US Senator Throws Penalty Flag at Microsoft
February 26, 2021
JEDI foul? I am not sure. The bright yellow flag has been lofted and it is beginning its descent. One player has a look of disbelief, “A foul. You think I did a chop block?” That’s the image that went through my mental machinery as I read “US Senator claims Microsoft Failed to Fix Cloud Holes before SolarWinds Hack.”
The write up asserts:
Microsoft Corp’s failure to fix known problems with its cloud software facilitated the massive SolarWinds hack that compromised at least nine federal government agencies, according to security experts and the office of US Senator Ron Wyden. A vulnerability first publicly revealed by researchers in 2017 allows hackers to fake the identity of authorized employees to gain access to customers’ cloud services. The technique was one of many used in the SolarWinds hack.
The year 2017. I recall that was the time the DarkCyber research team began yammering about use of the wonderful Microsoft software update system, access control policies, and business processes to allow estimable Microsoft-friendly software to run. The idea was seamless, smooth, quick, and flawless interaction among users, software, the cloud, and assorted components. Fast. Efficient. Absolutely.
The elected official is quoted as saying:
The federal government spends billions on Microsoft software. It should be cautious about spending any more before we find out why the company didn’t warn the government about the hacking technique that the Russians used, which Microsoft had known about since at least 2017.
The write up points out that Microsoft does not agree with the senator’s observations. In the subsequent testimony (you can view it at this link), one of the top dog Microsoft professionals pointed out “only about 15 percent of the victims in the Solar Winds campaign were hurt via Golden SAML.” SAML is a a security assertion markup language. The golden part? Maybe it is the idea that a user or process signs on. If okayed somewhere in the system, the user or process is definitely okay again. Fast. Efficient.
The “golden” it turns out is a hack. Get into the SAML approved system, and bingo. Users, processes, whatever are good to go. Get administrator credentials and become an authorizing and verifying service and the bad actor owns the system. The idea is that a bad actor can pump out green light credentials and do many interesting things. Hey, being authorized and trusted is a wonderful thing, right?
Back to JEDI? Is the senator confident that the Department of Defense has not been compromised? What happens if the JEDI system is penetrated by foreign actors as the DoD wide system is being assembled, deployed, and operated? Does the vulnerability still exist in live systems?
These are good questions? I am not sure the answers are as well crafted.
Stephen E Arnold, February 27, 2021
What’s a Golden SAML?
Real News: Perhaps One Should Refine Real As Content Warranted by Existential Phenomena?
February 26, 2021
I got a kick out of the allegedly accurate story about “real” news outfits’ information. The story is called “Reuters, BBC, and Bellingcat Participated in Covert UK Foreign Office-Funded Programs to Weaken Russia, Leaked Docs Reveal.” I want to remind you, gentle reader, that Reuters’ news stories carry this footer: Our Standards: The Thomson Reuters Trust Principles. Years ago at a conference in London, a representative of the Beeb explained to me that its online behavior was governed by its Code of Conduct, which states:
OUR VALUES
We don’t just focus on what we do – we also care how we do it. So we have six values that everyone across the BBC shares. They’re what we expect from ourselves and each other. These values aren’t just words. We use them to guide our day-to-day decisions and the way we behave when we’re working with other people.
(I just heard chords from Mozart’s Requiem, did you?) And Bellingcat? A fine outfit lacking only taglines with the word “trust” and the rather thin code of conduct thing with a dead link to the “actual” code.
The write up reports in somber tones:
The UK Foreign and Commonwealth Office (FCO) have sponsored Reuters and the BBC to conduct a series of covert programs aimed at promoting regime change inside Russia and undermining its government across Eastern Europe and Central Asia… The leaked materials show the Thomson Reuters Foundation and BBC Media Action participating in a covert information warfare campaign aimed at countering Russia. Working through a shadowy department within the UK FCO known as the Counter Disinformation & Media Development (CDMD), the media organizations operated alongside a collection of intelligence contractors in a secret entity known simply as “the Consortium.”
Let’s assume that the content in the source materials is spot on. Several observations are warranted:
- The method seems like something from a Brian Freemantle novel. Perhaps the source?
- Are the notions of “trust” and “codes of conduct” appear to be marketing yip yap?
- What constitutes real news: Fake news from real outfits or real news from leaked documents?
Interesting story if accurate.
Stephen E Arnold, February 26, 2021
Google: Personal Data Unrelated to AI Ethics?
February 26, 2021
I read “Google Finally Reveals the Terrifying Amount of Data Gmail Collects on iPhone.” I thought, “Terrifying? From the Google?” I know that the company has some management challenges, particularly in its ethics unit, but startle, petrify, awe?
