, the White House called my interim director. His name was Brian Conrad. He took away one message: hold all providers to the same standard, and know that if something goes wrong with an authorized product, FedRAMP takes the political heat. Within months, Conrad wrote to Microsoft. He cited three years of collaboration. 480 hours. 18 technical deep dives. Still no data flow diagrams. He told them: if you want authorization, start over. Microsoft was furious. In December 2023, there was a meeting at our headquarters in Washington. The Justice Department's Chief Information Officer sat beside Microsoft's liaison. On the opposite side of the table from my team. The Microsoft liaison interrupted our presenter mid-PowerPoint. He said we should essentially just accept the assessor's findings. The CIO backed him up and criticized our work. That was a shock. This is the same CIO who had deployed GCC High across the Justice Department three years before we finished reviewing it. 
The same CIO who kept pressing us to get this thing over the line. My colleagues believed she was not willing to put heat to Microsoft. The Justice Department was too sympathetic to Microsoft's claims. In 2025, she was hired by Microsoft. That's a career path. The Deputy Attorney General who launched the DOJ's cyber-fraud initiative — the program designed to hold government contractors accountable for cybersecurity failures — left government in January 2025. She was also hired by Microsoft. As president of global affairs. Microsoft says she does not work on any federal government contracts. That's a firewall. We hired a new permanent director in August 2024. He restarted the review. Put aside the diagram debate. Tried to examine the evidence directly. The new team reached the same conclusion. One member called the package a pile of shit. One reviewer described the architecture as "a pile of spaghetti pies." We couldn't map how data traveled through the system. It was like tracing a route from Washington to New York that detours by bus, ferry, and airplane when there's an Amtrak line right there. Each detour is an opportunity for hijacking. We were told the complexity is not spaghetti. It is continuous hardening. That's architecture. The new team only managed to review two of many services: Exchange Online and Teams. In those two services alone, they found issues that were fundamental. Timely remediation of vulnerabilities. Vulnerability scanning. The basics. We never got past Exchange. We never got that level of detail. We had no visibility inside. But each time we actually got visibility into a black box, we uncovered an issue. We couldn't even quantify the unknowns, which made us very uncomfortable. The package is sufficient. That's the verdict. December 26, 2024. The day after Christmas. We stamped it. We appended a cover report laying out the deficiencies. We noted it carried unknown risks. 
We added a buyer beware notice telling federal agencies to carefully review the package and engage directly with Microsoft on any questions. The package is sufficient. Not secure. Sufficient. Boeing uses this cloud. The Department of Energy uses this cloud. Defense contractors building weapons systems use this cloud. They adopted it because the Pentagon required FedRAMP-standard products. We became the standard. Microsoft's chief security architect celebrated the authorization in an online forum. He posted "BOOM SHAKA LAKA" with a Leonardo DiCaprio Wolf of Wall Street meme. He had previously complained that the government had been dragging their feet on it for years. The dragging was us. Reviewing. For 480 hours. In 18 deep dives. Over five years. That's dragging. Microsoft's own liaison, when our findings were read to him, said: "That's pretty damning." He said it sounded like language that would have been associated with a finding of "not worthy." Not worthy. His words. A 30-year NSA veteran looked at what we built. He said: "This is not security. This is security theater." That's a review of the reviewers. Meanwhile, Microsoft had China-based engineers maintaining government cloud systems. The Pentagon prohibits foreign persons from accessing its most sensitive data. The Justice Department requires U.S. citizens only. Microsoft's written security plan submitted to the DOJ did not mention foreign engineers. DOJ officials learned about the arrangement not from Microsoft or from us. They learned it from a journalist. That's disclosure. We approved the package because we had no choice. Not because the questions were answered. Because the product was already deployed. Across the government. Across the defense industrial base. Rejecting it would impact multiple agencies already using it. The contractors were worried about compliance. Defense Department operations could be affected. 
We determined it was "better value" to issue an authorization with conditions than to reject it. That's risk management. The risk was managed by transferring it to everyone who uses the cloud. The package is sufficient. My program now has 24 employees. Our annual budget is $10 million. The lowest in a decade. We have been told our role is not to determine if a cloud service is secure enough. Our role is to ensure agencies have sufficient information to make risk decisions. The package is sufficient. I decide whether cloud products are secure enough to hold the federal government's data. I spent 480 hours inside Microsoft's cloud. I conducted 18 technical deep dives. Two assessment firms told me in confidence they couldn't get the information they needed. Russian hackers breached it. Chinese hackers breached it. The new team called it a pile of shit. The old team called it a vast wilderness of untold risk. The CIO who pushed for it was hired by Microsoft. The Deputy AG who was supposed to hold contractors accountable was hired by Microsoft. The engineers maintaining it were in China. The package is sufficient. I stamped it. That's my job.
James Woods
James Woods@RealJamesWoods·
French leader Macron discovers more efficient way to surrender: do it before you fire a single shot!
Gracia
Gracia@straceX·
In C and C++, the order you write your variables can silently bloat your software's size. A struct with a char, then an int, then another char takes up more physical RAM than an int followed by two chars. The compiler secretly injects invisible, wasted padding bytes just to keep the CPU's memory alignment happy.
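As an added example (not code from Gracia's post), this C program measures the padding the post describes with `sizeof` and `offsetof`, and adds the caveat a defender cares about: padding bytes are not written by member assignment, so a struct copied to a file or socket can leak stale memory unless it is zeroed first. The byte counts in the comments assume a common 32/64-bit ABI with a 4-byte, 4-byte-aligned `int`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Member order from the post: char, int, char. On common ABIs the compiler
 * pads after 'a' so 'i' starts on a 4-byte boundary, and after 'b' so sizeof
 * stays a multiple of the struct's alignment: 12 bytes for 6 bytes of data. */
struct char_int_char { char a; int i; char b; };

/* Same members, int first: both chars fit in the tail, 8 bytes total. */
struct int_char_char { int i; char a; char b; };

#define PAYLOAD_BYTES (sizeof(int) + 2 * sizeof(char))   /* data without padding */

size_t padding_char_int_char(void) { return sizeof(struct char_int_char) - PAYLOAD_BYTES; }
size_t padding_int_char_char(void) { return sizeof(struct int_char_char) - PAYLOAD_BYTES; }

/* Size of the hole between 'a' and 'i' in the wasteful layout. */
size_t hole_before_int(void) {
    return offsetof(struct char_int_char, i) - (offsetof(struct char_int_char, a) + sizeof(char));
}

/* Padding is never written by member assignment, so a struct copied to a file
 * or socket can carry stale stack bytes. Zeroing the whole object first closes that. */
void init_zeroed(struct char_int_char *s, char a, int i, char b) {
    memset(s, 0, sizeof *s);
    s->a = a; s->i = i; s->b = b;
}

/* Returns 1 if every non-member byte of a struct built by init_zeroed is 0,
 * even though the memory previously held 0xFF (constructed "stale" content). */
int padding_is_zeroed(void) {
    struct char_int_char s;
    memset(&s, 0xFF, sizeof s);
    init_zeroed(&s, 'x', 42, 'y');
    const unsigned char *p = (const unsigned char *)&s;
    for (size_t k = 0; k < sizeof s; k++) {
        int in_a = k == offsetof(struct char_int_char, a);
        int in_i = k >= offsetof(struct char_int_char, i) && k < offsetof(struct char_int_char, i) + sizeof(int);
        int in_b = k == offsetof(struct char_int_char, b);
        if (!in_a && !in_i && !in_b && p[k] != 0) return 0;
    }
    return 1;
}

int main(void) {
    printf("char,int,char: sizeof=%zu padding=%zu hole=%zu\n", sizeof(struct char_int_char), padding_char_int_char(), hole_before_int());
    printf("int,char,char: sizeof=%zu padding=%zu\n", sizeof(struct int_char_char), padding_int_char_char());
    printf("padding zeroed after init_zeroed: %s\n", padding_is_zeroed() ? "yes" : "no");
    return 0;
}
```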
Michael B. Smith
Michael B. Smith@essentialexch·
@SBSDiva There are carveouts for if you are ill, disabled, in the military, or traveling. That being said, it's unlikely that provision will make it to the final bill. It's not in the House version of the bill. But Trump, as any citizen, is allowed his opinion.
Susan Bradley
Susan Bradley@SBSDiva·
So the same administration that wants to encourage us to electronically pay our taxes to "modernize" wants us to get rid of mail in ballots and move back to where we only vote in person? Did I get this right? whitehouse.gov/presidential-a…
Dave W Plummer
Dave W Plummer@davepl1968·
For my Robotron AI, I needed to do object detection so I could feed the enemy locations into the model. I finally got it working! It was challenging because the sprites are just laid out where the artist chose, rather than being anchored in a consistent fashion. So I had to walk the sprite data in the game memory to figure it out, but eventually got it! Here's a little demo... is it ironic I'm doing object detection the old school way, not with AI? :-)
Michael B. Smith
Michael B. Smith@essentialexch·
@mniehaus Should be taught in every business school as an example of how NOT to do marketing communication.
Tim Anderson
Tim Anderson@AssocAnderson·
I am doing Virginia/Utah Classes all over Virginia. Pending classes are here - many are sold out but you can be added to a waitlist by calling 757-477-7126: (to enroll click: defensivetacticsvb.com)
Va Beach 3/5 at 530
Stephens City 3/8 at 1pm
Va Beach 3/10 at 530
Ivor 3/12 at 530
Scott County 3/14 at 9am
Roanoke 3/14 at 6pm
Russell County 3/15 at 1pm
Va Beach 3/16 at 530
Chesterfield 3/17 at 530
Fredericksburg 3/19 at 530
Amherst 3/21 at 9am
Roanoke 3/21 at 3pm
Roanoke 3/22 at 11am
Va Beach 3/23 at 530pm
Northumberland 3/24 at 530pm
King George 3/26 at 5pm
Prince George 3/27 at 6pm
Williamsburg 3/28 at 9am
Rockbridge 3/29 at 1pm
Chesterfield 4/2 at 530
Lancaster County 4/3 at 530
Chesterfield 4/6 at 530
Chesapeake 4/7 at 6pm
Newport News 4/9 at 5pm
Giles County 4/10 at 530
Dickenson County 4/11 at 9am
Bristol 4/11 at 530
Lunenburg 4/12 at 11am
Charlotte County 4/12 at 5pm
Newport News 4/16 at 6pm
Norton 4/17 at 530
Pulaski 4/18 at 9am
Galax 4/18 at 3pm
Victoria 4/19 at 11am
Gloucester 4/21 at 6pm
South Boston 4/22 at 530pm
Goochland 4/25 at 9am
Broadway 4/25 at 5pm
Rockingham 4/26 at 1pm
Augusta 5/9 at 9am
Radford 5/9 at 5pm
Greene County 5/10 at 11am
Winchester 5/27 at 530pm
Page County 5/31 at 1pm
Woodstock 6/6 at 9am
A few places I would like to book a class: Lynchburg, Mecklenburg, Emporia, Hanover, Prince William and Loudoun. If you have a venue that will hold a big crowd - email me at timanderson@virginialawoffice.com
Expect repeat classes to be scheduled this summer in Tazewell, Grayson and Roanoke.
Jack Posobiec
Jack Posobiec@JackPosobiec·
Yoomer is the name for Gen Y-ers (elder millennials)
OK Boomer
OK Yoomer
Ok Zoomer
And so forth
Libs of TikTok
Libs of TikTok@libsoftiktok·
WOW. Gavin Newsom's California just gave a $300 MILLION contract to Microsoft without offering other companies the opportunity to bid. Microsoft is under investigation after Chinese Nationals reportedly used Microsoft programs to hack into the Dept of War and steal data. Why is Newscum giving MORE taxpayer money to a company involved in allowing Chinese spies to access top secret information?
Libs of TikTok@libsoftiktok

BREAKING: Defense Secretary Pete Hegseth announced that he's issuing an internal audit of Microsoft's digital cloud system after Chinese Nationals used it to reportedly hack into the Department of Defense systems and steal data. A separate investigation is also being launched into Microsoft's "digital escort program" and the Chinese Microsoft employees involved in the hack. Microsoft itself needs to be FULLY investigated for allowing such a critical breach of United States security

Michael B. Smith
Michael B. Smith@essentialexch·
The @X Following tab has changed to a drop-down. Is that brand new? I think so. Anyway, the "Popular" choice I hate. "Recent" is what I've traditionally used and greatly prefer.
Michael B. Smith
Michael B. Smith@essentialexch·
Is the @X "Following" algo broken? The behavior has changed this week and I REALLY don't like it.
Tib3rius
Tib3rius@0xTib3rius·
Feels like this IT team could benefit from listening to last week's episode of @AcrossPondPod. 🤦‍♂️
Michael B. Smith
Michael B. Smith@essentialexch·
@SBSDiva @Acyn My opinion, and that of my broker, is that the AI software bubble is done for right now. AI hardware is still growing, for at least another year... Just look at the AI software bloodbath in the last two weeks.
Acyn
Acyn@Acyn·
O’Leary: While we bash all this stuff out why is it that the Dow keeps hitting new highs every day? Is that not an index of what people think about the economy and the future of America? McGowan: No.
Michael B. Smith
Michael B. Smith@essentialexch·
I watched this morning's Crew-12 lift-off. Still makes my heart thrill! And they treat the first stage landing as completely normal now, when I still think of it as sci-fi. Amazing!
Nir Kopp
Nir Kopp@nir_kopp·
@essentialexch @RudyHuyn What do you mean by not compatible? For downloading apps winget is probably the solution, it uses the MSstore and the Winget repo.
Rudy Huyn
Rudy Huyn@RudyHuyn·
All Microsoft Store capabilities are now available directly from the command line! Originally built as an internal tool for large-scale testing and data validation, it proved too powerful and practical to remain internal, so we are now making it available to everyone! From your terminal, simply type 'store' to: 🔍 Search for apps or games 🧭 Browse categories 🏆 Explore top charts 🧵 View apps by publisher 🛠️ Install, update, and manage apps and all other features provided by the Microsoft Store app.
Giorgio Sardo@gisardo

Announcing new developer tools on the Microsoft Store. Check-out what's new across developer analytics, web installer and Store CLI. blogs.windows.com/windowsdevelop… #Windows #MicrosoftStore

Michael B. Smith
Michael B. Smith@essentialexch·
@nir_kopp @RudyHuyn Only does the store apps. Which is darned unfortunate that there are now two ways (from MSFT) to download and install apps from the CLI. And they aren't compatible.
Michael B. Smith
Michael B. Smith@essentialexch·
@gisardo while I am appreciative of the store app, why the heck isn't it PowerShell? And why doesn't it use standard parameter patterns?