Microsoft Security-101: Open-Source curriculum (github.com/microsoft)
232 points by wirelesslife 8 months ago | hide | past | favorite | 43 comments



Microsoft also has similar courses on IoT, and Data Science. I found the IoT one really nice [0], and it covers a lot of ground.

[0]: https://github.com/microsoft/IoT-For-Beginners


It looks like they also have one on Generative AI: https://github.com/microsoft/generative-ai-for-beginners/


More likely a 101 on consuming Azure OpenAI.


For those who have read it: would you recommend it?


It’s very 101; it covers sensible topics in a sensible order, but yeah, it lacks a lot of depth.

If you’re looking for a genuinely awesome introduction to the topic I’d recommend this lecture series https://youtube.com/@securityengineering1350?feature=shared

Which accompanies this book https://www.cl.cam.ac.uk/~rja14/book.html


Wow I had no idea this was on YouTube.

This book is the one I always recommended for someone getting started in security.


It’s probably the best book on the topic I’ve ever come across. It’s just an incredibly good mix of practical and approachable and does a great job of teaching you how to think on your own two feet about security which I think is one of the most important aspects.


Thanks, didn't know there were lectures on YouTube, too!


Consider what audience it is for.

Non technical management.


It is a basic introduction for free, there is not much to recommend or not.

If you have basic knowledge of security and the topics listed there, it is a waste of time. If not, then not.


It's the Windows of security. You get to peak and that's about it.


This course covers:

- Basic cybersecurity concepts (CIA triad, risks, threats, etc.)
- Understanding security controls and their forms
- Zero trust and its importance in modern cybersecurity
- Key concepts and themes across identity, networking, security operations, infrastructure, and data security
- Examples of tools for implementing security controls.



From the guys that got their Azure master key stolen due to gross incompetence. That's funny.


Same company that ran its 'container services' on an ancient version of Kubernetes with broken isolation.


Containers are for packaging and deployment, NOT for isolation.


In this case, that does not prove much.

For big companies like Microsoft it is normal to have both some employees who may be security experts and also thousands of others who not only are ignorant about security but they also do not seek the advice of those who may be more knowledgeable.

So without other information, the fact that some document about security comes from Microsoft cannot be used to guess anything about whether it is valuable or not.


Also, the Russians got into their senior executives' email accounts via some test account by brute-forcing passwords.

https://www.theverge.com/2024/1/26/24051708/microsoft-hack-r...


The company that had poor security practices for their Azure Cosmos DB cluster.


Haha. This. Except it wasn't stolen; they flat out gave it away and sold out America to China. That's why they put so much effort into trying to spin Microsoft as some forward fighter in infosec these days, even though anyone with half a brain knows that Microsoft is the greatest liability in security/democracy and engaged in espionage against the US. They should stick to what they do best: steal other people's ideas/concepts/some current trend in tech, try and rebrand it as a Microsoft thing, and weaponize litigation to capitalize on it.


There is no doubt Microsoft is in cahoots with all US three-letter agencies. They have connections and systems in place to make it easy for data collection.

However, I don’t think I ever heard of Microsoft engaged in espionage against the US. Elaborate?


Organization proven to use and abuse the security via obscurity model.


[flagged]


That's like judging the Blue Angels pilots to be the worst in the world, based upon the fact that they have the highest death rate per flight hour. The judgement should be a bit more nuanced than that.


It's fair to say Microsoft doesn't have a great track record over the last several decades with security of their flagship OS. A lot of the nightmares customers have suffered are a direct result of this, either inherent bugs or failing to nudge developers on their platform in the right direction with well thought out, friction-free best practices and tooling.

For sure they have a lot of insight to share, but it would be nice to see them address that before touting their laurels. (Yes, they've gotten a lot better, but in my opinion still nowhere near as bulletproof as it should be.)


A few points to address in what you're saying.

> It's fair to say Microsoft doesn't have a great track record over the last several decades with security of their flagship OS.

Nope, not fair or accurate at all. Their track record has been great, and it's likely you are judging them for transparency mixed with a reputation from >20 years ago. They have a good record of patching security holes; if we all assumed that more patches = worse security, it would only incentivize companies to be quiet.

As for development, again over the past decade, they've been completely different from the past, and are fully embracing and pushing best practices. As other commenters like to point out, this is not your grandpa's Microsoft.

> but in my opinion still nowhere near as bulletproof as it should be.

Assuming that security should be bulletproof is a misunderstanding of how security works.


This feels like a take from someone frozen in 2004. Your description doesn't match my impression of present day Microsoft.


Here are a few big ones from the past 12 months.

https://www.wiz.io/blog/bingbang

https://www.theverge.com/2023/7/12/23792371/security-breach-...

https://www.wiz.io/blog/midnight-blizzard-microsoft-breach-a...

I would agree, the Windows OS has really matured since XP, from a security perspective at least.

I would definitely expect better than this from a tech giant like MS. When was the last time Google, Meta, or Apple got breached like this?

Edited to add: I think them open sourcing some security training is good; it benefits everyone whether or not MS themselves are a great example of a secure company.