The write up asserts:
Google’s labels indicate that its apps will collect plenty of user data for several purposes. This includes third-party advertising, analytics, product personalization, app functionality, and — the most annoying one — other purposes. These categories also contain an “other data types” section that suggests the apps can collect even more information than they’re ready to disclose.
Several questions:
- Will Google’s definition of ethics allow some interesting cross correlation of user data?
- How does iPhone data collection components compare to Android device data collection components? More data? Less data?
- How will Google’s estimable, industry leading, super duper artificial intelligence make use of these data to deliver advertising?
Worth monitoring the Google, its data collection, and its use of those data.
Stephen E Arnold, February 26, 2021
Microsoft Concludes SolarWinds Hack Internal Investigation
February 26, 2021
After first denying it may have been a victim of the SolarWinds hack, and that hackers may have used its software to attack others, Microsoft launched an internal investigation to be sure. It now tells us the truth is somewhere in between. Reports SiliconAngle, “Microsoft Finds SolarWinds Hackers Downloaded Code But Didn’t Mount Attacks.” Writer Duncan Riley summarizes:
“Microsoft’s researchers found was that there was no case where all repositories related to any single product or service were accessed and no access was gained to the vast majority of source code. In the event where code repositories were accessed, only a few individual files were viewed. For a small number of repositories, there was additional access including in some cases the downloading of component source code. The repositories contained code for a small subset of Azure, Intune and Exchange components. The researchers notes that search terms used by the hackers indicate that they were attempting to find secrets but were not successful as Microsoft’s development policy prohibits secrets in code, using automated tools to verify compliance.
We noted:
“In terms of Microsoft tools being used to attack others, the researchers found no indication of that taking place. They further added that because of so-called defense-in-depth protections, the hackers were also not able to gain access to privileged credentials. To avoid attacks in the future, the researchers recommended that a zero-trust ‘assume breach’ philosophy be adopted as a critical part of defense as well as protecting credentials being essential.”
So they weren’t already taking those basic precautions? That does not inspire confidence. We also do not find the bit about defense-in-depth protections reassuring after the intrusion was missed for months on end. As one outside professional cited by the article notes, we must think twice about how much we trust each link in every supply chain. Including longstanding, supposedly solid players like Microsoft.
Cynthia Murrell, February 26, 2021
Facebook Found Lax in Enforcement of Own Privacy Rules
February 26, 2021
Facebook is refining its filtering AI for app data after investigators at New York’s Department of Financial Services found the company was receiving sensitive information it should not have received. The Jakarta Post reports, “Facebook Blocks Medical Data Shared by Apps.” Facebook regularly accepts app-user information and feeds it to an analysis tool that helps developers improve their apps. It never really wanted responsibility for safeguarding medical and other sensitive data, but did little to block it until now. The write-up quotes state financial services superintendent Linda Lacewell:
“Facebook instructed app developers and websites not to share medical, financial, and other sensitive personal consumer data but took no steps to police this rule. By continuing to do business with app developers that broke the rule, Facebook put itself in a position to profit from sensitive data that it was never supposed to receive in the first place.”
Facebook is now stepping up its efforts to block sensitive information from reaching its databases. We learn:
“Facebook created a list of terms blocked by its systems and has been refining artificial intelligence to more adaptively filter sensitive data not welcomed in the analytics tool, according to the report. The block list contains more than 70,000 terms, including diseases, bodily functions, medical conditions, and real-world locations such as mental health centers, the report said.”
A spokesperson says the company is also “doing more to educate advertisers on how to set-up and use our business tools.” We shall see whether these efforts will be enough to satisfy investigators next time around.
Cynthia Murrell, February 26, 2021
Facebook: The Great Victory
February 25, 2021
“Facebook Says It Will Pay News Industry $1 Billion over 3 Years” makes clear the magnitude of Facebook’s “victory” over a mere nation state. The “real” news report reveals:
Facebook announced Wednesday it plans to invest $1 billion to “support the news industry” over the next three years and admits it “erred on the side of over-enforcement” by banning news links in Australia.
The admission does nothing to diminish the greatness of Facebook and its decision to unfriend or non-like Australia. A member of the Five Eyes, Australia did not reference Facebook’s alleged “bully boy” behavior. The country’s government was delighted to modify its laws in order to accommodate the digital nation state’s wishes.
Beyond Search’s art unit created the “new” flag for the mere nation state of Australia. Here it is:
An Australian official revealed:
The Morrison Government’s world-leading news media bargaining code has just passed the Parliament. This is a significant milestone.
Beyond Search has learned that changes to the school curricula, including replacing existing non-Facebook flags has begun immediately.
