Another Friday, More Microsoft Security Misstep Disclosures
June 28, 2021
I think Microsoft believes no one works on Friday. I learned in “Microsoft Warns of Continued Attacks by the Nobelium Hacking Group” that SolarWinds is the gift that keeps on giving. Microsoft appears to have mentioned that another group allegedly working for Mr. Putin has been exploiting Microsoft software and systems. Will a “new” Windows 11 and registering via a Microsoft email cure this slight issue? Sure it will, but I am anticipating Microsoft marketing jabber.
The write up states:
The Microsoft Threat Intelligence Center said it’s been tracking recent activity from Nobelium, a Russia-based hacking group best known for the SolarWinds cyber attack of December 2020, and that the group managed to use information gleaned from a Microsoft worker’s device in attacks. Microsoft said it “detected information-stealing malware on a machine belonging to one of our customer support agents with access to basic account information for a small number of our customers” and that “the actor used this information in some cases to launch highly targeted attacks as part of their broader campaign.” The affected customers were notified of the breach.
The applause sign is illuminated.
I spotted this remarkable statement in the write up as well:
It’s possible that successful attacks went unnoticed, but for now it seems Nobelium’s efforts have been ineffective.
Wait, please. There is more. Navigate to “Microsoft Admits to Signing Rootkit Malware in Supply-Chain Fiasco.” This smoothly executed maneuver from the Windows 11 crowd prompted the write up to state:
Microsoft has now confirmed signing a malicious driver being distributed within gaming environments.
This driver, called “Netfilter,” is in fact a rootkit that was observed communicating with Chinese command-and-control (C2) IPs.
The write up concludes:
This particular incident, however, has exposed weaknesses in a legitimate code-signing process, exploited by threat actors to acquire Microsoft-signed code without compromising any certificates.
Amazing. The reason cyber crime is in gold rush mode is due to Microsoft in my opinion. The high tech wizards in Redmond can do rounded corners. Security? Good question.
Stephen E Arnold, June 28, 2021
TikTok: No Risk You Think?
June 28, 2021
I snipped a segment from my most recent lecture about the new Dark Web as this week’s DarkCyber video. More information about the program will appear on Tuesday, June 28, 2021. For now, I want to highlight the “real” news outfit CNBC and its take on TikTok. Remember that TikTok is harmless at least according to one Silicon Valley pundit and aspiring CIA professional.
“TikTok Insiders Say Social Media Company Is Tightly Controlled by Chinese Parent ByteDance” reports as actual factual information instantly doubted by Silicon Valley pundits:
This recruiter, along with four other former employees, told CNBC they’re concerned about the popular social media app’s Chinese parent company, which they say has access to American user data and is actively involved in the Los Angeles company’s decision-making and product development. These people asked to remain anonymous for fear of retribution from the company.
Hey, how about a quote from Jack Ma about the wonderfulness of the Chinese business methodology?
The write up adds:
Most notably, one employee said that ByteDance employees are able to access U.S. user data. This was highlighted in a situation where an American employee working on TikTok needed to get a list of global users, including Americans, who searched for or interacted with a specific type of content — that means users who searched for a specific term or hashtag or liked a particular category of videos. This employee had to reach out to a data team in China in order to access that information. The data the employee received included users’ specific IDs, and they could pull up whatever information TikTok had about those users. This type of situation was confirmed as a common occurrence by a second employee.
If you are interested in the value of data from a mere app, check out the DarkCyber program for June 28, 2021.
Stephen E Arnold, June 28, 2021
Google and Unreliable Results: Like the Jack Benny One Liner, I Am Thinking, I Am Thinking
June 25, 2021
I read a “real” news story called “Google Is Starting to Warn Users When It Doesn’t Have a Reliable Answer.” (No, I will not ask, What’s reliable mean.)
Here’s the statement which snagged my attention in the write up:
“When anybody does a search on Google, we’re trying to show you the most relevant, reliable information we can,” said Danny Sullivan, a public liaison for Google Search. “But we get a lot of things that are entirely new,” Sullivan said the notice isn’t saying that what you’re seeing in search results is right or wrong — but that it’s a changing situation, and more information may come out later.
I think Mr. Sullivan, a former search engine optimization guru and conference organizer, is the “new” Matt Cutts, a Google professional helping to point the way to the digital future at the US government. Is key word packing the path to more patents than China?
