The SolarWinds Misstep: Who Else Walked Off the Cliff?
February 2, 2021
“Hack Said to Extend Beyond SolarWinds” is a troubling “real” news story. The idea that bad actors may have gained access to commercial and government servers for more than a year was troubling. According to the write up, the data breach has another dimension:
Close to a third of the victims didn’t run the SolarWinds Corp. software initially considered the main avenue of attack for the hackers…
What was the shared point of vulnerability?
The write up dances around the topic, but DarkCyber believes that Microsoft software is the common factor for the breaches, a fact presented at the end of the article:
Mr. Wales [US government cyber security wizard] said his [Cyber Security and Infrastructure] agency isn’t aware of cloud software other than Microsoft’s targeted in the attack.
The Wall Street Journal article reporting a government official’s public statement is located behind a paywall.
Is Microsoft capable of providing cloud and desktop services which are secure. Will a rock band craft a TikTok video based on a remake of the Platters’ hit song the Great Pretender modified to the Great Defender?
Yes I’m the great defender
Just laughin’ and gay like a clown
I seem to be what I’m not, you see
I’m showing my code like a crown
Pretending that JEDI’s still around.
Apologies to Buck Ram.
Stephen E Arnold, February 2, 2021
Microsoft Security: Perhaps Revenue Does Not Correlate with Providing Security?
February 1, 2021
I want to keep this brief. Microsoft makes money from the sale of security services. “Microsoft CEO Satya Nadella: There Is a Big Crisis Right Now for cybersecurity” reports:
For the first time on Tuesday, Microsoft disclosed revenue from its various security offerings as part of its quarterly earnings — $10 billion over the last 12 months. That amounts to a 40% year-over-year jump in the growing security business, making up roughly 7% of the company’s total revenue for the previous year.
Here’s a fascinating passage:
Microsoft itself was also hacked, though no customer data was breached. A Reuters report indicated that, as part of the hack of the National Telecommunications and Information Agency, Microsoft’s Office 365 software was attacked, allowing the intruders to monitor agency emails for months. Microsoft, however, said at the time that it has identified no vulnerabilities in its cloud or Office software.
Er, what?
I don’t want to rain on this financial parade but The Register, a UK online information service, published “Unsecured Azure Blob Exposed 500,000+ Highly confidential Docs from UK Firm’s CRM Customers.” Furthermore, the Microsoft security services did not spot the SolarWinds’ misstep, which appears to have relied upon Microsoft’s much-loved streaming update service. The euphemism of “supply chain” strikes me as a way to short circuit criticism of a series of technologies which are easily exploited by at least one bad actor involved in the more than 12 month undetected breach of core systems at trivial outfits like US government agencies.
Net net: Generating revenue from security does not correlate with delivering securing or engineering core services to prevent breaches. And what about the failure to detect? Nifty, eh?
The February 9, 2021, DarkCyber video program takes a look at another of Microsoft’s remarkable dance steps related to the SolarWinds’ misstep. Do si do, promenade, and roll away to a half sashay! Ouch. Better watch where you put that expensive shoe.
Stephen E Arnold, February 1, 2021
Old Book Illustrations: No Photoshop or Illustrator, Thank You
February 1, 2021
Here is a useful resource—Old Book Illustrations. The site began as a way for the creators to share pictures from their own collection of Victorian and French Romantic books and grew as they explored other collections online. All images are in the public domain. The site’s About page elaborates:
“Although it would have been possible to considerably broaden the time-frame of our pursuit, we chose to keep our focus on the original period in which we started for reasons pertaining to taste, consistency, and practicality: due to obvious legal restrictions, we had to stay within the limits of the public domain. This explains why there won’t be on this site illustrations first published prior to the 18th century or later than the first quarter of the 20th century. We are not the only image collection on the web, neither will we ever be the largest one. We hope however to be a destination of choice for visitors more particularly interested in Victorian and French Romantic illustrations—we understand French Romanticism in its broadest sense and draw its final line, at least in the realm of book illustration, at the death of Gustave Doré. We also focused our efforts on offering as many different paths and avenues as possible to help you find your way to an illustration, whether you are looking for something specific or browsing randomly. The many links organizing content by artist, language, publisher, date of birth, and more are designed to make searching easier and indecision rewarding.”
The site is well organized and easy to either search or browse is several ways—by artists, publishers, subjects, art techniques, book titles, and formats (portrait, landscape, tondo, or square). There is even a “navigation how-to” if one wants a little help getting started. The site also posts articles like biographies and descriptions of cultural contexts. We recommend checking it out and perhaps bookmarking it for future use.
Cynthia Murrell, February 1, 2021
MIT Report about Deloitte Omits One Useful Item of Information
February 1, 2021
This is not big deal. Big government software project does not work. Yo, anyone remember DCGS, the Obama era health site, the reinvigoration of the IRS systems, et al? Guess not. The outfit which accepted money from Mr. Epstein and is now explaining how a faculty member could possibly be ensnared in an international intellectual incident is now putting Deloitte in its place.
Yeah, okay. A blue chip outfit takes a job and – surprise – the software does not work. Who is the bad actor? The group which wrote the statement of work, the COTR, the assorted government and Deloitte professionals trying to make government software super duper? Why not toss in the 18F, the Googler involved in government digitization, and the nifty oversight board for the CDC itself?
