Slashdot Mirror
Microsoft Azure Failure: SSL Certificates Were Updated... Sort Of
judgecorp writes "Microsoft has published an explanation of the failure of Windows Azure earlier this month. Users of the Azure storage saw that an SSL certificate had expired. Microsoft's explanation says that the certificate had in fact been renewed, but an update with the new certificate details was not prioritized, and hadn't actually been implemented till after the old certificate expired. There are more interesting details, but Microsoft says better alerts and more automation will stop this particular fault happening again."
Look, I know nobody cares, but Microsoft Azure has nothing to do with Windows 8. I'm also not sure it's a failure. Microsoft tried something new after getting great positive reviews for Windows 7, which is the BEST time to try something risky. Worst case, people skip one generation of Windows, and stick with... Windows. Best case, you redefine the PC interface. It is innovative, no matter how poorly implemented. Besides, Microsoft has a history of creating a shitty first version and then fixing kinks as time goes by. Was anyone expecting a good first version of Metro? The slow adoption numbers can easily be credited to how good Windows 7 is. Why would you switch? It costs $0 for me to stay on 7, and > $0 to upgrade. We won't be seeing many Windows 8 devices for a while. The timely upgrades brought about by Windows Blue might even spur more adoption (too early to tell, I think). Windows Phones I won't attempt to defend since I know nothing of them.
And Apple is dead too right? And Diet Coke.. what about that?
Unless I'm horribly mistaken, they've let certificates expire before. Why would I think they won't let it happen again?
It definitely won't happen again, instead the team responsible for keeping the automation software running will fail. Or an automatic upgrade to Windows will break it, or the libraries needed to run it will have been deprecated.
So yeh, it won't happen again, the next time it will be something else to blame.
Never of course a management that chops up roles into such small increments, dis-empowering it's workforce so much that the simple job of updating a certificate becomes a major obstacle each and every time it happens. No, never a load of BS managers, no sir!
Look, I know nobody cares, but Microsoft Azure has nothing to do with Windows 8.
Except for the fact that Windows 8 now comes with a secure bootloader.
In other words, Microsoft likes to centralize security. It doesn't matter to them if that means creating a single point of failure. They're like a large government wanting to control everything, even if that means it compromises everything else.
... managers saying "we need to get this up and running sooner ... automating it reliably is hard to do ... just get it working and update things manually for now and we will automate it later". When later comes, everyone is working on something else.
now we need to go OSS in diesel cars
I really like the OSX system, I feel it's a stronger OS overall, but Microsoft will win because they have a strong platform in one crucial area: backwards compatibility. If you write something for OSX, there is no reason to believe that it will still work in five years. On Microsoft's platform, it has a good chance of working as compiled. This is even more important to businesses than to home users.
We've seen over and over through decades that the backwards-compatible ugly system beats the pretty, usable system.
"First they came for the slanderers and i said nothing."
re Pretty sure the last one was a bug that was something to do with the cert expiring on a leap-day though. [emphasis mine]
.
$gt begin{sarcasm} Well, if it was a leap-day event, well that's totally excuseable because there's no predictable way to know that a particular year might be a leap-year with a leap-day in it, and even if there were, my goodness, you'd need some sort of computational device to carry out the algorithm (that Al Gore, he invents everything!) that would let you figure it out, and who could afford a computational device??? end{sarcasm}
;>p
Come on, you can't let Microsoft off the hook for screwing up things like that. It's supposed to be a software company. Y2k was known about well before it occured; leap-year days are well known about and recur on an amazingly well-understood and defined schedule. This is not a much deeper problem. It's just another basic problem that shows that there are not any good processes going on behind the scenes at Microsoft. And Apple screwed up their alarm clock functionality that kept messing up on iOS at the beginning of the New Year, too. That was also just as inexcuseable.
Except for the fact that Windows 8 now comes with a secure bootloader.
Which still has very little to do with Azure.
