Masters of the universe

Surprised? I'm not!

It took me some days to understand what happened with the Microsoft key being "stolen". People jumped on the bandwagon shouting the usual "Microsoft is insecure!!1!" mantra. While I agree that a design where multiple customers data can be accessed with a single key is bad, I also believe this design was mandated by the FBI.

I also would not be surprised, like, at all, if all the other Azure services were "suggested" to adopt such a design. This way, a subpoena and puff! Microsoft hands over the requested details.

In this case it was exchange online affected, but I believe that such thing exists also for all the other azure services, and that the various three letter agencies have free access to the related keys.

For anybody thinking that AWS or GCP are more secure on this front: not to worry! They put their master keys in a better safe, so only the good guys have access to them. Just hear the silence coming from all the other cloud providers: nobody says a word, not even to try and win some business from Microsoft. It smells like an attempt to pass without being noticed, in the hope that nobody turns an eye on them.

But believe me. The same thing will happen with all the US-based cloud providers at some point. Those NSA money aren't free.

It's just that it did not happen yet.