Microsoft and Games: A Different Take

January 19, 2022

I have been monitoring the breathless write ups about Microsoft responding like a good digital soldier in Call of Duty. The news hits the cash deal for more than $65 billion in cash. There are signals from the incredibly efficient government machinery that acquisitions will be subject to scrutiny, rules, and maybe more upfront testimony. I love these preambles: “Senator, thank you for the question.” Then the crystal clear responses. Thrilling.

What’s Microsoft itself say? Here’s one example: “Microsoft to Acquire Activation Blizzard to Bring the Joy and Community of Gaming to Everyone, Across Every Device.” The words that caught my eye were the names of the company. Those entities evoke thoughts of the antics of gamers in articles like “Activision Fires More People in Sexual Harassment Probe” and “California Sues Activision Blizzard, Alleging Culture of Sexual Harassment.” Perhaps these are allegations, but the message seems clear. Then there are strategic notions like this one from Inc. Magazine’s “1 Word Explains the Biggest Challenge Facing Microsoft’s $68.7 Billion Acquisition of Activision Blizzard”:

The goal is to feed the company’s Game Pass strategy, which has failed to gain traction among developers who aren’t particularly excited about handing over their flagship properties to a subscription service when they can easily command $50 or $60 apiece. Microsoft wants to let users pay $15 a month to play any game.

We have big money, sexual harassment matters, developers, gamers, and a reorganization.

My view is different.

Think back to late 2020 when news of the SolarWinds’ supply chain misstep circulated. FireEye (now part of Norton and renamed Trellix) reported the fact that a vaunted cyber security outfit (namely FireEye itself) was compromised. In short order, security professionals issued Emergency Directives like 21-02, tried to figure out what happened, and how many entities were compromised. Microsoft suggested that the issue was a result of 1,000 programmers beavering away in Eastern Europe. Rumors surfaced that the SolarWinds’ misstep had taken place months, possibly more than a year, before the FireEye announcement in December 2021. Public disclosures about breaches appear after lawyers and public relations professionals wordsmith. How long does this take? It varies in my experience. “Troubling Trend: It Takes Nine Months to Detect and Respond to a Cyberattack” makes clear that breaches have been implemented and performing the stipulated tasks for a considerable period of time.

Many pundits, consulting firms, investment outfits, and even SolarWinds itself realized that a certain large software company’s systems and methods were the surf board the bad actors were riding across the flows of digital data.

How do some individuals and companies respond when one subject — in this case, questionable engineering, insecure systems, and a snappy security breach that left US government agencies wondering who was pawing around in their allegedly secure servers — dominated the headlines.

My view was that a distraction was needed. What was that distraction? I interpreted the launch of what is known as Windows 11 was that distraction. Pundits took the red herring and gnawed. Familiar functions were suddenly unfamiliar. The October 2021 release of Windows 11 caught some people by surprise. Hello, Windows watchers working for Leo LaPorte and the TWIT TV operation.

My view was that Windows 11 was pushed out in order to create a point of discussion of some magnitude. My view is that chatter about Windows 11 would help mute the conversation about Microsoft security and its engineering practices.

Did it work? Sort of.

What’s up with the big news about the Activision Blizzard deal is that it looks to me like another distraction. Sure, one can make a business case about games, the metaverse, and the need for adult supervision of a gamer outfit. (This is interesting in light of Microsoft’s new found interest in alleged dalliances among the Softies.)

My take, which I admit is contrarian, is that Microsoft is using what looks like a major, super deal to focus attention on matters other than the security of Azure, Exchange, and even kicked to the kerb Word application.

Many arguments can be raised to point out that Microsoft’s senior management is not trying to distract anyone from anything. Windows 11 shipping without Android app functionality is just one of those things. Buying a game outfit saddled with some potentially costly legal allegations is just a bold move.

For me, Microsoft is using a magician’s method. Get the audience looking away from the nimble fingers palming a card or removing a divider so a rabbit can be pulled from a hat.

