US Senator Throws Penalty Flag at Microsoft

February 26, 2021

JEDI foul? I am not sure. The bright yellow flag has been lofted and it is beginning its descent. One player has a look of disbelief, “A foul. You think I did a chop block?” That’s the image that went through my mental machinery as I read “US Senator claims Microsoft Failed to Fix Cloud Holes before SolarWinds Hack.”

The write up asserts:

Microsoft Corp’s failure to fix known problems with its cloud software facilitated the massive SolarWinds hack that compromised at least nine federal government agencies, according to security experts and the office of US Senator Ron Wyden. A vulnerability first publicly revealed by researchers in 2017 allows hackers to fake the identity of authorized employees to gain access to customers’ cloud services. The technique was one of many used in the SolarWinds hack.

The year 2017. I recall that was the time the DarkCyber research team began yammering about use of the wonderful Microsoft software update system, access control policies, and business processes to allow estimable Microsoft-friendly software to run. The idea was seamless, smooth, quick, and flawless interaction among users, software, the cloud, and assorted components. Fast. Efficient. Absolutely.

The elected official is quoted as saying:

The federal government spends billions on Microsoft software. It should be cautious about spending any more before we find out why the company didn’t warn the government about the hacking technique that the Russians used, which Microsoft had known about since at least 2017.

The write up points out that Microsoft does not agree with the senator’s observations. In the subsequent testimony (you can view it at this link), one of the top dog Microsoft professionals pointed out “only about 15 percent of the victims in the Solar Winds campaign were hurt via Golden SAML.” SAML is Security Assertion Markup Language. The golden part? Maybe it is the idea that a user or process signs on. If okayed somewhere in the system, the user or process is definitely okay again. Fast. Efficient.

The “golden,” it turns out, is a hack. Get into the SAML approved system, and bingo. Users, processes, whatever are good to go. Get administrator credentials, become the authorizing and verifying service, and the bad actor owns the system. The idea is that a bad actor can pump out green light credentials and do many interesting things. Hey, being authorized and trusted is a wonderful thing, right?

Back to JEDI? Is the senator confident that the Department of Defense has not been compromised? What happens if the JEDI system is penetrated by foreign actors as the DoD wide system is being assembled, deployed, and operated? Does the vulnerability still exist in live systems?

These are good questions? I am not sure the answers are as well crafted.

Stephen E Arnold, February 27, 2021


Real News: Perhaps One Should Refine Real As Content Warranted by Existential Phenomena?

February 26, 2021

I got a kick out of the allegedly accurate story about “real” news outfits’ information. The story is called “Reuters, BBC, and Bellingcat Participated in Covert UK Foreign Office-Funded Programs to Weaken Russia, Leaked Docs Reveal.” I want to remind you, gentle reader, that Reuters’ news stories carry this footer: Our Standards: The Thomson Reuters Trust Principles. Years ago at a conference in London, a representative of the Beeb explained to me that its online behavior was governed by its Code of Conduct, which states:

OUR VALUES

We don’t just focus on what we do – we also care how we do it. So we have six values that everyone across the BBC shares. They’re what we expect from ourselves and each other. These values aren’t just words. We use them to guide our day-to-day decisions and the way we behave when we’re working with other people.

(I just heard chords from Mozart’s Requiem, did you?) And Bellingcat? A fine outfit lacking only taglines with the word “trust” and the rather thin code of conduct thing with a dead link to the “actual” code.

The write up reports in somber tones:

The UK Foreign and Commonwealth Office (FCO) have sponsored Reuters and the BBC to conduct a series of covert programs aimed at promoting regime change inside Russia and undermining its government across Eastern Europe and Central Asia… The leaked materials show the Thomson Reuters Foundation and BBC Media Action participating in a covert information warfare campaign aimed at countering Russia. Working through a shadowy department within the UK FCO known as the Counter Disinformation & Media Development (CDMD), the media organizations operated alongside a collection of intelligence contractors in a secret entity known simply as “the Consortium.”

Let’s assume that the content in the source materials is spot on. Several observations are warranted:

  • The method seems like something from a Brian Freemantle novel. Perhaps the source?
  • Do the notions of “trust” and “codes of conduct” amount to marketing yip yap?
  • What constitutes real news: Fake news from real outfits or real news from leaked documents?

Interesting story if accurate.

Stephen E Arnold, February 26, 2021

Google: Personal Data Unrelated to AI Ethics?

February 26, 2021

I read “Google Finally Reveals the Terrifying Amount of Data Gmail Collects on iPhone.” I thought, “Terrifying? From the Google?” I know that the company has some management challenges, particularly in its ethics unit, but startle, petrify, awe?

