Google to Microsoft: We Are Trying to Be Helpful

December 16, 2022

Ah, those fun loving alleged monopolies are in the news again. Microsoft — famous in some circles for its interesting approach to security issues — allegedly has an Internet Explorer security problem. Wait! I thought the whole wide world was using Microsoft Edge, the new and improved solution to Web access.

According to “CVE-2022-41128: Type Confusion in Internet Explorer’s JScript9 Engine,” Internet Explorer, after decades of continuous improvement and its nominal replacement by Edge, still has a security vulnerability. Are you still using Internet Explorer? The answer may be, “Sure you are.”

With Internet Explorer following Microsoft Bob down the trail of Microsoft’s most impressive software, the Redmond crowd’s Microsoft Office applications still render some content with bits and pieces of Internet Explorer, which is how a bug in the IE script engine can reach people who never open the browser. Thrilling, right?

Google explains the Microsoft issue this way:

The JIT compiler generates code that will perform a type check on the variable q at the entry of the boom function. The JIT compiler wrongly assumes the type will not change throughout the rest of the function. This assumption is broken when q is changed from d (an Int32Array) to e (an Object). When executing q[0] = 0x42424242, the compiled code still thinks it is dealing with the previous Int32Array and uses the corresponding offsets. In reality, it is writing to wherever e.e points to in the case of a 32-bit process or e.d in the case of a 64-bit process. Based on the patch, the bug seems to lie within a flawed check in GlobOpt::OptArraySrc, one of the optimization phases. GlobOpt::OptArraySrc calls ShouldExpectConventionalArrayIndexValue and based on its return value will (in some cases wrongly) skip some code.

Got that.
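For readers who did not get that, here is a small C model of the bug class the quote describes, added to this post; it is not JScript9 code and not Project Zero’s proof of concept. The names q, d, e and boom follow the quote; the cell layout, the property-slot table and the “guarded” variant are assumptions made for illustration. The point it shows is the one Google makes: a type check hoisted to function entry, followed by a store compiled for Int32Array offsets, writes through whatever the Object’s first property slot points at once q has been swapped.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model, added here; not JScript9 code. A "cell" is a JS value: a
 * runtime type tag plus a pointer to backing storage. For an Int32Array the
 * storage is an int32_t buffer; for a plain Object it is a table of property
 * slots holding pointers (the quote's e.d / e.e). Layout is an assumption. */
enum cell_type { TYPE_INT32ARRAY = 1, TYPE_OBJECT = 2 };

struct cell {
    enum cell_type type;
    unsigned char *storage;
};

/* Hook that runs between the hoisted type check and the store; in the real
 * bug this is where q stops being d (Int32Array) and becomes e (Object). */
typedef void (*side_effect_fn)(struct cell **q, struct cell *e);

static void swap_q_to_e(struct cell **q, struct cell *e) { *q = e; }

/* The machine store the JIT emitted for q[0] = value once the entry check
 * passed: Int32Array element offsets, no re-check of q's type. */
static void jit_int32array_store(struct cell *q, size_t idx, int32_t value) {
    memcpy(q->storage + idx * sizeof value, &value, sizeof value);
}

/* Vulnerable shape: the type check is hoisted to function entry, which the
 * quote says GlobOpt::OptArraySrc wrongly allowed. Returns 0 when the store
 * happened, -1 when the entry check rejected q. */
static int boom_hoisted_check(struct cell *q, struct cell *e, side_effect_fn fx) {
    if (q->type != TYPE_INT32ARRAY) return -1;
    fx(&q, e);                                 /* q may now be the Object e */
    jit_int32array_store(q, 0, 0x42424242);    /* still uses array offsets */
    return 0;
}

/* Hardened shape (conceptual, not Microsoft's patch): a type guard at the
 * use site; returns -2 when it fires instead of storing. */
static int boom_guarded_store(struct cell *q, struct cell *e, side_effect_fn fx) {
    if (q->type != TYPE_INT32ARRAY) return -1;
    fx(&q, e);
    if (q->type != TYPE_INT32ARRAY) return -2; /* bail out: type changed */
    jit_int32array_store(q, 0, 0x42424242);
    return 0;
}

struct outcome {
    int rc;
    uintptr_t prop0_before;   /* e's first property slot before the call */
    uintptr_t prop0_after;    /* ... and after */
};

/* Builds d (Int32Array) and e (Object whose first property points at a
 * dummy target), runs the selected boom() variant with q swapped from d
 * to e in the middle, and reports what happened to e's first property. */
static struct outcome run_scenario(int guarded) {
    static int32_t d_buf[4];
    static uintptr_t e_props[2];
    static int dummy_target = 7;
    struct cell d = { TYPE_INT32ARRAY, (unsigned char *)d_buf };
    struct cell e = { TYPE_OBJECT, (unsigned char *)e_props };
    struct outcome out;

    memset(d_buf, 0, sizeof d_buf);
    e_props[0] = (uintptr_t)&dummy_target;   /* constructed pointer value */
    e_props[1] = 0;
    out.prop0_before = e_props[0];
    out.rc = guarded ? boom_guarded_store(&d, &e, swap_q_to_e)
                     : boom_hoisted_check(&d, &e, swap_q_to_e);
    out.prop0_after = e_props[0];
    return out;
}

int main(void) {
    struct outcome v = run_scenario(0), g = run_scenario(1);
    printf("hoisted check: rc=%d, e.prop0 0x%" PRIxPTR " -> 0x%" PRIxPTR "\n",
           v.rc, v.prop0_before, v.prop0_after);
    printf("guarded store: rc=%d, e.prop0 0x%" PRIxPTR " -> 0x%" PRIxPTR "\n",
           g.rc, g.prop0_before, g.prop0_after);
    return 0;
}
```

On a little-endian 64-bit host the hoisted variant overwrites the low 32 bits of the pointer held in e’s first slot with 0x42424242, which is the controlled corruption the quote describes; the guarded variant notices the type change after the side effect and refuses the store. The real fix, per the quote, was in the optimizer’s decision to skip the check, not in the generated store itself.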

The main idea is that Google is calling attention to the future great online game company’s approach to software engineering. In a word or two, “Poor to poorer.”

My view of the helpful announcement is that Microsoft Certified Professionals will have to explain this problem. Google’s sales team will happily point out this and other flaws in the Microsoft approach to enterprise software.

If you can’t trust a Web browser or remove flawed code from a widely used app, what’s the fix?

Ready for the answer: “Helpful cyber security revelations that make the online ad giant look like a friendly, fluffy Googzilla. Being helpful is the optimal way to conduct business.”

Stephen E Arnold, December 16, 2022

ZincSearch: An Alternative to Elasticsearch

December 16, 2022

Recently launched ZincSearch is an Elasticsearch alternative worth looking into, despite the fact that several features are not yet fully formed. The nascent enterprise search engine promises lower complexity and lower costs. The About Us page describes its edge search and an experimental stateless server that can be scaled horizontally. The home page emphasizes:

“ZincSearch is built for Full Text Search: ZincSearch is a search engine that can be used for any kind of text data. It can be used for logs, metrics, events, and more. It allows you to do full text search among other things. e.g. Send server logs to ZincSearch for them or you can push your application data and provide full text search or you can build a search bar in your application using ZincSearch.

    • Easy to Setup & Operate: ZincSearch provides the easiest way to get started with log capture, search and analysis. It has simple APIs to interact and integrates with leading log forwarders allowing you to get operational in minutes.
    • Low resource requirements: It uses far less CPU and RAM compared to alternatives allowing for lower cost to run. Developers can even run it on their laptops without ever noticing its resource utilization. …
    • Schemaless Indexes: No need to work hard to define schema ahead of time. ZincSearch automatically discovers schema so you can focus on search and analysis.
    • Aggregations: Do faceted search and analyze your data.”

ZincSearch would not attract many conversions if it made migration difficult, so of course it is compatible with the Elasticsearch API. To a point, anyway: the developers are still working on an Elasticsearch-compatible query API. ZincSearch can store data in S3 and MinIO, though that capability is currently in an experimental phase. Sounds promising; we look forward to seeing how ZincSearch looks a year or so from now.

A blog post by ZincSearch creator Prabhat Sharma not only discusses his reasons for making his solution but also gives a useful summary of enterprise search in general. The startup is based in San Francisco.

Cynthia Murrell, December 16, 2022

Apple, the Privacy and Security Outfit, Has a New Spin for Pix

December 16, 2022

In an alarmingly hilarious situation, iCloud users are seeing photos of strangers on their devices. What sounds like a prank actually amounts to a privacy and security risk. XDA Developers investigates what is going on with iCloud in, “iCloud For Windows Users Are Reportedly Seeing Random Family Photos From Strangers.”

People buy Apple products for security and privacy settings that are better than those of Windows PCs. While Apple offers an iCloud app for PC users, the app is not working as well as its fellow Apple products:

“Based on the reports, the corrupted files seemingly revolve around videos shot on iPhone 13 Pro and iPhone 14 Pro models. The footage in some cases is showing a black screen with scan lines. Though, what’s more worrisome is the random content that is showing up for some users. While it’s not confirmed yet, these photos of families, children, and other private moments could potentially belong to other people’s iCloud libraries. If this is the case, then Apple could get in some serious trouble. Unfortunately, deleting the iCloud for Windows app seemingly doesn’t solve this, as the issues are being reflected on the server.”

No one is certain what is causing the bug, but Apple needs to get on the problem. Apple will probably blame the issue on PCs being inept devices, and compatibility between Macs and PCs could indeed be the reason. Apple is not infallible, and here is a lesson in humility.

Whitney Grace, December 16, 2022

Fried Dorsey: Soggy, Not Crispy

December 15, 2022

I noted an odd shift in Big Tech acceptance of responsibility. For now, I will call this the Fried Dorsey Anomaly.

First, CNBC reported about a letter the MIT graduate and top dog at FTX wrote to employees. The article has the snappy title “Here’s the Apology Letter Sam Bankman-Fried Sent to FTX Employees: When Sh—y Things Happen to Us, We All Tend to Make Irrational Decisions.” The logic in this victim argument and the use of a categorical affirmative are probably interesting to someone who loved Psychology 101. Here’s the sentence which caught my eye:

“I lost track of the most important things in the commotion of company growth. I care deeply about you all, and you were my family, and I’m sorry…”

This is the “Fried” side of making or not making certain decisions. Then there’s the apology.

Now let’s shift to the Dorsey facet of the anomaly. The estimable Wall Street Journal published “Dorsey Calls Twitter Controls Too Great.” The write up appeared in the December 15, 2022, dead tree version of the Murdoch output. The online, paywalled article is at this link.  Here’s the statement I noted:

If you want to blame, direct it at me and my actions.

These quotes are somewhat different from the “Senator, thank you for the question” and “We will improve…” statements from what we can think of as the pre-Covid era of Big Tech.

Now we have individuals accepting blame and demonstrating a soupçon of remorse, regret, or some related mental posture.

Thus, the post-Covid era of Big Tech is now into mea culpa suggestions and acceptance of blame.

Will the Fried Dorsey Anomaly persist? Will the tactic work as the penitents anticipate? Wow, I am convinced already.

Stephen E Arnold, December 15, 2022

Juicy Consulting War Stories

December 15, 2022

I have a copy of the collection of war stories which make the what and how of blue chip consulting pretty easy to understand. Of course, if you have been RIFed, reorganized to a suburban office park in Alberta, or found yourself wishing you had paid attention in MBA classes, you don’t need to read the book When McKinsey Comes to Town: The Hidden Influence of the World’s Most Powerful Consulting Firm.

Let me suggest a gloss. Navigate to “In Clover,” an essay by an author who asserts he/she/they worked at Andersen Consulting, later Accenture. You remember the accounting outfit that signed off on the Enron confections. Yeah, that outfit.

The essay contains what I would call baby war stories. Some big blue chip consulting firm names are dropped, not just McKinsey. There is a hint of wild and wooly consulting behavior even a bit of regret. I may be imagining that, but my radar bleeped when I read:

The Andersen Consulting new hires were shipped to a programming boot camp in St Charles, a suburb of Chicago. None of us had cars, so the three weeks there were spent entirely on campus, working overtime, getting blind drunk and secretly snogging one another in the stairwells.

Classy.

But the most interesting passage in the In Clover essay in my opinion is this one:

Thanks to the hegemonic model McKinsey and other management consultants invented, these firms not only make and remake businesses and government in the image of their laissez-faire fantasies, but see homo economicus as the last word in modern selfhood.

Yep. I loved working at Booz, Allen & Hamilton. Hire a blue chip consulting firm and we will try to sell an analysis of your unit to the Board of Directors. Billing is not the spice of life; it is life. Snogging? Not so much.

Stephen E Arnold, December 15, 2022

Hello, Lawmakers in Greece. Have You Heard about Open Source Software?

December 15, 2022

I read a story from an outfit which makes quoting one of the stories risky business. The write up in question is “As Wiretap Claims Rattle Government, Greece Bans Spyware.” The article presents as real news — allegedly the old fashioned kind when newspapers were arbiters of truth via stringers — that Greece outlaws what it calls commercial spyware. For a number of years, I have used the term “intelware” to describe the specialized services and software provided to government agencies by commercial enterprises and open source developers.

The article does the normal handwaving associated with products and services which have been available since the mid 19th century. Those early systems chugged along within products from Bell, Systems Development Corporation, and others. I have found the bland names fascinating. Systems Development Corporation? What could be better? If you read Jill Lepore’s techno-noir history, you will know more than you ever wanted to know about Simulmatics. There’s a descriptive company name for you, right?

What happens when a government bans specialized services and software? Some interesting things; for example, it may be tough to know when warships from a friendly country are converging on a critical island. What if a country on Greece’s border gets frisky with its Soviet era tanks and artillery? The answer is, “License those specialized software and systems. Now!”

In terms of the ban on commercial intelware, what’s Greece going to do with the open source version of Maltego or one of dozens of other tools which can ingest digital content and output useful facts? What happens when one of those open source intelware tools requires an extension of functions?

The answer is to hire a consulting firm, hopefully not one affiliated with a certain jewelry store in Athens, to create bespoke code. Once that’s done, won’t government entities use these tools to protect citizens and monitor potential threats?

The answer is, “You bet your life.” The secret word is “politicians.” I am not sure that Greece’s elected officials or the people reporting on the world of intelware understand the difference between handwaving and getting a particular job done.

And the story? Oh, objective, and an example of publicizing the considered viewpoints of elected officials.

Stephen E Arnold, December 15, 2022

What Does Poor Performer Mean? Loser, Lousy Personnel Processes, or Crawfishing

December 15, 2022

Google is not afraid to fire anyone who ignites controversy within the company related to diversity and women. Sometimes it is not bad press that causes Google to lay off its employees; instead it is the economy. The Daily Hunt reports, “Google Asked Managers To Fire 10,000 ‘Poor Performers’ As Mass Layoffs Hit Tech Sector.”

The US Federal Reserve is raising interest rates, and tech companies that make a large portion of their profits from ads are feeling the pain. Meta, Google, Amazon, Twitter, and more companies are firing workers. Alphabet is telling its managers to lay off all employees who are rated as “poor performers.” The hope is to get rid of at least 10,000 workers, and there might be some subterfuge behind it:

“As per a report from Forbes, Google might even bank on these rankings to avoid paying bonuses and stock grants. Google’s managers have been reportedly asked to categorize 10,000 employees as “poor performers” so that 10,000 people can be fired. Alphabet has a total workforce of 187,000 people, which is one of the largest workforces in tech.”

Google’s workforce is described as bloated, and the company pays its employees 70% more than Microsoft compensates its staff, or 153% when compared with the top twenty big tech companies. Google pays more than its competition to hoard talent and increase its stranglehold on the tech industry.

My thought is that Google is into the lifetime labeling approach to handling RIFed professionals. There’s nothing like a lifetime albatross around the neck of a job seeking Xoogler used to Foosball and snacks.

Whitney Grace, December 15, 2022

Using Microsoft? Lucky You in 2023

December 14, 2022

Several days ago, I had a meeting with an executive representing a financial services firm. In the course of confirming the meeting, the person told me, “We use only Microsoft Teams. Our security group has banned our use of Zoom and other video chat services.”

That’s why I found myself sitting at a sticky table in a coffee shop talking with this executive about a notification procedure which caught my attention. In that meeting, I mentioned that for each email sent to my official email by this person I received a notice that the individual was out of the office until mid-September 2022. Since we were meeting in the first week of December 2022, I found the emails from this person confusing.

I asked, “Why are you sending me an email and when I reply, I receive a notification from your corporate email system which tells me you are out of the office until September 2022.”

The response was, “Really? I will get IT to help me.”

Wow. Really.

Many organizations have embraced Microsoft systems and services. My hunch is that people want to use Excel. With full time employees in corporate information technology departments getting crushed by fixes, user issues, and software which does not do what the IT professional expects, companies want a fix.

Enter the cloud, certified consultants who can arrive like Wonder Woman, and big time engineers from a regional office to make everything work. Perfect. What could go wrong?

I read an article which may be accurate or may be presenting an incomplete report. Let’s proceed assuming that there is a kernel of truth in “Ransomware Discovered Carrying Legitimate Windows Certificates.” The write up states:

Cyber security company Sophos has issued a warning over antivirus-nullifying malware it discovered bearing legitimate digital certificates, including signatures from Microsoft’s own digital verification service.

The drivers, found paired with a ‘loader’ executable that was used to install the driver, carried the digital signature of Windows Hardware Compatibility Program (WHCP), and appeared to be specially designed to limit the functions of endpoint detection and response (EDR) security programs. Code signatures are cryptographic certificates that indicate a program has not been altered since its release by its manufacturer. WHCP signatures are only intended to be given to software that Microsoft has checked over and given its personal seal of approval, and therefore seen as trustworthy files to run by Windows systems. Researchers say that the find shows that threat actors are working harder to move up the ‘trust chain’, employing increasingly sophisticated methods to sign malware with legitimate cryptographic signatures so that it can be installed on systems without detection.

The article is in my opinion content marketing; that is, the information is designed to cause someone to license Sophos technology.

The idea is that bad actors can exploit the systems and methods set up by Microsoft to make certain that its customers’ systems are secure: a driver signed through Microsoft’s own program is exactly what Windows and most security tools are built to trust. People have struggled with getting Windows to print; others have found that Exchange Server (probably the email system which baffled the financial executive) vulnerabilities have caused some sleepless nights.

Several observations are warranted in my view:

  • Microsoft, like Google, is a Leviathan. It is a target, and it may be that the Softies are in over their heads. Perhaps too big to make secure?
  • Users are baffled by fairly simple operations of widely used software. What interesting security issues does this pose? Phishing works for a reason: Users click without thinking.
  • Corporations perceive their decisions to be good ones. The continuing increase in cyber aggression is not something people want to discuss in a meeting of suits, sales professionals, and worker bees.

Net net: Good enough software and systems, PowerPoint presentations from certified partners, and customer cluelessness suggest an exciting 2023. Legitimate Windows Certificates? Oxymoron maybe?

Stephen E Arnold, December 14, 2022

On the Path of a Super App for Crime

December 14, 2022

I know I am in the minority. In fact, I may be the only person in Harrod’s Creek, Kentucky, thinking about Telegram and its technical evolution. From a humble private messaging service, Telegram has become the primary mechanism for armchair experts to keep track of Russia’s special operation, send secret messages, and engage in a range of interesting pursuits. Is it possible to promote and sell CSAM via an encrypted messaging app like Telegram? Okay, that’s a good question.

I noted another Telegram innovation which has become public. “No-SIM Signup, Auto-Delete All Chats, Topics 2.0 and More” explains that a person can sign up for the encrypted messaging service without having a SIM card and its pesky identifiers tagging along. To make sure a message about a special interest remains secret, the service deletes messages on a timer set by the Telegram user. The Telegram group function makes it possible for those who join a group to discuss a “special” interest to break the group up into sub groups. The idea is that a special interest group has special special interests. I will leave these to your imagination in the event you are wondering where some of the i2p and Tor accessible content has gone in the last few years.

As Telegram approaches super app status for certain types of users, keep in mind that even the Telegram emoji have some new tricks. That little pony icon can do much more.

Stephen E Arnold, December 14, 2022

Sisyphus, The EU Has a Job For You

December 14, 2022

I read an article which may be mostly accurate. Its title is “Google Must Delete Search Results about You If They’re Fake, EU Court Rules.” The write up reports:

People in Europe can get Google to delete search results about them if they prove the information is “manifestly inaccurate,” the EU’s top court ruled Thursday [December 8, 2022].

Okay, prove that information is “manifestly inaccurate.”

The article continues:

People who want to scrub inaccurate results from search engines have to provide sufficient proof that what is said about them is false. But it doesn’t have to come from a court case against a publisher, for instance. They have “to provide only evidence that can reasonably be required of [them] to try to find,” the court said.

When legal eagles get into a discussion of what is accurate and what is not accurate, the logic will be fascinating. Then once accuracy has been addressed, the sage birds will deal with the definition of manifestly. You know: What is is?

Justice and billing will be served with word salad.

Stephen E Arnold, December 10, 2022
