Watching Hoops: Watching Microsoft Defensive Scramble
March 24, 2021
Air ball. I read “Microsoft Defender Will Automatically Prevent Exchange Server Exploits.” Technical foul! The write up contains this statement:
The tech giant warns, however, that this is just an interim mitigation meant to protect customers while they’re in the midst of implementing the comprehensive security update for Exchange it released earlier this month.
Over and back!
The Redmond Wizards have great cheerleaders, but the opponents own the auditorium. The clock is ticking.
The Wizards’ coach is yelling at the officials. Oh, another technical foul.
Quick. Print out the play.
Wait, Microsoft Windows 10 updates broke the printer.
Whistle. Another technical foul.
Stephen E Arnold, March 24, 2021
Microsoft: Your Computer, Your Data. That Is a Good One
March 23, 2021
The online news stream is chock full of information about Microsoft’s swing-for-the-fences PR push for Discord. If you are not familiar with the service, I am not going to explain this conduit for those far more youthful than I. Like GitHub, Discord is going to be an interesting property if the Redmond crowd does the deal. If we anticipate Discord becoming part of the Xbox and Teams family, the alleged censorship of software posted to GitHub will be a glimpse of the content challenges in Microsoft’s future.
The more interesting development is the “real” news story “Microsoft Edge Could Soon Share Browsing Data with Windows 10.” The idea is that a person’s computer and the authorized users of the computing device will become one big, happy data family.
The article states:
Called share browsing data with other Windows features, it is designed to share data from Edge, such as Favorites or visited sites, with other Windows components. Search is a prime target, and highlighted by Microsoft at the time of writing. Basically, what this means is that users who run searches using the built-in search feature may get Edge results as well.
And what does Microsoft get? Possibilities include:
- Federated, fine grained user behavior data
- Click stream data matched to content on the user’s personal computer
- Real-time information flows
- Opportunities to share data with certain entities.
What happens to the user’s computer if said user does not accept such integration? The options range from loss of access to certain data to pro-active interaction to alter the functioning of the user’s computing device.
Why is this such a good idea? Microsoft, like Amazon, Facebook, and Google realize that the days of the Wild West are coming to an end. There are new sheriffs with new ideas about right and wrong.
Thus, get what one can while the gittin’ is good as the old times used to say.
But “What about security and privacy?” you ask? One response is, “That’s a good one.” Why not try stand up?
Stephen E Arnold, March 23, 2021
Microsoft Security: An Ominous Signification
March 22, 2021
IT News published “White House Taskforce Meets over Microsoft Software Weaknesses.” The “real news” story included a statement which I placed in the predictive bucket. Here’s the prose which caught my attention:
The security holes in the widely used mail and calendaring software leave the door open to industrial-scale cyber espionage, allowing malicious actors to steal emails virtually at will from vulnerable servers or to move elsewhere in the network.
Microsoft is pretty good at issuing magic fixes; for example, “Microsoft Releases One-Click Patch for Exchange Vulnerability” reveals:
Microsoft has released a one-click patch, the Microsoft Exchange On-Premises Mitigation tool, to help customers apply new security updates in the face of the Exchange Server cyber attack.
This IT Pro article points out:
ESET research found that Microsoft Exchange servers had been targeted by “at least ten hacker groups” and that they had managed to install backdoors on more than 5,000 servers in over 115 countries.
In this context the phrase “industrial scale cyber espionage” is doubly chilling.
Now about that JEDI contract for the US Department of Defense?
Stephen E Arnold, March 22, 2021
Microsoft Exchange After Action Action: Adulting or Covering Up?
March 12, 2021
I read “Researcher Publishes Code to Exploit Microsoft Exchange Vulnerabilities on GitHub.” The allegedly accurate “real” news report states:
On Wednesday, independent security researcher Nguyen Jang published on GitHub a proof-of-concept tool to hack Microsoft Exchange servers that combined two of those vulnerabilities. Essentially, he published code that could be used to hack Microsoft customers, exploiting a bug used by Chinese government hackers—on an open-source platform owned by Microsoft.
What happened?
Microsoft took down the hacking tool. “GitHub took down it,” the researcher told Motherboard in an email. “They just send [sic] me an email.” On Thursday, a GitHub spokesperson confirmed to Motherboard that the company removed the code due to the potential damage it could cause.
Interesting.