The write up asserts:

Google’s labels indicate that its apps will collect plenty of user data for several purposes. This includes third-party advertising, analytics, product personalization, app functionality, and — the most annoying one — other purposes. These categories also contain an “other data types” section that suggests the apps can collect even more information than they’re ready to disclose.

Several questions:

  • Will Google’s definition of ethics allow some interesting cross correlation of user data?
  • How do the iPhone data collection components compare to the Android device data collection components? More data? Less data?
  • How will Google’s estimable, industry leading, super duper artificial intelligence make use of these data to deliver advertising?

Worth monitoring the Google, its data collection, and its use of those data.

Stephen E Arnold, February 26, 2021

Microsoft Concludes SolarWinds Hack Internal Investigation

February 26, 2021

After first denying it may have been a victim of the SolarWinds hack, and that hackers may have used its software to attack others, Microsoft launched an internal investigation to be sure. It now tells us the truth is somewhere in between. Reports SiliconAngle, “Microsoft Finds SolarWinds Hackers Downloaded Code But Didn’t Mount Attacks.” Writer Duncan Riley summarizes:

“Microsoft’s researchers found that there was no case where all repositories related to any single product or service were accessed and no access was gained to the vast majority of source code. In the event where code repositories were accessed, only a few individual files were viewed. For a small number of repositories, there was additional access including in some cases the downloading of component source code. The repositories contained code for a small subset of Azure, Intune and Exchange components. The researchers note that search terms used by the hackers indicate that they were attempting to find secrets but were not successful as Microsoft’s development policy prohibits secrets in code, using automated tools to verify compliance.”

We noted:

“In terms of Microsoft tools being used to attack others, the researchers found no indication of that taking place. They further added that because of so-called defense-in-depth protections, the hackers were also not able to gain access to privileged credentials. To avoid attacks in the future, the researchers recommended that a zero-trust ‘assume breach’ philosophy be adopted as a critical part of defense as well as protecting credentials being essential.”

So they weren’t already taking those basic precautions? That does not inspire confidence. We also do not find the bit about defense-in-depth protections reassuring after the intrusion was missed for months on end. As one outside professional cited by the article notes, we must think twice about how much we trust each link in every supply chain. Including longstanding, supposedly solid players like Microsoft.

Cynthia Murrell, February 26, 2021

Facebook Found Lax in Enforcement of Own Privacy Rules

February 26, 2021

Facebook is refining its filtering AI for app data after investigators at New York’s Department of Financial Services found the company was receiving sensitive information it should not have received. The Jakarta Post reports, “Facebook Blocks Medical Data Shared by Apps.” Facebook regularly accepts app-user information and feeds it to an analysis tool that helps developers improve their apps. It never really wanted responsibility for safeguarding medical and other sensitive data, but did little to block it until now. The write-up quotes state financial services superintendent Linda Lacewell:

“Facebook instructed app developers and websites not to share medical, financial, and other sensitive personal consumer data but took no steps to police this rule. By continuing to do business with app developers that broke the rule, Facebook put itself in a position to profit from sensitive data that it was never supposed to receive in the first place.”

Facebook is now stepping up its efforts to block sensitive information from reaching its databases. We learn:

“Facebook created a list of terms blocked by its systems and has been refining artificial intelligence to more adaptively filter sensitive data not welcomed in the analytics tool, according to the report. The block list contains more than 70,000 terms, including diseases, bodily functions, medical conditions, and real-world locations such as mental health centers, the report said.”

A spokesperson says the company is also “doing more to educate advertisers on how to set-up and use our business tools.” We shall see whether these efforts will be enough to satisfy investigators next time around.

Cynthia Murrell, February 26, 2021

Facebook: The Great Victory

February 25, 2021

“Facebook Says It Will Pay News Industry $1 Billion over 3 Years” makes clear the magnitude of Facebook’s “victory” over a mere nation state. The “real” news report reveals:

Facebook announced Wednesday it plans to invest $1 billion to “support the news industry” over the next three years and admits it “erred on the side of over-enforcement” by banning news links in Australia.

The admission does nothing to diminish the greatness of Facebook and its decision to unfriend or non-like Australia. A member of the Five Eyes, Australia did not reference Facebook’s alleged “bully boy” behavior. The country’s government was delighted to modify its laws in order to accommodate the digital nation state’s wishes.

Beyond Search’s art unit created the “new” flag for the mere nation state of Australia. Here it is:

[image: the “new” flag for Australia]

An Australian official revealed:

The Morrison Government’s world-leading news media bargaining code has just passed the Parliament. This is a significant milestone.

Beyond Search has learned that changes to the school curricula, including replacing existing non-Facebook flags, have begun immediately.

