Google and Kids: The School Push Squeezes Some New Concessions… Allegedly
August 1, 2022
I read “Chrome Use Subject to Restrictions in Dutch Schools over Data Security Concerns.” The write up reports:
Several schools and other educational organizations are having to restrict usage of Google’s software, including its Chrome browser and Chrome OS offerings over security and privacy fears. The Dutch Ministry of Education has ordered the country’s education industry to implement the changes following over fears that Google’s software is in conflict with the General Data Protection Regulation (GDPR) and other privacy-related regulations in the country.
I am not surprised. I noted that the article presents some familiar wordage; for example:
… The ministers discussed these issues with the representatives of Google, Microsoft, and Zoom, and that these companies assured the ministers that their future versions will be more transparent, and more compatible, with the country’s (and the EU bloc’s) privacy and data protection laws.
I like the “assured the ministers” phrase. It reminds me of “Senator, thank you for the question. I will forward the information to your office. And I am sorry, really, really sorry. We are constantly trying to improve.”
Improve what?
Well, in my opinion it is the collection of fine grained data, actionable intelligence, and insight into what those kiddies are doing. But that’s just my point of view. The giant technology firms just want to do good. No, really.
Do good.
Those assurances sparked an update to the original article and guess what?
… Chrome and Chrome OS are not banned in the education sector of the country, and that schools may continue using them provided that they perform certain actions themselves to strengthen data security and ensure student privacy.
Progress.
Stephen E Arnold, August 1, 2022
Microsoft Windows: Does Windows Rhyme with Woes?
July 29, 2022
Security? Weird interfaces? Fixes that terminate with extreme prejudice printers? Did I ask about security? Oh, yes, I did.
I thought about Windows, the apparently abandoned insiders, the cheerleaders, and the haters. Did I mention the pundits? Oh, yes, I did.
I read “Microsoft’s Windows OS Loses 17% of Its Market Share in the Last 10 Years.” If the write up is accurate, the Softies may have some work to do. Why not charge for extras like Notepad, following the lead of BMW and its subscription for heated seats? The MSFT variation might be for search results that match the user’s search statement?
The write up reports:
According to a StockApps.com data presentation, Windows has lost 17% of its market share in the last decade. The site has presented data showing that the OS’s market share has plunged from 90.96% in 2013 to the current 73.72%. That’s a drop of roughly 2% a year. Meanwhile, alternative OS’ have seen their cumulative stock rise in that period. StockApps’ financial expert Edith Reads has been analyzing the trends in that space. She says, “Windows’ stranglehold over the OS market is shrinking because of increased competition. Today, Microsoft is facing competition from developers of alternative OS’. They have developed software that’s appealing to some computer lovers because they’re open source, faster, safer, and simpler to use.”
Yep, Linux is trotted out. Plus there is the Chrome operating system which runs on Google’s browser, which is recycled by Microsoft! Yep, Microsoft is doing the Chrome thing. Internet Explorer died on a long, long journey. Now its is Chrome plus Edge or, as I prefer, Kredge.
What’s the fix? How can a dinobaby residing in rural Kentucky have an answer. When I did some menial work for a Softie-related outfit, no one knew what I was talking about. I remember when I mentioned Kolmogorov and my uncle Vladimir Arnold. I can see the blank faces in the audience now.
Net net: Do I have a suggestion? Heck no. I like MSFT just the way it is. It’s scrumptious. Bring on Windows 12, the second version after the “last” version of Windows was announced in 2015. Consistency? You kidding me?
Stephen E Arnold, July 29, 2022
Softie Follies: Update Signals and Waveforms
July 22, 2022
Sine waves go up. Sine waves go down. Sometimes, the tidy signal becomes chaotic. I wonder how many at Microsoft remember images like this:
The wave is nice, tidy, simple, peaks fully realized, etc.
Now what about this wave form:
Looking a little chaotic, right?
I read about two Microsoft announcements, and the result is a burst of the chaotic in my limited mental apparatus.
The first write up reports that Microsoft is shifting from updating in the most annoying way possible to a slightly less wacky method. “Goodbye Endless Updates? Report Says Microsoft Is Moving Back To The Old Schedule & Windows 12 Is Coming” states:
Back in 2015, a Microsoft employee revealed that Windows 10 would be the last OS they launch but Windows 11 is a thing now and, according to this report, Windows 12 is coming as well. After a few years where Microsoft tried to turn their OS into “Windows as a service”, deploying countless updates instead of a big release every few years, now the company seems to be changing course.
