Microsoft Insights from the Inventor Jeffrey Snover
December 16, 2021
Microsoft is an innovative place. The company released the precision-tuned Windows 11. The firm innovated with fresh announcements about bad actors from China. Then the Redmond giant imposed some manual work on those who wanted to use a browser like Netscape or Opera.
Thus, I was interested in reading what inventor Jeffrey Snover had to say about his utility PowerShell. Navigate to “An Interview With PowerShell Inventor Jeffrey Snover.” You can either listen to the interview or read a transcript from this page.
I want to highlight what I call “insights” from this interview.
The first item is a quote about Microsoft’s ability to manage programming work done from remote locations. (Remember, please, that there is the wonderfulness of Teams to make this process as flawless as possible.) Inventor Jeffrey Snover said:
We got funding but the bulk of the development team was in India. That was a disaster as none of us knew how to do distributed development.
Interesting. I like the colorful technical term “disaster.”
The second item concerns the value of PowerShell for “the modern world.” I quote:
The interesting thing is that the Windows approach is winning in the world and that makes PowerShell the best tool for the modern world.
I wonder if inventor Jeffrey Snover is categorizing Amazon, Apple, and Google as having developers who are not part of the modern world?
Third, I circled this fascinating passage. I must admit that I thought about the SolarWinds’ misstep when I read the sentences:
software works when it works and fails when it fails. That sounds stupid but it isn’t. Most programmers focus on success. They get a clear vision of success, they budget their time for success, and they get emotionally centered on the success of their technology. When their code works, it works. BUT, it turns out that the world is not perfect. There are problems. APIs don’t always succeed. Many engineers half-ass their error handling and in lots of cases, that error handling does not work. When their code fails, it fails. Systemically introducing ‘chaos’ into a system is the best way to find out whether your code is going to work when it fails.
Are these engineers who are not taking care of errors employed by Microsoft, or are these engineers excluded from the core of devoted PowerShell users? Those are the specialists who are part of the modern world. The others? Who knows?
Fourth, I found this statement suggestive:
Microsoft is focused on “Developers! Developers! Developers!”.
Does this explain why Microsoft partners are engaged in diagnosing, reworking, and fixing up Microsoft-generated software and systems? The “developers’” mantra strikes me as a socially acceptable way to say, “You people can make a fortune as Microsoft certified engineers. It’s employment for life.”
Fifth, I liked this succinct statement:
You have to decide whether security is important or not. If you decide it is important, you allocate the resources and follow the well-established Security Development Lifecycle patterns and practices. Lip service doesn’t get the job done.
Microsoft and security. It is the 21st century equivalent of ham and eggs or peanut butter and jelly. Bad actors love Microsoft code. Opportunity in abundance. Wasn’t the word “disaster” used to describe Microsoft’s management expertise in the time of Covid and distributed work?
Stephen E Arnold, December 16, 2021
What Could Possibly Go Wrong: Direct Connections to MSFT SQL Servers?
December 3, 2021
One can now connect Google Data Studio directly to MSSQL servers with a new beta version. Previously, this feat required the use of either Microsoft’s Power BI or Big Query. Reporter Christian Lauer over at CodeX frames this move as an incursion in, “Google Attacks Microsoft Power BI.” He writes:
“Maybe many of you have been waiting for this. Google Data Studio now also offers a connector to MSSQL servers — at least in the beta version. But you can already use it without any problems. For me this is a milestone and a direct attack on Microsoft Power BI. Because now Data Studio is again a bit closer to the top solutions like Power BI and Qlik or Tableau. In addition, you no longer have to use MS products or load the data into a data warehouse beforehand if they come from Microsoft servers. The advantage for Google’s solution is of course that Data Studio is free of charge. … Many companies have MSSQL databases, now the widely used and free Data Studio from Google also offers a built in connector for it. Often the right and better way would be to make the data available via a Data Warehouse or Data Lake. But especially for smaller companies with only a handful of MSSQL databases, this direct way via Data Studio is probably the most efficient.”