Which part of "Microsoft product" did you not understand?
Microsoft seems to be almost entirely staffed by bumbling, incompetent fools. And it starts at the top.
uhuh. I think people, especially technology companies, forget that the easiest task to automate is one that a human can simply do.
"Executive assistant in charge of renewing certificates". Make it someone's job. It'll get done. You don't need a robot. You just need it to be in someone contract. That's it.
I always back up my cloud data to a local harddrive, just to be safe.
That sounds like vaporware.
but an update with the new certificate details was not prioritized
Reminds me of AD + Exchange: group policy changes take forever to propagate even when forced, removing attached mailboxes from exchange clients takes exchange 10 minutes to respond to let the client know it is gone. All are not prioritized. But I am sure there are better things to waste idle proc time and to screw around admins with.
You'd think after people made fun of the MS Zune for being out of action on a leap day that MS would take a bit more care before the next one.
Have you tried Windows 8? It is genuinely awful.
No, but I have tried diet coke, now that's awful...
CAPTCHA: dilute
Are the gods telling me something here?...
Please, do tell - what method do you use to update certs on tens of thousands of systems without causing an outage?
Oh wait, you don't administer anything beyond your mom's desktop PC? Well that's nice then, go back to your WoW game and leave the rest of us alone.
As an aside, it's "save for" not "safe for." That's ok though, maybe they'll cover that in your 10th grade English class next year.
Fucking PFYs. Fuck.
I've been to Google before when that happened, typically when crossing between analytics and normal google or google plus or adsense. It gets confused sometimes and just doesn't know what to do I guess? Computers can be buggy and relying on SSL isn't very smart. I understand that it makes it seem like a phishing site if there's not one but SSL expiration happens to everyone.
I haven't tried Windows Azure, which is the subject matter here...
With "azure failure was a leap year glitch", "microsoft certificate was used to sign flame malware", and now this, what of Secure boot and the (de facto) dependency upon Microsoft?
And 'New Coke'... what about that?
Yeah, I'm with Bill Cosby on that one.
soylentnews.org Go there to enjoy the people!
Yeah, all of the window phones silliness is so worth laughing at. I remember the crazy ad that came out for the windows phone last year that had QuestLove in the commercial. I believe that /. had a story about MS cancelling that phone the SAME DAY that the commercial had just aired.
.
And what the fVCk is it with the stomping and jumping and slapping around of hardware in the ms tablet ads? Is that all that the MS tablets are good for? Throwing them around and clunking them onto tables and benches? What's with the ugly mean-faced girl-scouty attired girls in that first MS tablet surface ad? I think MS just saw the Apple ipod and iPhone ads that had a single song playing in the background with cool activities and decided to copy the style without any substance. Hey, that kind of explains most of the things that they do!
When you charge an arm and a leg for an OS and your company basically has unlimited money, then there is no excuse for not delivering perfect software with no bugs. So yes I was expecting a perfect version of Metro.
the adoption rates for students who get windows 8 for free is non existant at least by the anecdotal evidence in my faculty (computer science).
even during exam season (when you suddenly get the urge to clean the room, re-check the fridge or format your laptop).
you can piss on my face but don't tell me it's raining.
It's incredible how they keep shuffling blame around, or hot-potato-ing it:
In this case, the Secret Store service notified the Windows Azure Storage service team that the SSL certificates mentioned above would expire on the given dates. On January 7th, 2013 the storage team updated the three certificates in the Secret Store and included them in a future release of the service. However, the team failed to flag the storage service release as a release that included certificate updates. Subsequently, the release of the storage service containing the time critical certificate updates was delayed behind updates flagged as higher priority, and was not deployed in time to meet the certificate expiration deadline. Additionally, because the certificate had already been updated in the Secret Store, no additional alerts were presented to the team, which was a gap in our alerting system. [source link] [bold emphasis mine]Laughable, if it were not so stupid.