Will there be some spicy chaos added to the Windows whatever? Of course. The write up explains:
Starting with Windows 11 version 22H2 (Sun Valley 2), Microsoft is kicking off a new “Moments” engineering effort which is designed to allow the company to rollout new features and experiences at key points throughout the year, outside of major OS releases. I hear the company intends to ship new features to the in-market version of Windows every few months, up to four times a year, starting in 2023,” reports WindowsCentral.
I thought that Microsoft said in 2015 Windows 10 was the last version of Windows. Obviously my memory is faulty, chaotic like the seemingly randomized fluctuations in Microsoft’s tactics to achieve global domination.
The second write up hits a bit closer to home. “Microsoft Patch Tuesday Update Has Broken Another Really Important Software” explains:
It seems some updates that came as part of this month’s Patch Tuesday broke MS Access runtime applications. Multiple users have reported having this issue to Microsoft, saying MS Access 2016(opens in new tab) and MS Access 2013 are having issues, post KB5002112 and KB5002121 updates. Microsoft has since acknowledged the existence of the problem, with Shane Groff, software design engineer, noting(opens in new tab), “The Access product team is investigating this issue. Thank you for the report, we will update soon.”
I think this means that Microsoft’s wizards cannot fix problems in a reliable way. But there is another twist to the story. The cited article asserts:
Right now, there is no official workaround, or a way to bypass the issue, so the only way to address the problem is to uninstall the patches. That, however, also means exposing the system to multiple known vulnerabilities…
I think this means that an outfit relying on Microsoft Access has a nifty set of options:
- Stop anything requiring Microsoft Access
- Uninstall the outstanding update and create some opportunities for bad actors
- Get rid of the crazy, often unstable and sometimes sluggish Access and embrace a more 21st century solution.
You may have some other ideas; for example, selling the business and taking a long-postponed vacation, thinking about the relationship between stress and heart failure, calling Microsoft’s ever helpful customer support team for intellectual inputs, or some other super duper fix.
Several observations:
- Microsoft appears to be unqualified to perform strategic and tactical functions their customers deserve and want; for instance, functioning systems and secure software
- Microsoft pushed out Windows 11 before the oven timer binged (no pun intended, of course). The half-baked software cookies are just not too appealing and could make some companies wary of what bad actors can and will do
- Microsoft wants to “manage” a big game company which has a wonderful legacy of treating employees in a professional manner when Microsoft cannot manage its own update coding.
Net net: I think this graph captures the outputs of the Softies and its apologists:
Stephen E Arnold, July 19, 2022
Microsoft Security Team Helps Android Users. What about Microsoft Users? Meh?
July 13, 2022
Two items caught my attention this morning (July 4, 2022).
The first is “ALERT! Microsoft warns of dangerous Android malware on your phone that intercepts OTP, SMS too.” Locating this story might be tricky. I noted it on DailyHunt, an information service in India. The url displayed for me is in this link. Your mileage may vary. Yeah, the modern Internet. The article reports:
Toll fraud malware, a subcategory of billing fraud in which malicious applications subscribe users to premium services without their knowledge or consent, is one of the most prevalent types of Android malware.
What’s the fix? Here’s a helpful suggestion:
A rule of thumb is to avoid installing Android applications from untrusted sources (side loading) and always follow up with device updates.
The second was “Android Toll Fraud malware can subscribe users to premium services without consent.” Once again, the link to my source is this information highway signpost. Good luck because this may be similar to the now long gone Burma Shave signs. The article informed me that:
The toll fraud malware… purchases subscription on behalf of the user in a way that the overall process isn’t perceivable.
So what’s the fix?
One of the easiest ways to protect yourself from this malware is by download the latest version of available software update on your smartphone. Apart from that, avoid installing Android applications from untrusted sources. In addition to that, avoid granting SMS permissions, notification listener access, or accessibility access to any applications without a strong understanding of why the application needs it.
Helpful indeed.
Here’s a quick question: What about Microsoft security for its products and services? Meh. What’s important is a little bit of negative PR for the fun loving Googlers.
Stephen E Arnold, July 13, 2022
Microsoft and the Next Fix Problem
July 11, 2022
I spotted a now routine story about a bug in Microsoft’s software. The story “Windows 11’s ‘Resolved’ Outlook Search Bug Resurfaces: When’s the Next Fix?” reveals a key insight into the software giant’s technical method.
I noted this statement in the article about an issue with search functionality in the Outlook email program, one of the original landscape apps which are pretty much orthogonal to the mobile phone’s display:
When doing a search in Outlook on Windows 11 PCs, the email program sometimes fails to provide results relevant to recent messages…
Yep, search. Microsoft. Not working.