The write-up describes the straightforward process for connecting to an MSSQL database via Google Data Studio, complete with a screenshot. For more information, he sends us to Studio’s Help file, “How to Connect to Microsoft SQL Server.” We wonder, though, whether Microsoft would agree this development amounts to an “attack.” The company may barely notice the change. Cyber criminals? We will have to wait and see.
Cynthia Murrell, December 3, 2021
About Microsoft Exchange Security?
November 12, 2021
I spotted “Microsoft urges Exchange Admins to Patch Their On-Prem Servers Now.” I like the “now.” I interpret this suggestion to mean, “Well, our much hyped security enhancements… are sort of not enough.”
The write up asserts:
“November 2021 Exchange Server Security Updates” goes on to add that the bug only impacts on-premise Microsoft Exchange servers, including those used by customers in Exchange Hybrid mode.
With Microsoft telemetry, smart updates, and remote access controls to Microsoft systems — why are licensees hanging in the digital wind?
Net net: This type of “bulletin” is catnip to bad actors. Perhaps it is too expensive to do more than issue PR about security.
Stephen E Arnold, November 12, 2021
Microsoft: Two Different Meta-Messages or Just an Example of Microsoft Marketing?
November 4, 2021
I have heard quite a bit about the metaverse in the last week. Meh. I was more interested in two Microsoft meta-related stories.
The first was “Microsoft President Says Tech Must Compromise, Downplays Metaverse Hype.” The write up reports:
Hot on the heels of Facebook’s rebranding as Meta last week and a day after Microsoft touted its metaverse-related projects in a blog post, Smith tempered the “hype” around the metaverse, a concept overlaying digital and physical worlds. “We’re all talking about the metaverse as if we’re entering some new dimension. This is not like dying and going to heaven. We’re all going to be living in the real world with people,” Smith observed, before calling for collaboration and interoperability in the metaverse’s development.
Then I spotted “Microsoft Plans To Create A Corporate Version Of The Metaverse And It Will Have PowerPoint.” That write up stated:
“This pandemic has made the commercial use cases much more mainstream, even though sometimes the consumer stuff feels like science fiction,” Microsoft Chief Executive Officer Satya Nadella said in an interview on Bloomberg Television. Nadella himself has used the technology to visit a Covid-19 ward in a U.K. hospital, a Toyota manufacturing plant, and even the international space station, he said.
Interesting. Zoom meetings are great. Microsoft Teams meetings are quite special. Making Teams meta is the greatest thing since Microsoft security vulnerabilities. Hype? Never.
Stephen E Arnold, November 4, 2021
Microsoft Search: Still Trying after All These Years
November 2, 2021
That was “FAST,” wasn’t it? You lived through LiveSearch, right? Jellyfish? Powerset? Outlook Search in its assorted flavors like Life Savers? I could go on, but I am quite certain no one cares.
Nevertheless, Bing’s new feature may possibly prompt some workers to switch to the search-engine underdog. TechRadar Pro reports the development in its brief write-up, “One of Microsoft’s Most-Hated Products Might Actually Be Getting a Useful Upgrade.” Writer Mike Moore reveals:
“The tech giant is boosting one of its less-celebrated products to give enterprise users an easier way to search online. The update means that enterprise users will now get their historical searches as suggestions in the autosuggest pane on Bing and Microsoft Search in Bing, according to the official Microsoft 365 roadmap entry. … The new update should mean that enterprise users looking to quickly find files that they’ve searched for or opened before will no longer need to manually trawl through endless files and folders in search of the elusive location. The update is still currently in development, but Microsoft will doubtless be keen to get it out soon and help boost Bing engagement. The feature is set to be available to Microsoft Search users across the globe via the company’s general availability route, meaning web, desktop and mobile users will all be able to utilize it upon release.”