Facebook’s diplomatic skill, its management team’s acumen, and the incredible personal warmth of Mr. Zuckerberg (affectionately known as the Zuck) appear to have forced a mere nation state to reverse course.
Australia is no longer “unfriended” by the digital power house.
Stephen E Arnold, February 25, 2021
Microsoft LinkedIn: Opting and Gigging
February 25, 2021
Microsoft LinkedIn has determined that its millions of job seekers, consultants, and résumé miners can become gig workers. “LinkedIn Is Building a Gig Marketplace” asserts:
LinkedIn is developing a freelance work marketplace that could rival fast-growing gig sites Fiverr and Upwork. The two-sided marketplace will connect freelance service providers with clients in need of temporary workers for one-off projects. Like Fiverr and Upwork, it would focus on knowledge-based work that can be done remotely online…
How long has Microsoft LinkedIn been contemplating this shift? One date offered in the article is 2019. That’s when LinkedIn acquired UpCounsel. The idea is that when one needs a lawyer, one uses a legal version of Match.com. Very me-too. Thomson Reuters offers a service called FindLaw.com, which has been available since the early 2000s. But good ideas take time to gestate. This is not a me too knock off of TikTok which has inspired Facebook and Google innovation. LinkedIn innovated with ProFinder. This is a way for LinkedIn members to find “professionals.”
Sounds good, right?
Writer Joan Westenberg is over LinkedIn, and advises us we would all be better without it. The Next Web posts, “Delete LinkedIn—You’ll Have Zero F****ing Regrets.” After years of enduring countless messages from those who want to sell her something, she finally deleted her LinkedIn account. Not only did the platform fail to provide her any professional benefits, she was also disheartened by the superficial relationships with her hundreds of contacts. (At least this platform does not call them “friends.”)
Having had some success at sales for her business, Westenberg has observed that the way to sell to someone is to build a real relationship with them. Her favorite way to do so is to offer help with no agenda, to demonstrate her products have value. She writes:
“That is the antithesis of LinkedIn. Where people send you off-brand and clumsy sales pitches at best — or at worst, scrape your details for scalable and utterly useless outbound campaigns. They send pitch decks in the same breath that they introduce themselves for the first time. They want you to buy with no reason why. LinkedIn feels less like a platform for selling, and more like a platform for being sold to. A LinkedIn message is the 2020s equivalent of a cold sales call. You dread it. You hate it. You just don’t want to deal with it. … I would rather focus my attention on platforms where I know people have come to genuinely research, interact, learn and consume. Quora. Angel List. Dribble. Medium. Substack. And yes, Twitter. And I would rather remove the false sense of accomplishment we get from engaging on LinkedIn, where we log into a landfill of utter [excrement] several times a day and feel like we’ve done our bit of networking and growing, with no evidence to support that belief.”
Westenberg advises others to join her in ditching the platform. All we will lose, she concludes, are the vanity metrics of clicks, likes, shares, and comments, all of which provide nothing of value. Hmm. I for one have never gotten a job through the platform, but I do know someone who has. Then there are all the professional courses the platform acquired when it snapped up Lynda.com in 2015, many of which are quite helpful. I suppose each user must weigh the site’s role in their professional lives for themselves, but on this point I agree—LinkedIn is not fundamental to professional success.
Cynthia Murrell, February 25, 2021
Telegram Appeals to Diverse Constituencies
February 25, 2021
Other than heated conflicts between US political parties, the recent coup happened because of the mass spread of conspiracy theories propagated by social media. Social media platforms, including YouTube, Facebook, Twitter, and Instagram, were used to communicate right wing extremist misinformation. In the past, it was difficult for bad acting extremists to pool their “knowledge” and meet liked minded individuals, but the Internet fixed that.
Many social media platforms kicked right wing extremists off their platform, because of crackdowns that followed post-coup. According to Vox’s article, “Why Right-Wing Extremists’ New Favorite Platform Is So Dangerous” the bad actors already found another tool to communicate. Telegram is a Dubai-based platform and only 2% of its users were US-based until the coup attempt. Now Telegram boasts 25 million new US users. Why do bad actors love Telegram?
“Telegram is currently the most downloaded app in the Google Play Store, having unseated Signal for the top spot in the United States. Telegram’s specific combination of features, however, make it especially popular among American right-wing extremists, who have joined the platform in droves after being kicked off of Twitter, Facebook, and Parler. The latter is another extremist favorite and was recently kicked off the internet, though it’s now back in a very limited form.”
Telegram has three components: private and public channels that only a limited number of people can follow, groups where up to 200,,000 can communicate, and Secret Chats-one-on-one encrypted conversations.