Two questions crossed my mind:
- Is Microsoft showing more management responsibility with regard to the data posted on GitHub? Editorial control is often useful, particularly when the outputting mechanism provides a wealth of information and code. Some of these items can be used to create issues. Microsoft purchased GitHub and may now be forced to take a more adult view of the service.
- Is Microsoft covering up the flaws in its core processes? After reading Microsoft’s explanations of the Solarwinds’ misstep, the injection of marketing spin and intriguing rhetoric about responsibility open the door to a bit of Home Depoting; that is, paint, wood panel, and a bit of carpet make an ageing condo look better.
Worth watching both the breaches which are concerning and the GitHub service which can cause some individuals’ brows to furrow.
Stephen E Arnold, March 12, 2021
Microsoft: Stunned by Its Own Insecure Petard?
March 12, 2021
I read “10 Key Microsoft Ignite Takeaways for CIOs.” Marketing fluff except for one wild and crazy statement. Here’s the passage I found amusing:
By midyear, enterprises will also be able to control in which datacenter Microsoft stores documents shared through Teams, group by group or even for individual users, making it more useful in some regulated industries or where there are concerns about the security of data. These controls will mirror those available for Exchange and SharePoint. There will also be an option to make end-to-end-encrypted one-to-one voice or video calls, that CIOs can enable on a per-employee basis, and to limit meeting attendance only to invited participants. A future update could see the addition of end-to-end encrypted meetings, too. For companies that are centralizing their investment in such collaboration, McQuire said, “Security is arguably the number one selection criterion.”
Assume this number one selection criterion is on the money. What’s the Microsoft security posture with SolarWinds and the Exchange breaches?
That petard packs quite a wallop, and it is not from marketing hoohah. There’s nothing like a marketing oriented conference to blow smoke to obfuscate the incredible security issues Microsoft has created. But conferences and marketing talk are easier than remediating the security problems.
Stephen E Arnold, March 12, 2021
LinkedIn: Social Media Excitement from the Softies
March 10, 2021
Microsoft is reportedly embracing the gig work mentality via LinkedIn, which it purchased in 2016. What could go wrong? Social Barrel tells us, “LinkedIn to Rival Fiverr and Upwork with Marketplaces.” The pandemic has greatly increased demand for independent workers, and it sounds like Microsoft refuses to cede the increased freelance-connection business to Upwork and Fiverr. Writer Ola Ric reveals:
“If true, the Microsoft-owned professional network service is all set to rival Fiverr and Upwork. Without a doubt, LinkedIn stands a big chance of rivaling Fiverr and Upwork considering its massive user base said to be around 740 million. The service is called Marketplaces according to The Information, and is already being developed. Apparently LinkedIn wants to explore a market, though small, but with potential for growth.”
Of course, many besides the self-employed are working remotely now, and many predict the trend will continue after the pandemic is in our rear view. This new reality means many new challenges for HR, and several employee management applications are being used to cope. Microsoft is also moving into this territory with its Viva platform, we learn from “The Arrival of ‘Enterprise Social’” at India’s BusinessWorld. Reporter Pradeep Kar elaborates:
“The opportunity is so big that Microsoft’s Chief Executive Satya Nadella went public, saying that the COVID-19 crisis would result in employee management applications that would outlast the pandemic. His company has quickly unveiled a new category of technology solutions called employee experience platforms (EXP) with Viva that ‘provides a single-entry point for employee engagement and internal communications.’ Microsoft calls Viva a gateway to the digital workplace. It includes human resource functions like payroll, tools to track employee performance, career development initiatives, etc. We know these employee engagement applications are not just good-to-have. They are critical. They allow organizations to keep employees connected, binding them to company goals and culture, improving productivity and loyalty.”
Microsoft’s Viva is not the only option, Kar informs us. He lists Darwinbox, ADP Workforce Now, ZohoPeople, and PeopleStrong as just a few of the many alternatives.
We note Microsoft continues to explore its options as new things come along, a practice that has kept it in business since 1975. We wonder, though: Could this timing be a way to distract from the company’s part in the SolarWinds fiasco?
Cynthia Murrell, March 10, 2021
Microsoft Outlook Users: Maybe Proton Mail?
March 8, 2021
I spotted another write up about the security issues with the Azure, Defender, and Office365 services. Wow, nation states and groups of allegedly China-aligned hackers are making Microsoft look worse than Jackie Smith when he dropped a game winner for the Dallas Cowboys years ago. It seems as if bad actors are trying to outdo one another in exposing the vulnerabilities of the Redmond construct. Wowza.