Moore notes Microsoft’s tenacity in continuing to support Bing despite Google’s astounding market share lead. He wonders whether the company may have lost some enthusiasm recently, though, when it was revealed that the most searched-for term on Bing is “Google.” A tad embarrassing, perhaps. Does Microsoft suppose its file-finding feature will turn the tide? Unlikely, but some of our readers may find the tool useful, nonetheless.
What’s next for Microsoft search? Perhaps broader and deeper indexing of US government Web sites for a starter?
Cynthia Murrell, November 2, 2021
Are Threat Detection and Cyber Security Systems Working?
October 26, 2021
I read “Microsoft: Russian SVR Hacked at Least 14 IT Supply Chain Firms Since May.” The write up states:
Microsoft says the Russian-backed Nobelium threat group behind last year’s SolarWinds hack is still targeting the global IT supply chain, with 140 managed service providers (MSPs) and cloud service providers attacked and at least 14 breached since May 2021. This campaign shares all the signs of Nobelium’s approach to compromising a significant list of targets by breaching their service provider.
That’s interesting. At first glance, it seems as if a small number of targets succumbed.
On the other hand, it raises some questions:
- What cyber security and threat detection systems were in use at the 14 outfits breached?
- What caused the failure of the cyber security systems? Human error, lousy cyber security methods, or super crafty bad actors like insiders?
- Is a 10 percent failure rate acceptable? Microsoft seems agitated, but why didn’t Microsoft’s security protect 10 percent of the targets?
Each week I am invited to webinars to learn about advanced security systems. Am I to assume that if I receive 10 invites, one invite will be from an outfit whose technology cannot protect me?
The reports of breaches, the powers of giant software outfits, and the success of most companies in protecting themselves are somewhat cheering.
On the other hand, a known group operating for more than a year is still bedeviling some organizations. Why?
Stephen E Arnold, October 26, 2021
Microsoft and Russia: Who Does What to Whom?
October 26, 2021
Last year’s infamous SolarWinds attack really boosted Russia’s hacking community. That is one take-away from MarketBeat’s write-up, “Microsoft: Russia Behind 58% of Detected State-Backed Hacks.” Writer Frank Bajak shares some details from Microsoft’s second annual Digital Defense Report:
“Russia accounted for most state-sponsored hacking detected by Microsoft over the past year, with a 58% share, mostly targeting government agencies and think tanks in the United States, followed by Ukraine, Britain and European NATO members, the company said. The devastating effectiveness of the long-undetected SolarWinds hack — it mainly breached information technology businesses including Microsoft — also boosted Russian state-backed hackers’ success rate to 32% in the year ending June 30, compared with 21% in the preceding 12 months. China, meanwhile, accounted for fewer than 1 in 10 of the state-backed hacking attempts Microsoft detected but was successful 44% of the time in breaking into targeted networks, Microsoft said. … Only 4% of all state-backed hacking that Microsoft detected targeted critical infrastructure, the Redmond, Washington-based company said, with Russian agents far less interested in it than Chinese or Iranian cyber-operatives.”
Well, that is something. Ransomware, though, is also up, with the U.S. targeted three times as often as the next nation. Anyone who was affected by the Colonial Pipeline attack may be concerned about our infrastructure despite the lack of state-sponsored interest in sabotaging it. We are told state-backed attackers are mostly interested in intelligence gathering. Bajak cites Microsoft Digital Security Unit’s Cristin Goodwin as he writes:
“Goodwin finds China’s ‘geopolitical goals’ in its recent cyber espionage especially notable, including targeting foreign ministries in Central and South American countries where it is making Belt-and-Road-Initiative infrastructure investments and universities in Taiwan and Hong Kong where resistance to Beijing’s regional ambitions is strong.”
North Korea is another participant covered in the report. That country was in second place as a source of attacks at 23%, though their effectiveness was considerably less impressive—only 6% of their spear-phishing attempts were successful. Bajak closes by reminding us the report can only include attacks Microsoft actually detected. See the write-up or the report itself for more information.