Some bad actors can reach larger groups to spread misinformation and they can do so anonymously. Telegram does not monitor its content, but after its been used to incite violence its developers did crackdown on some of the channels. Telegram is popular for another reason: It is a reasonably reliable app.
Since Telegram is not US-based it does not need to comply to the country’s standards, but we have heard that the company has a relationship with Mr. Putin’s telecommunications agency. Other countries may find it slightly more challenging to monitor.
Whitney Grace, February 25, 2021
Microsoft on Security
February 25, 2021
I think that some believe the SolarWinds’ misstep should be called surfing the Microsoft access control process.” I may be wrong on that, of course. I did find some of the statements and quotations in an article called “Microsoft CEO For Global Rules On Data Safety, Privacy.” On the same day that another Microsoftie was explaining the security stumble which has compromised systems at Microsoft itself and a few minor US government agencies, the CEO of the outstanding software company allegedly said:
One thing I hope for is that we don’t fragment, that we are able to, whether it’s on privacy or data safety, bring together a set of global rules that will allow all of us to both comply and make sure that what we build is safe to use.
He allegedly noted:
One of the things we are trying to ensure is how do we have that design principles and engineering processes to ensure that the products and the services are respecting privacy, security, AI ethics as well as the fundamental Internet safety but beyond that there will be regulation.
With some of the source code for Azure, Exchange, and Outlook on the loose, one hopes that those authentication and access control systems are indeed secure. One hopes that the aggressively marketed Windows Defender actually defends. That system appears to have been blind to the surfing maneuvers executed by bad actors for months, maybe a year or more.
Microsoft’s core methods for granting efficient access to trusted users or functions with certifying tokens were compromised. At this time, the scope of the breached systems and the existence if any of sleeper code is not yet quantified.
Assurances are useful in some circumstances. Foundational engineering flaws are slightly more challenging to address.
But “hope” is good. Let’s concentrate security with Microsoft procedures. Sounds good, right? Talk is easier than reengineering perhaps?
Stephen E Arnold, February 25, 2021
Artificial Intelligence: Maybe These Numbers Are Artificial?
February 25, 2021
AI this. AI that. Suddenly it’s spring time for algorithmic magic. I read “Worldwide Revenues for AI Skyrocket, Set to Reach $550B by 2024.” That’s an interesting projection. What is “artificial intelligence?” No one has a precise definition. That makes it possible to assert that in 22 months, smart software will be more than half way to a trillion dollar market. That will make the MBA proteins kick into overdrive.
The write up cites the estimable mid tier consulting firm IDC and its Worldwide Semiannual Artificial Intelligence Tracker. I believe that this may be similar to the PC Magazine editorial team sitting around a lunch table generating lists of hot products and numbers about the uptake of windows 95. There is nothing wrong with projections. And estimates which aim toward a trillion dollar market are energizing in the Age of Rona.
The write up reports that IDC calculated with near infinite precision these outputs:
“the artificial intelligence (AI) market, including software, hardware, and services, are forecast to grow 16.4% year over year in 2021 to $327.5 billion… By 2024, the market is expected to break the $500 billion mark with a five-year compound annual growth rate (CAGR) of 17.5% and total revenues reaching $554.3 billion.”
Other findings (aside from the stretchy bendable fuzzy definition of “artificial intelligence” as including software, hardware, and services:
- “Software represented 88% of the total AI market revenues in 2020. However, it is the slowest growing category with a five-year CAGR of 17.3%.”
- “AI Applications took the largest share of revenue at 50% in 2020.”
- “The AI Services category grew slower than the overall AI market with 13% annual revenue growth in 2020.”
- “By 2024, AI Hardware is forecast to be a $30.5 billion market with AI Servers representing an 82% revenue share.”
Is AI a sandbox in which anyone can play? The data allegedly reveal:
In the Business Services for AI market, there were only four companies, Ernst & Young, PwC, Deloitte, and Booz Allen Hamilton, that generated revenues of more than $100 million in 1H 2020.
Okay, okay. Let’s step back:
- The definition of AI is nebulous which means that the assumptions are not exactly as solid as those of the new leaning Tower of Pisa in San Francisco
- The fuzzing of revenue streams, hardware, software, and the mushroom of services is confusing at least to me
- AI appears to be another of those one percenter sectors.
Net net: AI will use you whether you are ready or not or whether the systems work or not. We could ask IBM Watson but IBM is allegedly trying to sell its fantastic health care AI business. Googlers are busy revealing the flaws in some Googley assumptions about its AI capabilities. Nevertheless, we have big numbers.
VC, consultants, and MBAs, get ready to bill. By the way, these estimates seem similar to those issued by the estimable mid tier consulting firm for the cognitive search market. Not exactly a hole in one as I recall.
Stephen E Arnold, February 25, 2021