Another perspective is if you haven't failed and analyzed the failure, you don't really know why your current processes might be succeeding.

Or whether your processes are good at all and it's not just luck, or being less of a target, that means the holes haven't been exploited yet.


The slingshot penetrating your tank armor is not a helpful failure. Except for telling you that your processes are so wildly off base that you need to start over.

People who claim this kind of failure is useful are clueless. Failures are interesting in exploratory processes and useful when occurring within a predicted failure regime (i.e. testing to failure). Unexpected failures in predicted success regimes just indicate process weaknesses. Repeated and continuous failures in similar fashions do not indicate strength; they indicate structural process deficiencies, despite what cybersecurity bozos would like you to believe.


Hasn't Azure been root level compromised twice in the last 12 months?

Once involving signing keys so critical that (from rough memory) they had to restore them silently after initially deleting them?


Yes, but people forget faster than they blink. And all the ransomware putting down utilities is attributed to user error, not to the OS happily running every URL from the internet.


If only we were back to 2004...

Look at the number of vulnerabilities introduced by Windows version. It's good that they're fixing them frequently, but the fact that they need to do so in the first place (and there's more and more of them with each new version) is itself a problem.


Can you even link to a single technically competent offensive specialist that states a Microsoft system would be difficult to break into? Just to make it concrete, let’s go with a really low bar like one skilled person over one year.

For that matter, can you link to anybody technically competent at Microsoft who would dare to make a claim like that and then actually back it up with experimental evidence? No point listening to the blather of the Microsoft PR team when the silence of the technical team tells you all you need to know.


They've probably also fixed more security problems than most, and as Fred Brooks said,

"Good judgement is the result of experience. Experience is the result of bad judgement."


Their flagship OS has an administrative culture of "ClickOps", and effective security is built around practices that are antithetical to that sort of culture.


Microsoft does take security pretty seriously with Windows. There have been times they made mistakes, but historically, they are doing better now than they were in the early 2000s before Bill Gates sent a memo noting that they needed to take security seriously [1]. You could argue they take security as seriously as any major player like Apple and Google, seeing they touch a lot of private user data.

[1] https://news.microsoft.com/2000/12/07/gates-offers-new-techn...


And what's the best way to handle private user data? The thing that Microsoft have been heading away from for the last 10 years?


Not only Microsoft. Nobody cares about user data. They all take it and sell it. Permission: Storage. Not folder or file. Storage.


[flagged]


Criticising someone’s accent or “non-professional” room background comes across at best as snarky gatekeeping.

The real question is whether, for the desired audience, the presenter’s accent, the background scene, the delivery of content or anything else is a blocker.

I’m assuming that parent is not a beginner in the field, and is absolutely not the target of this fundamentals course.

Let’s welcome more and different people into the field. God knows, we need some optimists and fresh thinkers sometimes, not just the crabby people from one specific demographic squatting in their senior roles shouting at clouds.

Edits: spelling correction


Just listened to a bit of this. As a Brit listening, what accent? She's completely audible with only slight inflections on some words.


> I think she needs some training on how to speak neutral without much of an accent.

> Also, I don't understand why her background behind her is so... non-professional.

You focus on very superficial details. There's a reason true geniuses don't really fit into society, they don't care about and don't have time for petty details.

When they change the world the vultures come and package it into a pretty product for the masses to throw their money at and it inevitably turns into crap. Most of the money goes into PR, HR and Chief title officers for no other reason than to satisfy the gullible masses.

I'll give an example: crypto-currencies can change the world in many ways, but the killer feature that the masses adopted was fucking NFTs... Humans are depressing.

Choose for yourself where on this journey you want to adopt a product or idea. Do you act on ideas or shiny packaging?


>Do you act on ideas or shiny packaging?

The outward appearance and concept of something can indicate bias or quality where there may not be any. See hype around Yeezye shoes, or Kayne's white shirt, or the utilization of netlify essentially repackaging Amazon. An idea is meaningless without the ability to act.

People ripped this comment to shreds; meanwhile, the brain-swell of folks here would absolutely criticise if something was posted that showed a lack of due diligence and due care. Watching the videos of this content, the videos are just scripted versions of the text in the markdown files, with no slides or auxiliary content to show value. Impressive, really.

Further, I don't think anyone took my comment holistically as it sits. I fondly remember seeing a lot of developer advocates talking about Azure and how wonderful the Cloud is, but they showed a demo, their own personal PC was poorly configured and managed, and they were using incorrect taxonomy for quite a few things -- leading people down the wrong path of growth and learning. So yeah, the details that are on the shiny package matter, for sure.


> I think she needs some training on how to speak neutral without much of an accent

This is an absurd expectation. I've watched plenty of videos by people with an accent. That's just how the world is and doesn't reflect on her negatively in any way.

> I'm positive the emojis all over the GitHub page would drive older folks crazy

I've seen a bunch of repos with emojis like this and I'm not a fan. I've also seen repos that are a lot worse, where the emojis can be quite distracting. That said, it's way down near the bottom on my list of things that bother me. If the documentation is otherwise useful and has all the substance I need or expect, I ignore the fluff around it.