But the important facet of the story appears in the story headline; specifically, “When’s the next fix?”
The Microsoft softies have experienced many issues with search and retrieval. Unlike Elizabeth Barrett Browning, I shall not count the ways. However, I will point out that there is now a fatalism about Microsoft. Stuff goes wrong. Microsoft attempts to fix the problem. Then the problem comes back
Whether it is the outstanding security systems or the brilliance of Word’s fascinating approach to automatic numbering, fixes beget more fixes.
So here we are: Unfixable code, persistent issues, and a giant theme park of opportunities for people to make bad decisions, waste time, and hunt for security flaws.
Yep, next fix. Working11ood. Which time is the charm? Third, fourth, nth? Is there a macro for excellence? Wait, let’s roll that macro thing back.
Stephen E Arnold, July 11, 2022
What Microsoft Wants: Identity System and Data for Good Purposes Of Course
June 28, 2022
Microsoft wants its new Verified ID program to move beyond social media platforms. According to Error! Hyperlink reference not valid. in the article, “Microsoft Wants Everything To Come With Its Verified Check Mark,” Microsoft wants Verified ID to validate more personal information and it is starting with verifying credentials.
Verified ID would allow people to get digital credentials that prove where they graduated, their jobs, where they bank, and if they are in good health. Microsoft says Verified ID would be good for people who need to quickly share their personal information, such as job applications. Verified ID uses blockchain-based decentralized identity standards. Microsoft plans to release its Entry Verified ID, its official name, in August. The name for Microsoft’s identity product line is Entra.
Ankur Patel is a Microsoft principal program manager for digital identity and he believes Entry Verified ID will be mainstream in three years:
“In the first year, it’s likely that Verified ID will be used by organizations in tandem with existing verification methods, both digital and analog, with a portion of their users, according to Patel. Wider adoption will depend, in part, on making sure that the service itself hasn’t “done harm,” he acknowledged.
One potential risk is that individuals might inadvertently share sensitive information with the wrong parties using the system, Patel said. ‘In the physical world, when you’re presenting these kinds of things, you’re careful — you don’t just give your birth certificate to anybody,’ he said. Microsoft is aiming to limit the issues in its own digital wallets with features meant to protect against this type of accidental exposure, Patel said.”
Microsoft wants to verify everyone’s information, but what about guaranteeing that its own products are real?
Whitney Grace, June 28, 2022
Microsoft: Helping Out Google Security. What about Microsoft Security?
June 14, 2022
While Microsoft is not among the big tech giants, the company still holds a prominent place within the technology industry. Microsoft studies rival services and products to gain insights as well as share anything to lower their standing such as a security threat, “Microsoft Researchers Discover Serious Security Vulnerabilities In Big-Name Android Apps.” The Microsoft 365 Defender Research Team found a slew of severe vulnerabilities in the mce Systems mobile framework used by large companies, including Rogers Communications, Bell Canada, and AT&T, for their apps.
Android phones have these apps preinstalled in the OS and they are downloaded by millions of users. These vulnerabilities could allow bad actors to remotely attack phones. The types of attacks range from command injection to privilege escalation.
The Microsoft 365 Defender Research Team shared the discovery:
“Revealing details of its findings, the security research team says: ‘Coupled with the extensive system privileges that pre-installed apps have, these vulnerabilities could have been attack vectors for attackers to access system configuration and sensitive information’.
In the course of its investigation, the team found the mce Systems’ framework had a “BROWSABLE” service activity that an attacker could remotely invoke to exploit several vulnerabilities that could allow adversaries to implant a persistent backdoor or take substantial control over the device.”
Vulnerabilities also affected apps on Apple phones. Preinstalled apps simplify device activation, troubleshooting, and optimize performance. Unfortunately, this gives apps control over the majority of the phone and the bad actors will exploit them to gain access. Microsoft is worked with mce Systems to fix the threats.
Interestingly, Microsoft found the security threats. Maybe Microsoft wants to reclaim its big tech title by protecting the world from Google’s spies?
Whitney Grace, June 14, 2022
Microsoft and Security: This Must Be an April Fool Joke in May, Right?
May 27, 2022
I read “Pwn2Own Hackers Just Broke Into Windows 11 and Teams in a Single Day.” Was this an Onion article? A write up from a former Punch writer? An output from Google’s almost human super capable smart software?
Nope. The source is a reliable online publication called Make Use Of or MUO to its friends.
I learned:
Day one of Pwn2Own is over, and taking a look at the bounty board shows that Microsoft’s software didn’t stand up well to the onslaught. The event saw three successful attacks on Microsoft Teams, and two against Windows 11. Each successful hack was rewarded accordingly, with the lowest bounty coming in at an impressive $40,000, and the biggest at an eye-watering $150,000.