I read “White House Warns of Active Threat Following Microsoft Outlook Breach.” The write up states:
“We can’t stress enough that patching and mitigation is not remediation if the servers have already been compromised, and it is essential that any organization with a vulnerable server take measures to determine if they were already targeted,” the White House official said.
Several observations:
- If I were involved in the JEDI procurement, I would not be too enthusiastic about Microsoft technology being the plumbing for the Department of Defense. Hey, I know PowerPoint is the go to tool in many DoD units, but it appears that there may be some bad actors able to get their digital paws on the PPTX attachments to Outlook email.
- Microsoft is fighting an after action situation. The bad actors are forcing Microsoft to rush code fixes to large, already compromised organizations. If the bad actors are indeed “inside” certain entities, the bad actors are likely to have access to these speedy fixes and be able to exploit them. Why not substitute a “real” MSFT fix with a certified malware infused fix. Sounds like something bad actors might consider.
- In my lecture to a group of US government cyber security professionals in 48 hours, I use the analogy of radiation poisoning for the SolarWinds’ and Microsoft Exchange breaches. Once the polonium is in the target, the fix is neither quick, simple, or ultimately likely to work.
Net net: Other bad actors will learn from these breaches and launch their own initiatives. That’s not good because there are quite a few bad actors eager to make a mockery of US technology. I think one might characterize the Microsoft “repair after the barn burns down” as bad optics.
It’s bad something, for sure. Remember. It is the White House sounding the alarm, not an alphabet soup agency.
Stephen E Arnold, March 9, 2021
Microsoft: Yeah, about Those Distributed Systems and the Wonderful Exchange Systems
March 8, 2021
I found the information about the most recently disclosed Microsoft Exchange breaches troubling. The “1,000 bad actors” comment from the Softies seemed to say:
Hey, how can a company like Microsoft defend itself against a 1,000 programmers focused on undermining our approach to building, deploying, and servicing our software?
Yep, 1,000 bad actors were allegedly needed to create the issues associated with SolarWinds and the assorted silly names attached to malware available via certain “dark” channels?
How many bad actors does it take to create issues for what is it? 20,000 or more organizations. One news service based in India did its level best to maintain an even tone in “Over 20,000 U.S. Organizations Compromised through Microsoft Flaw.” See the number? 20,000. Maybe India does not buy into a larger number; for example, Krebs on Security states: “At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software.”
Just a delta of 10,000? Hey, no big deal.
Now who pulled off this hack in the midst of the SolarWinds’ misstep? China. The country is larger than Russia which managed an estimated 18,000 compromised systems.
Okay, it is time to face up to reality:
- The oh-so-nifty distributed systems which rely on libraries which may or may not be secure is a big, fat sitting duck
- There is no quick fix. Microsoft’s rush rush patches don’t seem to be working if the sources I have reviewed are on the money
- Microsoft’s method of shoving software to licensees creates problems; for example, check out KIR, a tool that undoes updates which kill or impair licensees’ systems.
Who spotted the breach? Microsoft Defender, the Azure security system, Microsoft’s own security teams? Nope, allegedly an outfit called Volexity.
Exactly what was being monitored by the hundreds of super duper security sleuthers who sell threat intelligence, AI infused cyber security systems, and special entities which perform checks on crucial systems?
Pretty much checking out YouTube, sending text messages about pizza, and posting to Twitter about the perils of Facebook and Google.
The scale of the Exchange misstep is interesting.
What happens if one of the groups undermining the computer systems of the US decides to terminate the systems for finance, travel, and mobile communications?
Here’s my answer: Find a donkey and a cart. Life will change quickly and no quick patch for deeply flawed Microsoft technical processes will arrive to make everything better again.
Microsoft’s methods are the problem. And what about the 1,000 programmers? That’s Microsoft speak for flaws which a small group of focused bad actors can achieve. The only coding that takes a 1,000 people is Microsoft’s Teams unit. Those folks are adding features while core functions are stripped bare, exploited, and turned into weapons.
It will be interesting to learn what Microsoft apologists involved in the JEDI program say about this misstep.
Keep in mind. No one knows exactly how many systems have been and remain compromised by the SolarWinds’ and the most recently revealed Exchange fumble.
What will Brad Smith say? I can hardly wait assuming that my systems are not zapped by bad actors who are surfing on shoddy solutions.