Cynthia Murrell, October 26, 2021
Microsoft: A Legitimate Point about Good Enough
October 20, 2021
A post by Stefan Kanthak caught my attention. The reason was an assertion that highlights what may be the “good enough” approach to software. The article is “Defense in Depth — the Microsoft Way (Part 78): Completely Outdated, Vulnerable Open Source Component(s) Shipped with Windows 10&11.” I am in the ethical epicenter of the US not too far from some imposing buildings in Washington, DC. This means I have not been able to get one of my researchers to verify the information in the Stefan Kanthak post. I, therefore, want to point out that it may be horse feathers.
Here’s the point I noted in the write up:
Most obviously Microsoft’s processes are so bad that they can’t build a current version and have to ship ROTTEN software instead!
What’s “rotten”?
The super security conscious outfit is shipping outdated versions of two open source software components: Curl.exe and Tar.exe.
If true, Stefan Kanthak may have identified another example of the “good enough” approach to software. If not true, Microsoft is making sure its software is really super duper secure.
Stephen E Arnold, October 20, 2021
Mapping the Earth: A Big Game?
October 20, 2021
I read “Was Google Earth Stolen?” I have not thought about making a map of the earth game-like for many years. I read the article by Avi Bar-Zeev, one of the individuals close to the Keyhole approach. Interesting stuff.
I want to underscore the fact that Microsoft was noodling around in this geographic earth space as well. There is a short item on the Microsoft Web site called “The Microsoft TerraServer.” The write up states:
The Microsoft TerraServer stores aerial and satellite images of the earth in a SQL Server Database served to the public via the Internet. It is the world’s largest atlas, combining five terabytes of image data from the United States Geodetic Survey, Sovinformsputnik, and Encarta Virtual Globe™. Internet browsers provide intuitive spatial and gazetteer interfaces to the data. The TerraServer demonstrates the scalability of Microsoft’s Windows NT Server and SQL Server running on Compaq AlphaServer 8400 and StorageWorks™ hardware. The TerraServer is also an E-Commerce application. Users can buy the right to use the imagery using Microsoft Site Servers managed by the USGS and Aerial Images. This paper describes the TerraServer’s design and implementation.
The link to download the 23 year old Microsoft document is still valid, believe it or not!
Other outfits were into fancy maps as well; for example, the US government entity in Bethesda and some of the folks at Boeing.
Is this germane to the Bar-Zeev write up? Nah, probably no one cares. I find stories about technology “origins” quite interesting for what each includes and what each omits. Quite game-like, right?
Stephen E Arnold, October 20, 2021
Registering Dismay: Microsoft Azure Blues
October 20, 2021
The Beyond Search team loves Microsoft. Totally.
Some are not thrilled with automated customer service. Talk to smart software. Skip the human thing. Microsoft’s customer service has been setting a high standard for decades. Despite the company getting bigger and more powerful, Microsoft sparked a story in The Register called “WTF? Microsoft Makes Fixing Deadly OMIGOD Flaws On Azure Your Job.”
Azure is Microsoft’s cloud platform, and users running Linux VMs are susceptible to four “OMIGOD” bugs in the Open Management Infrastructure (OMI). Linux Azure users are forced to fend for themselves with the OMIGOD bugs, because Microsoft will not assist them. What is even worse for the Linux users is that they do not want to run OMIs on their virtual machines. OMIs are automatically deployed when the VM is installed when some Azure features are enabled. Without a patch, hackers can access root code and upload malware.
The write up points out that Microsoft did some repairs:
“The Windows giant publicly fixed the holes in its OMI source in mid-August, released it last week, and only now is advising customers. Researchers quickly found unpatched instances of OMI. Security vendor Censys, for example, wrote that it discovered ’56 known exposed services worldwide that are likely vulnerable to this issue, including a major health organization and two major entertainment companies.…In other words, there may not be that many vulnerable machines facing the public internet, or not many that are easily found.”
Linux VM users on Azure are unknowingly exposed and a determined hacker could access the systems.
Is it possible Windows 11 is a red herring? OMIGOD, no.
Whitney Grace, October 20, 2021