
Cyberespionage group stole Microsoft vulnerabilities DB back in 2013

  • October 17, 2017
  • 2 replies
  • 14 views

Jasper_The_Rasper
Moderator
October 17, 2017  By Pierluigi Paganini
 

Another day, another story about a clamorous data breach; this time the Reuters agency revealed that Microsoft suffered a major security breach back in 2013.

 
According to five former employees, hackers broke into the company's vulnerability and bug-report database, but the news was never disclosed.
 
The former employees explained that Microsoft addressed all the vulnerabilities listed in the compromised database within months, so that the vulnerabilities would have had limited exploitation against Microsoft systems in the wild.
 
Full Article.


  • Community Guide
  • October 17, 2017
This breach happened in 2013 and is only now being revealed??? What's wrong with this picture. Microsoft has to be embarrassed for the lack of security.

  • New Voice
  • October 17, 2017
Let me defend Microsoft a bit here even though they are out of my security plans for now. Limit your damage - that is your job. Fix their software - that is their job.
 
IMO our problem in the world is extremism: left/right, good/evil, Microsoft/Apple/Samsung etc. I now believe that if just one person in the world suffers, then all of us suffer. We need more balance and a better world for all of us. The Internet can be for good (communication, trade) or evil (conflict, oppression) and we together will decide which.
 
It is a tricky decision for an enterprise to decide how much information to reveal, especially when there is little to be done or it is a glaringly difficult hole to patch. If a patch fixes something then a quiet news release might be warranted; however, if the entire internet could be compromised, it is not good generally to announce it in the headlines. Sometimes there is no good fix because it has people involved as well. (hysteresis)
 
One of the stupidest comments I heard a CEO say was: we will lay off until problems in the company appear (and boost his salary at the same time) and then hire a couple of people back to be sure we are operating effectively. Those who know of hysteresis will realize immediately there is a problem with this logic. The CEO is not likely to take criticism well. The CEO is never there at 3 in the morning when your computer phoned you and reported an impending problem. No one will see you prevent something from happening on your performance evaluation.
 
I used to tell my team, call me a moron (not in public, but close my door and talk to me), just have facts to back it up. Part of your job (your duty) is to keep me and everyone on the team honest and on the right track: if you see something, say something. Once team members knew that was absolutely true and that I would take the heat from the business for them, they could out-perform other teams dramatically. Politics wastes huge money! The only stipulation was that whatever I said to do, after hearing their argument, they would do immediately, peacefully, and without further question. Do armies or companies run like that anymore? If not, IMO, the internet will break them given time. The world is changing.
 
All hostile military infections constantly test to see if they have been detected. Announcing that you know they are there can impair your ability to respond and study the attackers. This is not a game or something to be ashamed of. The world is in this together or apart (our choice) - sink or swim. If you tip the attackers off, you lose valuable information.
 
I still carry information that I can't say almost 20 years later. That is why integrity, honesty, and the "first do no harm" rules apply. Eventually the corporate politicians will "get you", partly because they are exposed in silly decisions, beating their chest, emotions, and partly because you will make errors only apparent after going down a road. Sometimes you are not above this either. Errors are a good thing if you remember to switch and fix it and soothe your ego. Errors are fixable but emotional arrogance may not be. There is none so blind as he who will not see. Some will quit knowing it's going to break, but they got their share out in time. One actually told me over coffee that he put rogue code in his project and we laughed at how silly things were. (I made a mental note for the future and checked it out!)
 
I was often seen as arrogant (sometimes extreme confidence based on experience is seen as arrogant) but I didn't care; I had a job to do as best I could and took bullets at times for my company. That is what a marine does. In my experience nothing makes more enemies than being shown later on to be right. Some will judge you, but you are in the hot seat and must make a decision affecting many applications and people you have never met.
 
Imagine this: you are responsible for every piece of middleware software for a large company. Security is only one concern; there are upgrades, internal rogue actions, normal patching, rush patching. You never have enough resources because there are not enough resources. Every decision you make could cost you your job. Your enemies turn you into the problem, often by quarterbacking after the fact. You meet weekly on a board of 6 domain specialties that can order 500 webservers updated within a few days, reviewing every threat coming in, its impact, and its proposed solution for your domain.
 
Sometimes there are lots of heated arguments, but those people trade favors and trust each other fully, or it can't possibly work. They know more about the operational business than the VP of IT or some of the division managers, who have an amazingly short shelf life and different goals. They know the skunkworks and who will not do a good job due to sloppiness or enemy action. When parts of your infrastructure fail, you need to respond decisively for the good of the WHOLE company and not for climbing the ladder or profiting. You play the outfield. If the ball gets past you, then it is going to be a home run. So you act to minimize the ball getting past you.
 
Microsoft supports how many millions of good people and a couple of thousand really bad ones? No matter what they do, someone will be really unhappy. Until you have sat in their seat and done that work, I would recommend cutting them some slack. There may be other issues that they can't say.
 
No offense meant. Just some ideas to think a bit differently about security. It is why I said security means never having to say you're sorry (if you did the best you can do).
 
Off my soapbox now.