Why? My view is that the security issues remain is certain important Microsoft software systems. How did 2022 begin? “Microsoft Kicks Off 2022 With 96 Security Patches” explains that 89 of these were important. And what about virtual private network support? Oh, right, fixed now. And what about Windows Server vulnerabilities. There are fixes now for the issues created with those January patches. For details see “Microsoft Rolls Out Emergency Updates for Windows Server and VPN Bugs.”

But let’s talk about games, shall we? No, I would prefer to ask, “Why not apply those Microsoft billions toward addressing security issues?”

Stephen E Arnold, January 19, 2022

Microsoft: Putting Teeth on Edge

January 11, 2022

Usually a basic press release for an update to Microsoft receives little discussion, but OS News recently posted a small quip: “Update For Windows 10 And 11 Blocks Default Browser Redirect, But There Is a Workaround” and users left testy comments. The sting fighting words were:

“It seems that Microsoft has quietly backported the block, introduced a month ago in a Dev build of Windows 11, on tools like EdgeDeflector and browsers from being the true default browser in Windows 10, with the change being implemented in Windows 11 too. Starting from KB5008212, which was installed on all supported versions of Windows 10 yesterday with Patch Tuesday, it is no longer possible to select EdgeDeflector as the default MICROSOFT-EDGE protocol.”

Followed by this sarcastic line: “They spent engineering resources on this.”

Users were upset because it meant Microsoft blocked other Web browsers from becoming a system’s default. It is a corporate strategy to normalize anti-competitive restrictions, but there are users who defended Microsoft’s move. They stated that blocking other Web browsers protected vulnerable users, like the elderly, from accidentally downloading malware and adware.

The comments then turned into an argument between tech-savvy experts and the regular users who do not know jack about technology. The discussion ended with semi-agreement that users need protection from freeware that forcefully changes a system, but ultimately users have the choice on their system settings.

In the end, the comments shifted to why Microsoft wants Edge to be the system default: money and deflecting attention from its interesting approaches to security.

Whitney Grace, January 11, 2022

Windows 11: Loved and Wanted? Sure As Long As No One Thinks about MSFT Security Challenges

January 10, 2022

I hold the opinion that the release of Windows 11 was a red herring. How does one get the tech pundits, podcasters, and bloggers to write about something other than SolarWinds, Exchange, etc.? The answer from my point of view was to release the mostly odd Windows 10 refresh.

Few in my circle agreed with me. One of my team installed Windows 11 on one of our machines and exclaimed, “I’m feeling it.” Okay, I’m not. No Android app support, round corners, and like it, dude, you must use Google Chrome, err, I mean Credge.

I read “Only 0.21%, Almost No One Wants to Upgrade Windows 11.” Sure, the headline is confusing, but let’s look at the data. I believe everything backed by statistical procedures practiced by an art history major whose previous work experience includes taking orders at Five Guys.

The write up states:

According to the latest research by IT asset management company Lansweeper, although Windows 10 users can update Windows 11 for free, it is currently only 0.21%. Of PC users are running Windows 11.

I am not sure what this follow on construction means:

At present, Windows 11 is very good. Probably the operating system with the least proportion.

I think the idea is that people are not turning cartwheels over Windows 11. Wasn’t Windows 10 supposed to be the last version of Windows?

I am going to stick with my hypothesis that Windows 11 was pushed out the door, surprising Windows experts with allegedly “insider knowledge” about what Microsoft was going to do. The objective was to deflect attention from Microsoft’s significant security challenges.

Those challenges have been made a little more significant with Bleeping Computer’s report “Microsoft Code Sign Check Bypassed to Drop Zloader.”

Is it time for Windows 12, removing Paint, and charging extra for Notepad?

Possibly.

Stephen E Arnold, January 10, 2022

The Value of Turning Off Malware Scanning: Allow Exchange to Function?

January 1, 2022

Happy New Year. Problems with Microsoft Exchange 2019? The fix is quite special and you can get  some suggestions for getting mail working again from Reddit’s sysadmin forum. Try this link to learn how to by pass the malware engine. The trick is to disable malware scanning or use the bypass method described in the Reddit post.