Stephen E Arnold, March 8, 2021
An Existential Question: LinkedIn or LinkedOut?
March 5, 2021
Writer Joan Westenberg is over LinkedIn, and advises us we would all be better without it. The Next Web posts, “Delete LinkedIn—You’ll Have Zero F****ing Regrets.” After years of enduring countless messages from those who want to sell her something, she finally deleted her LinkedIn account. Not only did the platform fail to provide her any professional benefits, she was also disheartened by the superficial relationships with her hundreds of contacts. (At least this platform does not call them “friends.”)
Having had some success at sales for her business, Westenberg has observed that the way to sell to someone is to build a real relationship with them. Her favorite way to do so is to offer help with no agenda, to demonstrate her products have value. She writes:
“That is the antithesis of LinkedIn. Where people send you off-brand and clumsy sales pitches at best — or at worst, scrape your details for scalable and utterly useless outbound campaigns. They send pitch decks in the same breath that they introduce themselves for the first time. They want you to buy with no reason why. LinkedIn feels less like a platform for selling, and more like a platform for being sold to. A LinkedIn message is the 2020s equivalent of a cold sales call. You dread it. You hate it. You just don’t want to deal with it. … I would rather focus my attention on platforms where I know people have come to genuinely research, interact, learn and consume. Quora. Angel List. Dribble. Medium. Substack. And yes, Twitter. And I would rather remove the false sense of accomplishment we get from engaging on LinkedIn, where we log into a landfill of utter [excrement] several times a day and feel like we’ve done our bit of networking and growing, with no evidence to support that belief.”
Westenberg advises others to join her in ditching the platform. All we will lose, she concludes, are the vanity metrics of clicks, likes, shares, and comments, all of which provide nothing of value. Hmm. I for one have never gotten a job through the platform, but I do know someone who has. Then there are all the professional courses the platform acquired when it snapped up Lynda.com in 2015, many of which are quite helpful. I suppose each user must weigh the site’s role in their professional lives for themselves, but on this point I agree—LinkedIn is not fundamental to professional success. No one should feel they have to use it by default.
Cynthia Murrell, March 5, 2021
Cloud or Not? Fighting Words for Sure
March 5, 2021
I read “SolarWinds Hack Pits Microsoft against Dell, IBM over How Companies Store Data.” Ah, ha, a dispute with no clear resolution. The write up suggests that some big dogs in technology will be fighting over the frightened gazelles. Will the easily frightened commercial buyers take off when the word “cloud” is voiced? Or, will the sheep-inspired animals head for the perceived security of computers in the farm house?
The write up states:
[The dispute over where to put data] pits Microsoft Corp., which is urging clients to rely on cloud-computing systems, against others including Dell Technologies Inc. and International Business Machines Corp., who argue customers want to mix the cloud with the more traditional on-premise data-storage systems in a construct called hybrid-cloud.
Do you want pickle on top of a hamburger or underneath the juicy patty? Which method? Come on. Decide.
The write up reports:
Microsoft, one of the world’s biggest cloud vendors, has said cloud services offer customers the most robust data protection. A mixed approach “creates an additional seam that organizations need to secure. A consequence of this decision is that if the on-premises environment is compromised, this creates opportunities for attackers to target cloud services,” Microsoft said in a blog post on its investigation of the hack. The notion that the hybrid cloud is less secure is inaccurate, said Paul Cormier, chief executive of Red Hat, the business IBM acquired two years ago in part in a bet on the growing demand for hybrid cloud services. “Any software could get broken into. The cloud providers could get broken into as well,” he told The Wall Street Journal.
Plus the article points out:
Microsoft itself was a victim in the attack and had some of its source code used to write software downloaded. The hackers viewed software linked to Microsoft’s Azure cloud, the company said. Mr. Smith, at the Senate hearing on the hack on Tuesday, called for a “full examination of what other cloud services and networks the Russians have accessed.”
I don’t think any computer data are secure, but that’s just me. Here in Harrod’s Creek, professionals etch secrets on lumps of boghead. Once the message has been read, one burns it. Good for secrecy, not so good for the environment.
Who will win this battle? The key is marketing. Security is a slippery fish particularly when the boats are owned by Dell, IBM, and Microsoft. The SolarWinds’ attack exploited the cloud and on premises devices. How does one spell “insider threat”? One can unplug computing devices. Put them in a locked room. Don’t let anyone enter the room. Is that a solution?
Stephen E Arnold, March 5, 2021