The Doomsday Microsoft Government Email Data Breach
By Duane Thresher, Ph.D.
February 22, 2021
As Apscitu has been warning for years, since its inception,
particularly through Stop IT Incompetence, the IT Incompetents
Hall Of Shame (Government, Business, and Media), and Apscitu Mail,
there has been a doomsday data breach of the federal
government's email and (then) networks, and this was due to
government IT incompetence, not the supposedly sophisticated
foreign government hackers. This doomsday data breach was
finally admitted to by the federal government starting in
December 2020 and continuing, but may have been going on
undetected for many months or even years and may still be
going on undetected.
Those who have even a clue about this data breach, which
doesn't include the media, are calling it the most massive
— and not just yet another most massive — (thus worst) data breach in
history, whose vast effects will be the major national
security risk for many years into the future, if the United
States survives it at all; hence "doomsday data breach".
Numerous national security critical federal government
departments and agencies have been hacked, including but not
limited to: the Department of Defense (DOD), which includes
the National Security Agency (NSA); the Department of Homeland Security
(DHS), which includes Customs and Border Protection (CBP), the
Transportation Security Administration (TSA), the Federal
Emergency Management Agency (FEMA), the Cybersecurity and
Infrastructure Security Agency (CISA), and the Secret Service;
the Department of Energy (DOE), which is responsible for
nuclear safety; the Department of State, which is responsible
for dealing with foreign
governments; the Department of the Treasury, which is
responsible for the currency and includes the Internal Revenue
Service (IRS); the Department of Transportation (DOT), which
includes the Federal Aviation Administration (FAA); the
Department of Agriculture (USDA), which includes the Food
Safety and Inspection Service (FSIS); the Department of Health
and Human Services (HHS), which includes the Centers for
Disease Control (CDC) and the Food and Drug Administration
(FDA); the Department of Justice (DOJ), which includes the
Federal Bureau of Investigation (FBI); and the entire judicial
branch of the federal government, which includes the Supreme
Court.
The doomsday data breach was caused by IT incompetent
foreign-run Microsoft, which has quietly become inherent in
government IT, particularly via Microsoft's email, Outlook, in
all its various guises.
If you've heard of this doomsday data breach at all, given the
IT incompetence of the media, you've probably heard it
referred to as the SolarWinds data breach. SolarWinds is an
IT incompetent business that makes Orion, which is network
monitoring software that is widely used in government,
including the NSA. Network monitoring software is the primary
way to detect hackers — for example, by looking for
large downloads of stolen data — so if the network
monitoring software itself is hacked then the hackers can't be
detected. Moreover, since network monitoring software has to
have access to the entire network being monitored, it can be
used to hack into that entire network. In short, a hacker's
dream.
The hackers hacked SolarWinds's Orion network monitoring
software by hacking the software's build system, i.e. how the
software and its updates are made (compiling, etc.) before
being delivered to customers. To make matters worse,
SolarWinds advised customers — much of the federal
government — to turn off their antivirus software before
installing their Orion software. Again, a hacker's
dream.
The hackers hacked the build system of SolarWinds's Orion
network monitoring software by hacking SolarWinds's Microsoft
email — for example, many services use email login
authentication as their login authentication — just like
they did to many departments and agencies of the federal
government, who also use Microsoft email.
So for many months and possibly years, hackers had, and may
still have, undetected access to both the email and networks
of the national security critical departments and agencies of
the federal government, including the NSA (whether they admit
it or not). From the hacked department and agency list given
in the introduction, it should be clear why this was the
doomsday data breach.
Microsoft email is a notoriously insecure email client and
email service, both now named "Outlook" in some form. The
Microsoft email client is just named Outlook and has been
included in Microsoft Office (97, 2000, XP, 2003, 2007, 2010,
2013, 2016, 2019) since the 1990s — given its
increasing notoriety, more quietly included in later years
— right up to Microsoft Office 365, today's web app
version of Office. Outlook.com is the free webmail version of
Microsoft's email service, which started as the notorious
Hotmail (similar in notoriety to Verizon's Yahoo! Mail).
"Outlook on the web" is the business webmail
version of this and part of Office 365.
In addition to Outlook email being notoriously insecure to
hackers, Microsoft made an extensive and vigorous effort to
provide built-in easy access to Outlook email to the NSA
— and thus the CIA, FBI, etc. — as proven by
documents stolen from the NSA and CIA when they were hacked by
Edward Snowden (in what was then called the worst data breach in
history). While Microsoft advertised to the public that it
was going to use encryption in Outlook, to counter Outlook's
terrible security reputation, Microsoft was secretly
conspiring with the NSA and FBI to make sure they could get
around this encryption. And if they can get around this
encryption, other hackers can get around this
encryption.
(As it says in the Legal Notes section of the About Apscitu Law
page on the Apscitu Law website: "Apscitu
Mail does not and will not allow built-in easy access by the
NSA (and so the FBI, CIA, etc.) to Apscitu Mail email server
computers. All demands for access to Apscitu Mail email
server computers will be fought in court. A precedent case
for this is long overdue and I am willing to do
this.")
I have experience — bad — with most of the
versions of Outlook. Most recently, my alum.mit.edu email
account is now an Office 365 "Outlook on the web" account; I
access its webmail at outlook.office.com. This account was
hacked by a leftist lawyer, Jason Baletsa, at MIT and is the
subject of a lawsuit and a national security investigation,
since MIT is a major defense contractor. (You can use this
account for authenticating me but don't send sensitive
information through it; see Apscitu's Secure Contact page.)
By doing a Domain Name System (DNS) lookup and examining the
name of the associated email server, it is sometimes possible
to tell from the domain of a government email address
(e.g. @dhs.gov) whether it is using Microsoft Outlook email.
I research government email extensively and know from this
that the following federal government departments and agencies
use Microsoft Outlook email: the Department of Homeland
Security (@dhs.gov), the Federal Election Commission
(@fec.gov), the United States Postal Service (@usps.gov), the
Department of
Transportation (@dot.gov), the Department of Agriculture
(@usda.gov), the Department of Education (@ed.gov), and the
Department of Housing and Urban Development (@hud.gov). Of
these, those not listed in the introduction and/or not having
admitted to having been hacked may indeed have been hacked as
well.
(Other federal government departments and agencies use Google
and Proofpoint email, which are their own major security
risks; see Google: Invasion of the Email Snatchers and
Proofpoint Investigation: Fraud and Government Email Tampering.)
Unfortunately, it's not always possible to tell from the
domain of a government email address whether it is using
Microsoft Outlook email, and government will often not even
give out the email addresses they really use; see FOIA:
That's Some Exemption, That Exemption 6. This is the case
for the Department of the Treasury, which in the doomsday data
breach was one of the first federal government departments to
admit it had Microsoft Outlook email, had been hacked, and had
had its high-level emails secretly read by hackers for many
months or even years.
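
The DNS check described above, as an added example (not code from this article or from Apscitu): it parses the output of `dig +short MX <domain>` and classifies the mail host by its DNS suffix. The suffix table and the sample records are illustrative assumptions, and a filtering gateway or unrecognised host is reported as inconclusive, which is the "not always possible to tell" case.

```python
# Added example: infer a domain's mail provider from its MX records.
# The suffix table is illustrative, not exhaustive; all sample records are constructed.
PROVIDER_SUFFIXES = {
    # MX host suffix: (provider label, True if it is only a filtering gateway)
    ".mail.protection.outlook.com": ("Microsoft 365", False),
    ".google.com": ("Google", False),
    ".googlemail.com": ("Google", False),
    ".pphosted.com": ("Proofpoint", True),
}

def parse_mx(dig_output):
    """Parse `dig +short MX` lines ("<pref> <host>.") into sorted (pref, host) pairs."""
    records = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            records.append((int(parts[0]), parts[1].rstrip(".").lower()))
    return sorted(records)

def classify_host(host):
    """Match on the full DNS suffix so look-alike names do not match."""
    for suffix, result in PROVIDER_SUFFIXES.items():
        if host.endswith(suffix):
            return result
    return ("unknown", False)

def classify_domain(dig_output):
    """Return (providers, conclusive). conclusive is False whenever the MX
    records cannot show where the mailboxes actually live."""
    records = parse_mx(dig_output)
    if not records:
        return ([], False)                            # no MX data at all
    if records == [(0, "")]:
        return (["null MX (accepts no mail)"], True)  # RFC 7505 record "0 ."
    seen = [classify_host(host) for _, host in records]
    providers = sorted({name for name, _ in seen})
    gateway = any(is_gw for _, is_gw in seen)
    conclusive = len(providers) == 1 and providers != ["unknown"] and not gateway
    return (providers, conclusive)

# Constructed `dig +short MX` outputs (hypothetical domains, not real lookups).
SAMPLE_M365 = "0 agency-example.mail.protection.outlook.com.\n"
SAMPLE_GATEWAY = "10 mxa-0000.gslb.pphosted.com.\n10 mxb-0000.gslb.pphosted.com.\n"
SAMPLE_LOOKALIKE = "5 mail.protection.outlook.com.agency.example.\n"

if __name__ == "__main__":
    for sample in (SAMPLE_M365, SAMPLE_GATEWAY, SAMPLE_LOOKALIKE):
        print(classify_domain(sample))
```
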
It's obvious from Stop IT Incompetence and the IT Incompetents
Hall Of Shame that the government is too IT incompetent to do
its own email, but it's even too IT incompetent to outsource
its email; see the IT Hiring articles in Principles of IT
Incompetence. With just a little knowledge of IT and
Microsoft, the federal government would have known not to
outsource their email to them.
Like Dell, Microsoft long ago realized it was more profitable and far
easier to sell to government than individuals, because
individuals are careful about how much they pay and complain
about poor quality — i.e. incompetence — unlike
government. And Microsoft has had longer than other
companies, like Dell or Google, to insinuate itself in
government, and learn to keep quiet about it. Once inherent
in government, Microsoft was able to keep a low profile even
when it was also implicated, as described above, in what the
NSA was doing in collusion with high-profile companies like
Google and Facebook.
Microsoft software — e.g. Windows, including its
notorious web browser Internet Explorer (now renamed Edge),
and Office, including Outlook email — has always been a
security nightmare. Microsoft claims it only seems this way
because they are the largest software company so are targeted
by hackers the most, but hackers would stop targeting them if
it was at all difficult to succeed. No, as strange as it may
seem on the face of it, Microsoft is IT incompetent; Microsoft
is successful for non-IT reasons, like unfair competition,
working for the government, etc. If you are IT knowledgeable
and have a lot of experience with Microsoft software, as I do,
you will know Microsoft is IT incompetent all too painfully
well.
Bill Gates, a founder and former CEO of
Microsoft and no IT expert himself — he was a pre-law
major in college and dropped out after two years — loves
India (giving away a lot of his taxpayer-provided wealth to
it) and hired a lot of cheap IT incompetent programmers from
there, skirting U.S. immigration laws (e.g. H-1B visas) to do
so, as well as outsourcing a lot of programming to India, home
of cheap IT incompetent programmers. See No IT Education:
Foreigners and IT Hiring: Foreigners in Principles of IT
Incompetence.
Finally, Bill Gates made the CEO of Microsoft a cheap IT
incompetent programmer from India.
Satya Nadella has been CEO of Microsoft since
2014. He was born, raised, and educated in India and did not
come to the U.S. until he was 22. Nadella got his bachelor's
in electrical engineering from the Manipal Institute of
Technology in India. He then came to the U.S. and got a
master's in computer science from the University of Wisconsin
– Milwaukee.
As I say a lot — e.g. The Most Important IT Credential: An IT
Education in Principles of IT Incompetence — an IT expert
should ideally have
degrees in both electrical engineering and computer science
... from good universities.
The Manipal Institute of Technology is way, way down at #1056
in Best Global Universities according to U.S. News, the
premier college ranker. Satya Nadella probably deceitfully
put on his Microsoft application that he was from "MIT", since
this is an abbreviation for Manipal Institute of Technology,
but of course to everyone else, particularly Microsoft, "MIT"
means the top-rated Massachusetts Institute of Technology,
where I got my degree in
Electrical Engineering and Computer Science.
The University of Wisconsin – Milwaukee is in the bottom
25% of Best National Universities according to U.S. News.
It's essentially just a glorified community college
(see No IT Education: For-Profit and Community Colleges in
Principles of IT Incompetence); for example, it accepts over 95% of
those who apply, basically anyone.
Of course, with its CEO now being a cheap IT incompetent
programmer from India, Microsoft hires even more cheap IT
incompetent programmers from India.
Foreigners doing IT for the federal government is an obvious
inherent national security risk; see IT Hiring: Foreigners in
Principles of IT Incompetence and all the foreigners in the
IT Incompetents Hall Of Shame. In fact, it is clear that the doomsday
data breach was done by foreign hackers, although to avoid
detection their command-and-control hacking servers were
domestic cloud computers provided by ... wait for it
... Microsoft (as well as GoDaddy and Amazon).
Satya Nadella was head (executive vice president) of
Microsoft's cloud computing division before he became CEO of
Microsoft.
As part of their effort to hide their IT incompetence,
government is calling, like they always deceitfully do, the
doomsday data breach a "sophisticated" hacking — see Data
Breaches on Stop IT Incompetence — done, as supposedly only
such a "sophisticated"
hacking could be, by a foreign government. Whether Russia or
China is blamed depends not on any real evidence but only on
the particular government official and what country he/she has
business ties with (the other country is then blamed). Even
if the hackers are Russia or China, the U.S. tries to do the
same to them and can only complain that it is too IT
incompetent to defend itself.
But given the Microsoft connection described and other
evidence, the hackers may have been from India. One of the
most effective hacking methods is "spear phishing", which is
emailing particular important people and tricking them into
giving up passwords by using their personal information to
lull them into believing the hackers are someone they know,
like their system administrators. India already knows the
names, addresses, telephone numbers, credit card info,
purchase histories, etc. — and possibly much more, like
spouses, children, jobs, incomes, Social Security numbers,
credit ratings, medical histories, etc. — of many Americans,
including those in government, from being customer service for
many American businesses (and other organizations),
particularly Amazon.