Several thoughts:

  1. Useful issue for computer science classes in certain countries unfriendly toward the US to explore
  2. There is room for improvement in Microsoft software quality control processes
  3. This Microsoft Exchange issue matches nicely with netlogon and no-auth exchange RCE missteps.

Here’s the link to the fix: https://bit.ly/3FPNBYc

Outstanding work, Microsoft.

PS. The Register added another MSFT Happy New Year in its post “Going Round in Circles with Windows in Singapore.” There is an illustration of the helpful, detailed, extremely useful error notification. Outstanding work, price war cloud people called Redmondians.

Stephen E Arnold, January 1, 2022

Microsoft Security? Just Super Duper

December 31, 2021

I installed software on one of my test machines. Windows’ Defender tool told me I had malware. Not true. To see what would happen, I clicked the offered Defender button and Windows killed a program from a developer doing business as Chris-PC. Helpful? You bet.

I mention this because I think I am the only person in Harrod’s Creek who believes that the Windows 11 release was a way to distract people from Microsoft’s security challenges. I like words like “challenges” and “misstep” because “dumpster fire” is too colorful and “disaster” has been overused.

What’s up with Microsoft security challenges as we creep toward what will be a banner year for some actors? How about these two news stories?

First, we have “Microsoft Teams Bug Allowing Phishing Unpatched Since March.” The main idea is that nine months have bustled by. Teams users could fall victim to some missteps in Microsoft Teams. The write up states:

German IT security consultancy firm Positive Security’s co-founder Fabian Bräunlein discovered four vulnerabilities leading to Server-Side Request Forgery (SSRF), URL preview spoofing, IP address leak (Android), and denial of service (DoS) dubbed Message of Death (Android). Bräunlein reported the four flaws to the Microsoft Security Response Center (MSRC), which investigates vulnerability reports concerning Microsoft products and services. “The vulnerabilities allow accessing internal Microsoft services, spoofing the link preview, and, for Android users, leaking their IP address and DoS’ing their Teams app/channels,” the researcher said. Out of the four vulnerabilities, Microsoft addressed only the one that attackers could use to gain access to targets’ IP addresses if they use Android devices.

Second, we have “Stealthy BLISTER Malware Slips in Unnoticed on Windows Systems.” I learned:

… Blister, acts as a loader for other malware and appears to be a novel threat that enjoys a low detection rate. The threat actor behind Blister has been relying on multiple techniques to keep their attacks under the radar, the use of code-signing certificates being only one of their tricks.

Nope, let’s block Windows 11 users from installing another browser. Let’s kill Chis-PC software. The path forward is to enter 2022 with the ghost of SolarWinds laughing and the ghosts of Christmas yet to come licking their lips in glee.

Stephen E Arnold, December 31, 2021

Microsoft Has a Digital Death Star and Windows 11

December 21, 2021

If you are not familiar with Microsoft’s digital Death Star, you will want to watch the story in the December 26, 2021, Dark Cyber video news program. You can find it in the mini player at this link. More than a year after the SolarWinds’ security misstep became public, the Redmond giant can digitally slay the 1,000 malefactors responsible for some data exfiltration. Quick.

My hunch has been that Microsoft rolled out Windows 11 as part of a red herring campaign. The idea may have been that Windows 11 would capture the attention of “real” journalists, thus reducing the blow torch directed at the Microsoft enterprise software processes. It seems to have worked. No one I have spoken with knows much about the Death Star meme and quite a few people are excited about Windows 11.

ZDNet remains firmly in the camp of writing about Windows 11. Why not? Users who want to use a browser other than Edge or a specialized software to perform a specific PDF function find that some noodling is required. Windows 11 is supposed to be simpler better cheaper faster more wonderfuler, right?

8 Harsh Realities of Being a Windows 11 User” presents a distinguished lecturer’s view of some Windows 11 foibles. Let’s take a quick look at three of the eight and then circle back to the year long wait for digital retribution against the 1,000 engineers who created the SolarWinds’ misstep and made the Softies look inept and sort of silly in the security department.