Ah, Windows 11 and the feature-spawning Teams!
My view of Windows 11 is that it was pushed out to distract some Silicon Valley type news reporters from the massively bad SolarWinds’ misstep. Few agree with me.
Be that as it may, Windows 11 does not seem to be the paragon of security that I thought Microsoft explained. You know, the TPM thing and the idea that certain computers were not able to deal with the the Millie Vanillie approach to security. Catchy lyrics, but not exactly what paying customers expected.
The article cited concludes with this statement:
With hackers putting up big wins against Microsoft’s apps at Pwn2Win, it shows that the company’s software is perhaps not as secure as it should be. Hopefully, Microsoft can publish fixes for these exploits before they fall into the wrong hands.
Will Microsoft, like Netgear, find that it cannot “fix” certain issues with its software and systems.
Stephen E Arnold, May 27, 2022
Some Criticism of Microsoft? Warranted or Not?
May 13, 2022
Microsoft’s LinkedIn comes out on top—in one regard, anyway. IT-Online reports, “LinkedIn the Brand Most Imitated for Phishing.” In its Brand Phishing Report for the first quarter of 2022, Check Point Research found the professional network was imitated in more than half of all phishing attempts during January, February, and March. The write-up tells us:
“Dominating the rankings for the first time ever, LinkedIn accounted for more than half (52%) of all phishing attempts during the quarter. This represents a dramatic 44% uplift from the previous quarter, where the professional networking site was in fifth position accounting for only 8% of phishing attempts. LinkedIn overtook DHL as the most targeted brand, which is now in second position and accounted for 14% of all phishing attempts during the quarter.”
Social media platforms in general jumped in popularity as phishing spots. Shipping companies like DHL, which became attractive targets with the rise in e-commerce, are now in second place. Apparently different types of companies make juicy bait for different kinds of attacks. The article quotes Check Point’s Omer Dembinsky:
“Some attacks will attempt to gain leverage over individuals or steal their information, such as those we’re seeing with LinkedIn. Others will be attempts to deploy malware on company networks, such as the fake emails containing spoof carrier documents that we’re seeing with the likes of Maersk.”
Of course, a phishing attack can only work if someone falls for it. Do not be that person. Dembinsky advises:
“The best defense against phishing threats, as ever, is knowledge. Employees in particular should be trained to spot suspicious anomalies such as misspelled domains, typos, incorrect dates and other details that can expose a malicious email or text message. LinkedIn users in particular should be extra vigilant over the course of the next few months.”
In Check Point’s list of the top ten companies to find themselves on phishing hooks, LinkedIn and DH are followed by Google (at 7%), Microsoft (6%), FedEx (6%), WhatsApp (4%), Amazon (2%), Maersk (1%), AliExpress (0.8%), and Apple (0.8%).
Cynthia Murrell, May 13, 2022
Cyber Security: Oxymoron?
May 9, 2022
I read an interesting article called “Botnet That Hid for 18 Months Boasted Some of the Coolest Tradecraft Ever.” I am not sure I would have described the method as “cool,” but as some say, “Let many flowers bloom.”
The main point of the article is a sequence of actions which compromise a target without calling attention to the attack or leaving size 13 digital footprints. The diagrams provide a broad overview of the major components, but there are no code snippets. That’s a plus in my book because many cyber revelations are cookbooks with easy-to-follow recipes for dorm room cyber snacks.
What caught my attention is this statement in the excellent write up:
One of the ways the hackers maintain a low profile is by favoring standard Windows protocols over malware to move laterally. To move to systems of interest, UNC3524 used a customized version of WMIEXEC, a tool that uses Windows Management Instrumentation to establish a shell on the remote system.
I also noted:
“Once UNC3524 successfully obtained privileged credentials to the victim’s mail environment, they began making Exchange Web Services (EWS) API requests to either the on-premises Microsoft Exchange or Microsoft 365 Exchange Online environment,” the Mandiant researchers wrote. “In each of the UNC3524 victim environments, the threat actor would target a subset of mailboxes….”
With the core functionality of the Microsoft software and services the pivot on which the system and methods of the attacker pivot, what does this suggest about cyber security going forward?
My answer: There is an attack surface of significant scope. Plus, undetectable but for specialized analyses. The ball is in the hands of Microsoft. The bad actors just toss it around.
Stephen E Arnold, May 9, 2022
-
- Subscribe to Beyond Search
Feature archive
News archive
-