Facebook’s diplomatic skill, its management team’s acumen, and the incredible personal warmth of Mr. Zuckerberg (affectionately known as the Zuck) appear to have forced a mere nation state to reverse course.

Australia is no longer “unfriended” by the digital power house.

Stephen E Arnold, February 25, 2021

Microsoft LinkedIn: Opting and Gigging

February 25, 2021

Microsoft LinkedIn has determined that its millions of job seekers, consultants, and résumé miners can become gig workers. “LinkedIn Is Building a Gig Marketplace” asserts:

LinkedIn is developing a freelance work marketplace that could rival fast-growing gig sites Fiverr and Upwork. The two-sided marketplace will connect freelance service providers with clients in need of temporary workers for one-off projects. Like Fiverr and Upwork, it would focus on knowledge-based work that can be done remotely online…

How long has Microsoft LinkedIn been contemplating this shift? One date offered in the article is 2019. That’s when LinkedIn acquired UpCounsel. The idea is that when one needs a lawyer, one uses a legal version of Match.com. Very me-too. Thomson Reuters offers a service called FindLaw.com, which has been available since the early 2000s. But good ideas take time to gestate. This is not a me-too knock-off of TikTok, which has inspired Facebook and Google innovation. LinkedIn innovated with ProFinder. This is a way for LinkedIn members to find “professionals.”

Sounds good, right?

Writer Joan Westenberg is over LinkedIn, and advises us we would all be better off without it. The Next Web posts, “Delete LinkedIn—You’ll Have Zero F****ing Regrets.” After years of enduring countless messages from those who want to sell her something, she finally deleted her LinkedIn account. Not only did the platform fail to provide her any professional benefits, she was also disheartened by the superficial relationships with her hundreds of contacts. (At least this platform does not call them “friends.”)

Having had some success at sales for her business, Westenberg has observed that the way to sell to someone is to build a real relationship with them. Her favorite way to do so is to offer help with no agenda, to demonstrate her products have value. She writes:

“That is the antithesis of LinkedIn. Where people send you off-brand and clumsy sales pitches at best — or at worst, scrape your details for scalable and utterly useless outbound campaigns. They send pitch decks in the same breath that they introduce themselves for the first time. They want you to buy with no reason why. LinkedIn feels less like a platform for selling, and more like a platform for being sold to. A LinkedIn message is the 2020s equivalent of a cold sales call. You dread it. You hate it. You just don’t want to deal with it. … I would rather focus my attention on platforms where I know people have come to genuinely research, interact, learn and consume. Quora. Angel List. Dribble. Medium. Substack. And yes, Twitter. And I would rather remove the false sense of accomplishment we get from engaging on LinkedIn, where we log into a landfill of utter [excrement] several times a day and feel like we’ve done our bit of networking and growing, with no evidence to support that belief.”

Westenberg advises others to join her in ditching the platform. All we will lose, she concludes, are the vanity metrics of clicks, likes, shares, and comments, all of which provide nothing of value. Hmm. I for one have never gotten a job through the platform, but I do know someone who has. Then there are all the professional courses the platform acquired when it snapped up Lynda.com in 2015, many of which are quite helpful. I suppose each user must weigh the site’s role in their professional lives for themselves, but on this point I agree—LinkedIn is not fundamental to professional success.

Cynthia Murrell, February 25, 2021

Telegram Appeals to Diverse Constituencies

February 25, 2021

Other than heated conflicts between US political parties, the recent coup attempt happened because of the mass spread of conspiracy theories propagated by social media. Social media platforms, including YouTube, Facebook, Twitter, and Instagram, were used to communicate right wing extremist misinformation. In the past, it was difficult for bad acting extremists to pool their “knowledge” and meet like-minded individuals, but the Internet fixed that.

Many social media platforms kicked right wing extremists off their platforms in the crackdowns that followed the coup attempt. According to Vox’s article, “Why Right-Wing Extremists’ New Favorite Platform Is So Dangerous,” the bad actors already found another tool to communicate. Telegram is a Dubai-based platform, and only 2% of its users were US-based until the coup attempt. Now Telegram boasts 25 million new US users. Why do bad actors love Telegram?

“Telegram is currently the most downloaded app in the Google Play Store, having unseated Signal for the top spot in the United States. Telegram’s specific combination of features, however, make it especially popular among American right-wing extremists, who have joined the platform in droves after being kicked off of Twitter, Facebook, and Parler. The latter is another extremist favorite and was recently kicked off the internet, though it’s now back in a very limited form.”

Telegram has three components: private and public channels that only a limited number of people can follow, groups where up to 200,000 can communicate, and Secret Chats: one-on-one encrypted conversations.

Some bad actors can reach larger groups to spread misinformation, and they can do so anonymously. Telegram does not monitor its content, but after it has been used to incite violence its developers did crack down on some of the channels. Telegram is popular for another reason: It is a reasonably reliable app.