Reality 1. The Browser Lock In

Microsoft does not want a Windows 11 user to load up a non Microsoft browser. I find this amusing because Edge is not really Microsoft code. Microsoft pulled out what I call soft taco engineering; that is, the Chrome engine is wrapped in a tortilla crafted in the kitchens of Microsoft Café 34. I am a suspicious type; therefore, I think the browser lock in is designed to make darned sure the geek bloggers and the “real” journalists have something to Don Quixote.

Reality 5. Control Panel / Settings Craziness

Okay, where is the widget to have the weird File Explorer show me “details”? And what about Display controls? I have a couple of places to look now. That’s helpful. Exactly what is the difference between a bunch of icons grouped in one place under one jargonized name? I am not sure about the logic of this bit of silliness, but, hey, one has to do more than clean the microwave in the snack area or hunt for the meeting room on the campus. (Where did the alleged interpersonal abuses take place? Is there a Bing Map for that?)

Reality 8. What Runs Windows 11?

Now if there is a super sized red herring being dragged over the SolarWinds’ misstep it is this one: Will my PC run Windows 11? Lame? You bet, but we are in the distraction business, not in the useful software business. Subscribe and pay now for the greatness which may not run on your PC, you computer dolt. But why? Maybe SolarWinds’ stuff saying, “Look here, not there.”

You have to navigate to the distinguished lecturer’s cited post for Realities of 2, 3, 4, 6, and 7. There are more Dusies too.

Now the circle back: SolarWinds’s misstep is still with us and Microsoft. At least I can understand Windows 11 as a quick and dirty distraction. Can users?

Stephen E Arnold, December 21, 2021

Microsoft Insights from the Inventor Jeffrey Snover

December 16, 2021

Microsoft is an innovative place. The company released the precision-tuned Windows 11. The firm innovated with fresh announcements about bad actors from China. Then the Redmond giant imposed some manual work on those who wanted to use a browser like Netscape or Opera.

Thus, I was interested in reading what inventor Jeffrey Snover had to say about his utility PowerShell. Navigate to  “An Interview With PowerShell Inventor Jeffrey Snover.” You can either listen to the interview or read a transcript from this page.

I want to highlight what I call “insights” from this interview.

The first item is a quote about Microsoft’s ability to manage programming work done from remote locations. (Remember, please, that there is the wonderfulness of Teams to make this process a flawless as possible.) Inventor Jeffrey Snover said:

We got funding but the bulk of the development team was in India. That was a disaster as none of us knew how to do distributed development.

Interesting. I like the colorful technical term “disaster.”

The second item concerns the value of PowerShell for “the modern world.” I quote:

The interesting thing is that the Windows approach is winning in the world and that makes PowerShell the best tool for the modern world.

I wonder if inventor Jeffrey Snover is categorizing Amazon, Apple, and Google as having developers who are not part of the modern world?

Third, I circled this fascinating passage. I must admit that I thought about the SolarWinds’ misstep when I read the sentences:

software works when it works and fails when it fails. That sounds stupid but it isn’t. Most programmers focus on success. They get a clear vision of success, they budget their time for success, and they get emotionally centered on the success of their technology. When their code works, it works. BUT, it turns out that the world is not perfect. There are problems. APIs don’t always succeed. Many engineers half-ass their error handling and in lots of cases, that error handling does not work. When their code fails, it fails. Systemically introducing ‘chaos’ into a system is the best way to find out whether your code is going to work when it fails.

Are these engineers which a not taking care of errors employed by Microsoft, or are these engineers excluded from the core of devoted PowerShell users. Those are the specialists who are part of the modern world. The others? Who knows?

Fourth, I found this statement suggestive:

Microsoft is focused on “Developers! Developers! Developers!”.

Does this explain why Microsoft partners are engaged in diagnosing, reworking, and fixing up Microsoft generated software and systems. The “developers’” mantra strikes me as a socially acceptable way to say, “You people can make a fortune as Microsoft certified engineers. It’s employment for life.”

Fifth, I liked this succinct statement:

You have to decide whether security is important or not. If you decide it is important, you allocate the resources and follow the well-established Security Development Lifecycle patterns and practices. Lip service doesn’t get the job done.