I loved this statement which I know is pretty Tasmanian devil like: “Most relevant, reliable information we can.” I did a query for garage floor epoxy coating in Louisville. I gathered about 20 businesses display on the first two pages of Google search results. Two companies were in this business. Others were out of business. One “company” called me back and said, “My loser son has been gone for two years.”
I have other examples as well of search either being out of date, spoofed, or just weird.
Let’s look at some of the reasons why Google made a statement about “reliable answers.”
First, I think the difficulty of providing real-time indexing is beyond three Google capabilities: Outfits with real time content won’t play ball with Google unless Google pays up and works out a mechanism to move the content to a Google indexing queue. (Yep, queue as in long line at the McDonald’s drive through.)
Second, Google is not set up to do real time. I think the notion of having a short list of “must ping frequently sites” may be a hold over from the distant past. The reason? As the cost of indexing, updating, and making the Google indexes “consistent” – some of the practices no longer fit the current iteration of “relevant” and “reliable.” Google is not Twitter, and it is not Facebook. Therefore, the pipelines for real time content simply don’t exist. Googlers tried but seemed to be better at selling ads than dealing with new content types.
Third, hot info appears in non text form on Instagram, TikTok, and even places like DailyMotion and Vimeo sometimes days before the content plops into YouTube. Ever try to locate a video using the creator assigned index terms? That’s an exercise in futility. Ads, gentle reader, not relevant and reliable information.
From my vantage point on the porch overlooking a mine drainage pond, I have some hypotheses:
- Google is under financial pressure, a competitive pressure from Amazon and Facebook, and a legal pressure. Almost any nation state with an appetite to drag the Google into court is in gear.
- Google is just not able to handle the real time flows of content, either textual or imagery. Too bad, but that’s the excitement of Hegel’s these, antithese, synthese which “real” Googlers learn along with search engine optimization marketing methods.
- Google’s propagandistic and jingoistic assurances that it returns relevant and reliable results are more and more widely seen as key word spam.
- Google’s management methods are not tuned for the current business environment. I may be alone in noticing that high school science club thinking and management from assumed superiority is out of favor. (If Sergey Brin were to ride a Russian rocket into space, would he attract more signatures than Jeff Bezos? The quasi referendum did not want Mr. Bezos to return to earth. Mr. Brin’s ride did not materialize, so I won’t know who “won” the most votes.)
Net net: Relevant and reliable. That’s a line worthy of Jack Benny when he is asked about Fred Allen. I give up, “What does ‘reliable’ mean, Googlers?” My suggestion is marketing hoo haa with metatags.
Stephen E Arnold, June 25, 2021
A $2 Trillion Market Cap and Tops at Diversity and Inclusion
June 25, 2021
Forget the Windows 10 (the last version of Windows once). Forget the SolarWinds’ misstep. Forget the complexity of Teams for a consultant used to Zoom. Think about this milestone. Fortune has named the Redmond outfit the big dog in diversity and inclusion.
For a big tech firm, the company is refreshingly free of discrimination-based scandals. Windows Central reports, “Microsoft Tops Fortune 500 Charts for Diversity and Inclusion.” Writer Sean Endicott shares some data from this year’s Fortune 500 report on the subject:
“Fortune and Refinitiv partnered together to gather data and rank organizations based on 14 key metrics, including the percentage of minorities on a company’s board, the percentage of employees that are women, and the percentage of employees with disabilities. This list also includes Measure Up, a ranking of the most progressive companies based on diversity and inclusivity. Microsoft measures well in several key areas. Fortune highlights that it provides day-care services and has an employee resource group voluntarily formed by workers. The company also has targets for diversity and inclusion and policies regarding gender diversity. According to Fortune, 39.7% of Microsoft’s board is made up of racial and ethnic minorities. Overall, Microsoft’s workforce is 49.8% racial or ethnic majorities. 41.3% of managers at Microsoft are racial or ethnic minorities. While Microsoft has positive figures regarding racial and ethnic diversity, it falls behind in gender diversity. According to 2020 data reported by Microsoft, only 28.6% of its employees were women. 26.3% of managers at Microsoft were women in the same timeframe.”
The Windows cheerleaders may see some room for improvement. The write-up reminds us Microsoft makes a habit of emphasizing diversity and inclusion, linking to examples here, here, here, and here. Perhaps Google could learn a thing or two from that company. For example, reduce the management goofs that lead to global awareness of stuff like the Timnit Gebru and ethical AI matter. And Fortune knows a lot about diversity and inclusion, right?
