It's more involved than that - the US national is the person who has control of the keyboard, the non US national views the screen share and instructs them what to do.

> “If someone ran a script called ‘fix_servers.sh’ but it actually did something malicious then [escorts] would have no idea,” Matthew Erickson, a former Microsoft engineer who worked on the escort system

It sounds like you may have additional context or perspective, which makes me curious about the scope of "instructs." For example, I can imagine that the deployment sources of the public and Government clouds infrastructure are different, such that a bug fix on the shared base may need to be merged between these two branches. If a foreign national made the fix for the public version and then provided the expertise of resolving merge conflicts when applying it to the Government version, it presents an opportunity for subtle abuse unless the change is either further audited by the keyboard operator or another engineer before the merge result lands or is deployed.

Generally it's used for fixing corrupt deployments / debugging / deploying.

As far at I'm aware, there isn't a separate code base.

In general, you can't share scripts / executables via this mechanism - that's done via code review and deployment.

You could get an operator to run a script in a malicious way, but it'd need pre-written to include the malicious behaviour.

That's not really what the article supposes unless I missed something, or do you have a different source? Hilarious if true.

Edit: yes it does, I just didn't read it all the way.

Maybe it isn't displaying on mobile or something, but there's a grey box in the article that shows step-by-step what happens.

> A Microsoft engineer in China files an online “ticket” to take on the work.

> A U.S.-based escort picks up the ticket.

> The engineer and the escort meet on the Microsoft Teams conferencing platform.

> The engineer sends computer commands to the U.S. escort, presenting an opportunity to insert malicious code.

> The escort, who may not have advanced technical expertise, inputs the commands into the federal cloud system.

I didn't read the article all the way through apparently.

Makes sense, but it really does seems like a silly way to work around the security policies.

It's cost saving exercise. Microsoft does not have to hired skilled US Citizen workers who command higher salary and can use cheaper labor in both US citizen and overseas worker.

Basically, stockholders get another yacht, national security gets screwed.