The write up “What Went Wrong with America’s $44 Million Vaccine Data System?” analyzes this all-too-common standard operating result from big technology projects. I noted:
So early in the pandemic, the CDC outlined the need for a system that could handle a mass vaccination campaign, once shots were approved. It wanted to streamline the whole thing: sign-ups, scheduling, inventory tracking, and immunization reporting. In May, it gave the task to consulting company Deloitte, a huge federal contractor, with a $16 million no-bid contract to manage “Covid-19 vaccine distribution and administration tracking.” In December, Deloitte snagged another $28 million for the project, again with no competition. The contract specifies that the award could go as high as $32 million, leaving taxpayers with a bill between $44 and $48 million. Why was Deloitte awarded the project on a no-bid basis? The contracts claim the company was the only “responsible source” to build the tool.
Yep, the fault was the procurement process. That’s a surprise?
The MIT write up relishes its insights about government procurement; for example:
“Nobody wants to hear about it, because it sounds really complicated and boring, but the more you unpeel the onion of why all government systems suck, the more you realize it’s the procurement process,” says Hana Schank, the director of strategy for public-interest technology at the think tank New America. The explanation for how Deloitte could be the only approved source for a product like VAMS, despite having no direct experience in the field, comes down to onerous federal contracting requirements, Schank says. They often require a company to have a long history of federal contracts, which blocks smaller or newer companies that might be a better fit for the task.
And the fix? None offered. That’s helpful.
There is one item of information missing from the write up; specifically the answer to this question:
How many graduates of MIT worked on this project?
My hunch is that the culprit begins with the education and expertise of the individuals involved. The US government procurement process is a challenge, but aren’t institutions training the people in consulting firms and working government agencies supposed to recognize a problem and provide an education to remediate the issue. Sure, it takes time, but government procurement has been a tangle for decades, yet outfits like MIT are eager to ignore the responsibility they have to turn out graduates who solve problems, not create them.
Now about that Epstein and Chinese alleged double dipping thing? Oh, right. Not our job?
Consistent, just like government procurement processes it seems to me.
Stephen E Arnold, February 1, 2021
Dashboards Evil? Worth a Thought. Nah, Just Take What Is Output
February 1, 2021
Business intelligence (BI) is jargon for the technologies and strategies used to manage business data analytics. It is a fancy term for standard operating procedures and looks good on a resume, but one IT CEO wants to make it obsolete. Diginomica discusses how BI could head to the recycling bin in the article: “ThoughtSpot CEO-‘I Want To Kill BI And I Want All Dashboards To Die.’”
COVID-19 has changed global business practices and technology experts spent 2020 investigating ways to aggregate business data. ThoughtSpot CEO Sudheesh Nair explained in the article that traditional aggregation patterns do not apply anymore and companies need to change in order to maintain their customers. Nair believes his ThoughtSpot platform, described as ‘Google for numbers,’ will deliver key insights the same way Google provides information.
Nair pointed out that opinions are easily accessible via a Google search, but facts are harder to find in the endless search results. Nair wants his ThoughSpot platform to make facts as easily accessible as opinions. ThoughtSpot combines hardened facts with a NLP interface to make finding facts easier, think Windows 95 versus the old command land interface:
“ThoughtSpot does this by allowing users to search enterprise data with hyper-personalized questions using natural language processing. It aims to not only give a result for the question you ask, but then also uses AI to offer up alternative questions and results that may be helpful. This is very different to traditional BI, which typically offers you a template for which to present historical, aggregate data.”
In other words, Nair wants to sift the information noise from facts. Today’s BI dashboards offer a plethora of information, but lack personalization notes that could win new customers and retain older ones.
ThoughtSpot will supposedly combine old data with new data to push out BI dashboards and create a new data analytics space for businesses. Nair’s description of ThoughtSpot is an interesting pitch, but it sounds more like a new way to search information. Instead of explaining how ThoughtSpot works it would be better to offer demonstrations of its capabilities.
But thinking? Not the core competency of the thumb typing generations.
Whitney Grace, February 1, 2021
Microsoft: Maybe Quantum Computing Can Help Out Defender?
February 1, 2021
The February 9, DarkCyber video news program contains a short item about Microsoft’s January 20, 2021, explanation of the SolarWinds’ misstep. Spoiler: Hey, Microsoft was not responsible. If you are interested in the MSFT explanation with some remarkable self promotion for its security prowess, navigate to this link. But to the matter at hand. Microsoft security will no doubt benefit from its latest technical innovation. “Microsoft Claims Breakthrough in Quantum Computing” reports:
This [MSFT and University of Sydney] team has developed a cryogenic quantum control platform that uses specialized CMOS circuits to take digital inputs and generate many parallel qubit control signals. The chip that powers this control platform is called Gooseberry.
Does this beg the inclusion of the Intel Horse Feathers — no, strike that — Intel Horse Ridge technology?
The write up continues:
There’s no doubt that both Gooseberry and the cryo-compute core represent big steps forward for quantum computing, and having these concepts peer-reviewed and validated by other scientists is another leap ahead.
I hope the technology innovators surge ahead to apply the “breakthrough” to the Redmond giant’s security for Azure and Windows 10, which of course were not the SolarWinds’ problem. The gilded lily language “supply chain” was maybe, a little, sort of tangentially involved.
Supply chain? Gooseberries and horse feathers perhaps?
Stephen E Arnold, February
-
- Subscribe to Beyond Search
Feature archive
News archive
-