Stephen E Arnold, June 25, 2021
Mitre and Its Mad Ave Inspired Naming
June 25, 2021
I keep a list of neologisms, jargon, and odd ball phrases. Examples include anting (crows which allow ants to clean up the feathery friends of horror movie script writers), industrial athlete (a Bezos bulldozer rah rah for warehouse workers who are sometimes allowed to visit the facilities), and pillbillies (residents of West Virginia and Kentucky who are addicted to opioids). I have others too including AIM (asymmetric information management) which I don’t understand at all.
Now I have a new one: ATT&CK. This is a coinage from a wordsmith at Mitre (the old MIT Research outfit) and its “Engenuity” unit. Those folks are heirs to assorted Boston poets I think. I am not sure what the letters mean, but here’s the explanation in “Tool Lets Users Supplement Mitre ATT&CK Knowledge Base with Their Own Threat Intel”:
Called ATT&CK Workbench, the free and open-source tool was designed to reduce the barriers preventing defenders from aligning their aggregated TTP intel with Mitre ATT&CK’s content. Officially announced today via press release and blog post, Workbench is a creation of Mitre Engenuity’s Center for Threat-Informed Defense, with contributions from Center members AttackIQ, HCA Healthcare, JPMorgan Chase, Microsoft and Verizon.
I want to point out that as far as my DarkCyber research team has been able to determine, exactly none of the threat intelligence outfits alerted their customers to the SolarWinds’ misstep.
I have a buzzword for this in my collection too: Nonperformative. I think this means, “May not work.”
Stephen E Arnold, June 24, 2021
Google: So Darned Useful to Good and Bad Actors
June 25, 2021
Never underestimate hackers’ adaptability and opportunism. E Hacking News reports, “Threat Actors Use Google Drives and Docs to Host Novel Phishing Attacks.” For the first time, security firm Avanan has found, attackers are able to bypass link scanners and other security protections and use Google’s standard document tools to deliver malicious, credential-stealing links. Previously, bad actors have had to lure their victims to a legitimate website in order to exploit its security flaws. Now they can do so right from users’ inboxes. The article cites a recent report from Trend Micro as well as the research from Avanan:
“According to researchers, once the hacker publishes the lure, ‘Google provides a link with embed tags that are meant to be used on forums to render custom content. The attacker does not need the iframe tags and only needs to copy the part with the Google Docs link. This link will now render the full HTML file as intended by the attacker and it will also contain the redirect hyperlink to the actual malicious website.’ The hackers then use the phishing lure to get the victim to ‘Click here to download the document.’ Once the victim clicks, the page redirects to the actual malicious phishing website through a web page designed to mimic the Google Login portal. Friedrich said Avanan researchers also spotted this same attack method used to spoof a DocuSign phishing email. In this case, the ‘View Document’ button was a published Google Docs link that actually was a fake DocuSign login page that would transmit the entered password to an attacker-controlled server via a ‘Log in’ button.”
Stolen login credentials are the most effective way to infiltrate any organization, and with a little social engineering hackers can attract many of them with this approach. It is a good reminder that educated users who do not fall for phishing schemes provide the best protection against such attackers. Alternatively, just download some interesting apps from the Google Play Store.
Cynthia Murrell, June 25, 2021
The Google: EU Action Generates a Meh
June 24, 2021
I read “Europe Is Finally Hitting Google Where It Hurts Most.”
Here’s a passage I found interesting:
The fact that it owns the biggest search engine, video streaming website and e-mail client isn’t the top cause for concern — it’s that the finances of all three are tied together through the ads that pay for them.
Yep, but I would suggest that Google is doing the synergy thing better than most mom and pop outfits.
Here’s another interesting statement:
The problem is that Google holds all of the power. In the auction house analogy, the company is the buyer’s agent, the seller’s agent and often the seller too. It has both the opportunity and incentive to A) overcharge advertisers who have no visibility into the value of competing bids; and B) send more revenue toward its own websites. It can decide to direct my advertising spend towards YouTube, rather than another video site.
I think Google is holding the cards in the online ad game. To make the game more profitable, Google can pull cards from its other data decks. Will the EU try to end the game or just walk out of the Googlegarch’s casino?
Stephen E Arnold, June 24, 2021
Google and Its Engineering Residency: Problem Solved or Is It?
June 24, 2021
I read “Google Drops Engineering Residency after Protests over Inequities.” That means unfair, right? Maybe discriminatory? Nope, more of the good old Google management method in action. Remarkable, but the Google is consistent. Controversy and glitches every which way but loose.