Microsoft and security. It is the 21st century equivalent of ham and eggs or peanut butter and jelly. Bad actors love Microsoft code. Opportunity in abundance. Wasn’t the word “disaster” used to describe Microsoft’s management expertise in the time of Covid and distributed work?

Stephen E Arnold, December 16, 2021

What Could Possibly Go Wrong: Direct Connections to MSFT SQL Servers?

December 3, 2021

One can now connect Google Data Studio directly to MSSQL servers with a new beta version. Previously, this feat required the use of either Microsoft’s Power BI or Big Query. Reporter Christian Lauer over at CodeX frames this move as an incursion in, “Google Attacks Microsoft Power BI.” He writes:

“Maybe many of you have been waiting for this. Google Data Studio now also offers a connector to MSSQL servers — at least in the beta version. But you can already use it without any problems. For me this is a milestone and a direct attack on Microsoft Power BI. Because now Data Studio is again a bit closer to the top solutions like Power BI and Qlik or Tableau. In addition, you no longer have to use MS products or load the data into a data warehouse beforehand if they come from Microsoft servers. The advantage for Google’s solution is of course that Data Studio is free of charge. … Many companies have MSSQL databases, now the widely used and free Data Studio from Google also offers a built in connector for it. Often the right and better way would be to make the data available via a Data Warehouse or Data Lake. But especially for smaller companies with only a handful of MSSQL databases, this direct way via Data Studio is probably the most efficient.”

The write-up describes the straightforward process for connecting to an MSSQL database via Google Data Studio, complete with a screenshot. For more information, he sends us to Studio’s Help file, “How to Connect to Microsoft SQL Server.” We wonder, though, whether Microsoft would agree this development amounts to an “attack.” The company may barely notice the change. Cyber criminals? We will have to wait and see.

Cynthia Murrell, December 3, 2021

About Microsoft Exchange Security?

November 12, 2021

I spotted “Microsoft urges Exchange Admins to Patch Their On-Prem Servers Now.” I like the “now.” I interpret this suggestion to mean, “Well, our much hyped security enhancements… are sort of not enough.”

The write up asserts:

[“November 2021 Exchange Server Security Updates” goes on to add that the bug only impacts on-premise Microsoft Exchange servers, including those used by customers in Exchange Hybrid mode.

With Microsoft telemetry, smart updates, and remote access controls to Microsoft systems — why are licensees hanging in the digital wind?

Net net: This type of “bulletin” is catnip to bad actors. Perhaps it is too expensive to do more than issue PR about security.

Stephen E Arnold, November 12, 2021

Microsoft: Two Different Meta-Messages or Just an Example of Microsoft Marketing?

November 4, 2021

I have heard quite a bit about the metaverse in the last week. Meh. I was more interested in two Microsoft meta-related stories.

The first was “Microsoft President Says Tech Must Compromise, Downplays Metaverse Hype.” The write up reports:

Hot on the heels of Facebook’s rebranding as Meta last week and a day after Microsoft touted its metaverse-related projects in a blog post, Smith tempered the “hype” around the metaverse, a concept overlaying digital and physical worlds. “We’re all talking about the metaverse as if we’re entering some new dimension. This is not like dying and going to heaven. We’re all going to be living in the real world with people,” Smith observed, before calling for collaboration and interoperability in the metaverse’s development.

Then I spotted “Microsoft Plans To Create A Corporate Version Of The Metaverse And It Will Have PowerPoint.” That write up stated

“This pandemic has made the commercial use cases much more mainstream, even though sometimes the consumer stuff feels like science fiction,” Microsoft Chief Executive Officer Satya Nadella said in an interview on Bloomberg Television. Nadella himself has used the technology to visit a Covid-19 ward in a U.K. hospital, a Toyota manufacturing plant, and even the international space station, he said.

Interesting. Zoom meetings are great. Microsoft Teams meetings are quite special. Making Teams meta is the greatest thing since Microsoft security vulnerabilities. Hype? Never.

Stephen E Arnold, November 4, 2021

Next Page »

  • Archives

  • Recent Posts

  • Meta