This is what happens when you have bean counters and MBA running the IT department.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
Very few like it and use it. (Linux|Mac) desktop? less than 5% of the market share. Now that I have shown the fallacy of your statements, how about you just shut the fuck up.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
Guess what. Almost nobody cares that it comes with a secure bootloader. The only people who do care are a small number of geeks.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
When you charge an arm and a leg for an OS and your company basically has unlimited money, then there is no excuse for not delivering perfect software with no bugs. So yes I was expecting a perfect version of Metro.
The cost of certifying a modern OS totally bug-free would exceed the GDP of the entire world, hundreds of times over.
No colour or religion ever stopped the bullet from a gun
I'm not sure if Metro can ever be "fixed", it should be scrapped altogether.
I mean, I'm supposed to pay to turn a perfectly working machine into a shitty tablet?
A true coward: Nothing of worth to say and that without any grace...
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Troll = Fed.
In the future, mod him down and move on.
Good lord, last year it was a 12 hour outage on leap day, this year it was a 12 hour (as far as I can tell) outage due to expired certificates. They won't be able to claim six 9's uptime for ~274 years!
At the rate of a half day of failure every year, so far, I'm not even sure I'd trust Azure for storage no matter what the discount they offer.
They pushed the update out on Jan 7. By Feb 22, it hadn't been completed. Something is not right with this explanation. Doesn't matter how low a priority it was, it should have been pushed out within in what? Two weeks?, a month?
Almost nobody cares about a lot of things that matter a great deal.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
I have Windows 8 running on a computer that lacks the secure boot feature. So no, I don't give a damn if the secure bootloader is M$'s doomsday weapon.
Then you're retarded. Microsoft has almost never delivered a good first version of anything - it's their thing. On top of that, given all of the hate Slashdot put out about Metro, why would you expect it to be perfect. Honestly, I think you may be thet one person who, despite knowing something about Microsoft and reading Slashdot, expected a good Metro. Rethink your expectations.
I haven't tried Windows Azure, which is the subject matter here...
Neither have I. Windows 8 has been working just fine for me, though, as long as Classic Shell keeps the crappy Metro interface away from me...
As usual, we see the failure of using the closed source model for an operating system. They have to get the users to fund development somehow, so they sell them a shitty version every other time to pay for the real versions, and get the new ideas into the hands of the customers where they can tell them which ones are good and which ones are bad. It can work fine for applications where they can bring out a new version when they're ready, with incremental updates for features or fixes which must and can be hacked on to remain relevant and keep customers from jumping ship, but it's just not a good model for operating systems while the state of the art continues to change so rapidly.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
That's because most programmers suck.
OS X is actually quite compatible. Provided you stick to the public APIs. Do anything funny and yes, things will break. The presence of private headers though makes it way too easy to use a private API to do so something (as part of "get-it-working") that leads to OS version dependency.
Oh yeah, it happens on Windows too. Next time you run Process Explorer, look at the window title for explorer.exe. You'll see it's called "Program Manager". Because despite it being 2013, there are applications that STILL hard code it. Or apparently some apps hardcode resource IDs or DLL export IDs (you normally export by name, but you can export by ID) in their apps, forcing what was one auto-assigned IDs to be hardcoded IDs. (And let's not forget the apps that instead of calling an API to get the user's home directory, program files, or windows directories, they hardcode "C:\Document and Settings", "C:\Program Files" and "C:\Windows", breaking installs on computers that didn't install Windows on C drive, use localized (non-English) Windows, or... use Windows Vista and above. It's why Vista+ have symlinks to C:\Users and various directories within. Or why UAC broke everything in Vista. Or why 64-bit Windows is complex because it has to rename/virtualize C:\Program Files to C:\Program Files (x86) at runtime.