Since Telegram is not US-based, it does not need to comply with the country’s standards, but we have heard that the company has a relationship with Mr. Putin’s telecommunications agency. Other countries may find it slightly more challenging to monitor.

Whitney Grace, February 25, 2021

Microsoft on Security

February 25, 2021

I think that some believe the SolarWinds’ misstep should be called “surfing the Microsoft access control process.” I may be wrong on that, of course. I did find some of the statements and quotations in an article called “Microsoft CEO For Global Rules On Data Safety, Privacy.” On the same day that another Microsoftie was explaining the security stumble which has compromised systems at Microsoft itself and a few minor US government agencies, the CEO of the outstanding software company allegedly said:

One thing I hope for is that we don’t fragment, that we are able to, whether it’s on privacy or data safety, bring together a set of global rules that will allow all of us to both comply and make sure that what we build is safe to use.

He allegedly noted:

One of the things we are trying to ensure is how do we have that design principles and engineering processes to ensure that the products and the services are respecting privacy, security, AI ethics as well as the fundamental Internet safety but beyond that there will be regulation.

With some of the source code for Azure, Exchange, and Outlook on the loose, one hopes that those authentication and access control systems are indeed secure. One hopes that the aggressively marketed Windows Defender actually defends. That system appears to have been blind to the surfing maneuvers executed by bad actors for months, maybe a year or more.

Microsoft’s core methods for granting efficient access to trusted users or functions with certifying tokens were compromised. At this time, the scope of the breached systems and the existence, if any, of sleeper code are not yet quantified.

Assurances are useful in some circumstances. Foundational engineering flaws are slightly more challenging to address.

But “hope” is good. Let’s concentrate security with Microsoft procedures. Sounds good, right? Talk is easier than reengineering perhaps?

Stephen E Arnold, February 25, 2021

Artificial Intelligence: Maybe These Numbers Are Artificial?

February 25, 2021

AI this. AI that. Suddenly it’s spring time for algorithmic magic. I read “Worldwide Revenues for AI Skyrocket, Set to Reach $550B by 2024.” That’s an interesting projection. What is “artificial intelligence?” No one has a precise definition. That makes it possible to assert that in 22 months, smart software will be more than halfway to a trillion dollar market. That will make the MBA proteins kick into overdrive.

The write up cites the estimable mid tier consulting firm IDC and its Worldwide Semiannual Artificial Intelligence Tracker. I believe that this may be similar to the PC Magazine editorial team sitting around a lunch table generating lists of hot products and numbers about the uptake of Windows 95. There is nothing wrong with projections. And estimates which aim toward a trillion dollar market are energizing in the Age of Rona.

The write up reports that IDC calculated with near infinite precision these outputs:

“the artificial intelligence (AI) market, including software, hardware, and services, are forecast to grow 16.4% year over year in 2021 to $327.5 billion… By 2024, the market is expected to break the $500 billion mark with a five-year compound annual growth rate (CAGR) of 17.5% and total revenues reaching $554.3 billion.”

Other findings (aside from the stretchy, bendable, fuzzy definition of “artificial intelligence” as including software, hardware, and services):

  • “Software represented 88% of the total AI market revenues in 2020. However, it is the slowest growing category with a five-year CAGR of 17.3%.”
  • “AI Applications took the largest share of revenue at 50% in 2020.”
  • “The AI Services category grew slower than the overall AI market with 13% annual revenue growth in 2020.”
  • “By 2024, AI Hardware is forecast to be a $30.5 billion market with AI Servers representing an 82% revenue share.”

Is AI a sandbox in which anyone can play? The data allegedly reveal:

In the Business Services for AI market, there were only four companies, Ernst & Young, PwC, Deloitte, and Booz Allen Hamilton, that generated revenues of more than $100 million in 1H 2020.

Okay, okay. Let’s step back:

  1. The definition of AI is nebulous which means that the assumptions are not exactly as solid as those of the new leaning Tower of Pisa in San Francisco
  2. The fuzzing of revenue streams, hardware, software, and the mushroom of services is confusing at least to me
  3. AI appears to be another of those one percenter sectors.

Net net: AI will use you whether you are ready or not or whether the systems work or not. We could ask IBM Watson but IBM is allegedly trying to sell its fantastic health care AI business. Googlers are busy revealing the flaws in some Googley assumptions about its AI capabilities. Nevertheless, we have big numbers.

VC, consultants, and MBAs, get ready to bill. By the way, these estimates seem similar to those issued by the estimable mid tier consulting firm for the cognitive search market. Not exactly a hole in one as I recall.

Stephen E Arnold, February 25, 2021