The write up states:
The Google residency, often referred to as “Eng Res,” has since 2014 given graduates from hundreds of schools a chance to work on different teams, receive training and prove themselves for a permanent job over the course of a year. It offered a cohort of peers for bonding, three former residents said. Residents were Google’s “most diverse pool” of software engineers and came “primarily from underrepresented groups,” according to a June 2020 presentation and an accompanying letter to management that one source said over 500 current and former residents signed. Compared with other software engineers, residents received the lowest possible pay for their employment level, a smaller year-end bonus and no stock, creating a compensation deficit “in the mid tens of thousands of dollars,” the presentation said. Nearly all residents converted to regular employees, according to the presentation. Many alumni years later have continued to feel the “negative effect” of their starting pay on their current salary, it said. Google said it worked to eliminate long-term disparities when hiring residents permanently.
Interesting. The protest thing seems to be one way to catch the attention of the president of the digital science club working overtime to deliver quantum supremacy.
Stephen E Arnold, June 24, 2021
AI: Multi Modal Wu Dao
June 24, 2021
Last summer OpenAI’s GPT-3 text generator was the impressive AI of the season, creating passages of text most could not discern from human-penned prose. Now we are told a model out of the Beijing Academy of Artificial Intelligence (BAAI) has surpassed that software. According to Yahoo, “China’s Gigantic Multi-Modal AI is No One-Trick Pony.” The new deep learning model, named Wu Dao, can emulate human writers as well as GPT-3 and then some. Reporter Andrew Tarantola asserts:
“First off, Wu Dao is flat out enormous. It’s been trained on 1.75 trillion parameters (essentially, the model’s self-selected coefficients) which is a full ten times larger than the 175 billion GPT-3 was trained on and 150 billion parameters larger than Google’s Switch Transformers. In order to train a model on this many parameters and do so quickly — Wu Dao 2.0 arrived just three months after version 1.0’s release in March — the BAAI researchers first developed an open-source learning system akin to Google’s Mixture of Experts, dubbed FastMoE. This system, which is operable on PyTorch, enabled the model to be trained both on clusters of supercomputers and conventional GPUs. This gave FastMoE more flexibility than Google’s system since FastMoE doesn’t require proprietary hardware like Google’s TPUs and can therefore run on off-the-shelf hardware — supercomputing clusters notwithstanding. With all that computing power comes a whole bunch of capabilities. Unlike most deep learning models which perform a single task — write copy, generate deep fakes, recognize faces, win at Go — Wu Dao is multi-modal, similar in theory to Facebook’s anti-hatespeech AI or Google’s recently released MUM.”
Tarantola checked out the researchers’ recent demo. While OpenAI taught us that software can now mimic news stories and similar content, Wu Dao takes language further by generating essays, poems, and couplets in traditional Chinese. It can also take clues from static images to write relevant text and can create almost photorealistic images from natural-language descriptions. With the help of Microsoft’s XiaoIce, Wu Dao can also power virtual idols and predict 3D protein structures a la AlphaFold. Talk about use cases from different ends of the spectrum. BAAI chair Dr. Zhang Hongjiang declares the key to AI’s future lies in “big models and a big computer.” Perhaps those models can divine a way to minimize their own power consumption and work without alleged biases toward everyone not in CompSci 410.
Cynthia Murrell, June 24, 2021
Facebook Has a Supreme Court and Now Amazon Has a Legal System
June 24, 2021
Nothing makes me laugh quicker than the antics of big technology high school management methods. I get a hoot out of the Facebook content supreme court. My hunch is that nice lunches are provided. The Amazon jury thing is a knee slapper too. Navigate to “Amazon Organizes Internal Juries to Consider the Final Fate of Employees at Risk of Being Fired.” Note: You will have to pay to read this real news article.
The write up says:
Amazon employees who are close to being fired can plead their case to an internal jury that’s partly selected by the company, according to documents reviewed by Insider and interviews with people familiar with the process. These appeals are part of Pivot, an Amazon performance-improvement program that some employees say is stacked against them.
Well, sure. The write up says:
… Employees are not allowed external legal support, people who have been through the program said. “You go in by yourself not understanding what you’re up against,” one person told Insider. The people spoke on condition of anonymity for fear of retribution from Amazon.
And what if one wins? No job guarantee.
Question: Who from the science club has a date for the prom? Answer: No one.
Stephen E Arnold, June 24, 2021