Yes, Windows is great because it's backwards compatible. However, it also makes it extremely crufty with a lot of hacks having to stay in purely because some app needed it. (And I think WinSxS was a partial solution to that) Vista is proof - Microsoft tried a "new start" with it, and broke so many apps that it was Vista being blamed because they got rid of a lot of compatibility cruft.
You are wrong. There is nothing compiled for OSX before 2005 that still works on their most recent OS. The shift to 64 bit is further causing Apple to remove public APIs. Apple has demonstrated again and again they have no commitment to backwards compatibility, and there is nothing you can do as a programmer to avoid it.
"First they came for the slanderers and i said nothing."
Best case, you redefine the PC interface.
Best case? How is completely changing an interface around in any way "good", let alone "best"? I don't fucking want my interface to change at all, unless the changes make the machine much easier to use. From what I read, the changes are all BAD. It is no "best case". What department of Microsoft do you work for, TheRunicBard? Or are you a Windows repairman? If my bread and butter were fixing Microsoft computers and helping Microsoft users I'd certainly love them, because thir OS is fragile as hell and they go out of their way to make it as difficult as possible to use.
It is innovative, no matter how poorly implemented.
Innovative? How? Innovation is not synonymous with "randomly changed for no fucking reason whatever".
The slow adoption numbers can easily be credited to how good Windows 7 is.
Agreed, W7 was the best Windows, which is like pointing to the best Yugo. My two year old notebook runs W7 and it was actually good enough that (out of laziness) I didn't wipe it and put Linux on it. But it lacks many features I really like, features MS has never implimented, and it's starting to get slow -- this morning's almost daily "important update" for the AV made the "radio" (KSHE online) choke for three full minutes. I'm getting more and more of that, it's like the CPU is getting slower and the memory is going away. What's worse, it got really squirrley the other day and I thought I had a harware failuer, but a reboot fixed it, meaning it was NOT hardware.
I now know the reason for Patch Tuesday, it's so you'll reboot your computer monthly and not see how unstable a pile of shit Windows really is.
"Windows Seven -- the best turd Microsoft ever shat!"
It's a shame they can't write a decent, useable OS. It would save me the trouble of installing Linux.
That's because most programmers suck.
So what we need to do is make it illegal for the majority of people to become programmers. It should remain a tiny elite class, a bit like being a Catholic Cardinal, but with less sex.
To have a right to do a thing is not at all the same as to be right in doing it
[ "Azure" is a shade of blue, for those that don't know,
and why MS would go with this kind of name, given their history with things "blue" is beyond me. ]
It must have been something you assimilated. . . .
re: told us that their service, which they want you to make mission-critical, is managed with a process that would make the three stooges weep with uncontrollable laughter.
.
Miscreantsoft has so much money that they can't even afford three stooges; they have to make do with their two stooges that done brung the shit to this party: Gates and Ballmer.
I don't think so. NASA makes almost bug free code with very stringent testing at a cost of $1000 per line of code I believe, so for example Windows 7 which has about 50 million lines of code, would only cost 50 billions, and given the profits of Microsoft that would only take two or three years of their profit.
The main difference being NASA software runs on fixed hardware, but Windows has to support a near infinite variety. So you'd have to certify on an unbelievable number of systems to be sure. Also, even NASA software occasionally has bugs ;-)
No colour or religion ever stopped the bullet from a gun
Oh, you also probably meant "systemic" instead of "systematic." But that aside, how would you go about updating certs on tens of thousands of systems without causing an outage? What major online service have you helped run? It's easy to sit and criticize. It's slightly more difficult to use the proper word choice while doing it (and you're evidence enough of that). It's substantially more difficult to actually run a system with five nines uptime in the real world, and from your comments I suspect you've never contemplated what really goes into that.
My certificate authority sends me nagging emails like 6 weeks before my certificate's about to expire. Microsoft's certificate authority group needs to create a database and automated emails when certificates get near expiration. Start emailing a bunch of folks. It's very simple. Probably most CA's have such a setup.