Microsoft Security and the Azure Cloud: Good Enough?

January 27, 2023

I don’t know anything about the cyber security firm called Silverfort. The company’s Web site makes it clear that the company’s management likes moving icons and Microsoft. Nevertheless, “Microsoft Azure-Based Kerberos Attacks Crack Open Cloud Accounts” points out some alleged vulnerabilities in what Microsoft has positioned as its present and future money machine. The article says:

Silverfort disclosed the issues to Microsoft, and while the company is aware of the weaknesses, it does not plan to fix them, because they are not “traditional” vulnerabilities, Segal says. Microsoft also confirmed that the company does not consider them vulnerabilities. “This technique is not a vulnerability, and to be used successfully a potential attacker would need elevated or administrative rights that grant access to the storage account data,” a Microsoft spokesperson tells Dark Reading [the online service publishing the report].

So a nothingburger (wow, I detest that trendy jargon). I would view Microsoft’s product with a somewhat skeptical eye. Bad actors show some fondness for Microsoft’s approach to engineering.

Shift gears. Consider the article “Microsoft Is Beating Google at Its Own Game.” I thought, “Advertising.” The write up has a different angle:

Following the news of Microsoft’s $10 billion investment, Wedbush analyst Daniel Ives wrote that ChatGPT is a “potential game changer” for Microsoft, and that the company was “not going to repeat the same mistakes” of missing out on social and mobile that it made two decades ago. Microsoft “is clearly being aggressive on this front and not going to be left behind,” Ives wrote.

Yep, smart software. I think the idea is that using OpenAI as a springboard, Microsoft will leapfrog into high clover. The announcement of Microsoft’s investment in OpenAI provides compute resources. If the bet pays off, Microsoft will get real money.

However, what happens when Microsoft’s “good enough” engineering meets OpenAI?

You may disagree, but I think the security vulnerabilities will continue to exist. Furthermore, it is impossible to know what issues will arise when smart software begins to think for Microsoft systems and users.

Security is a cat-and-mouse game. How quickly will bad actors integrate smart software into malware? How easy will it be for smart software to trawl through technical documents looking for interesting information?

The integration of OpenAI into Microsoft systems, services, and software may require more than “good enough” engineering. Now tell me again why I cannot print after updating Windows 11? Exactly what is Google’s game? Excitement about what people believe is the next big thing is one thing. Ignoring some here-and-now issues may be another.

Stephen E Arnold, January 27, 2023

Google, Take Two Aspirin and One AlkaSeltzer: It Is Buzz Time for ChatGPT

January 17, 2023

What do you do when the “trust” outfit Thomson Reuters runs a story with this headline? “Davos 2023: CEOs Buzz about ChatGPT-Style AI at World Economic Forum.” If you are like me, you think, “Meh.”

But what if you are a Google / DeepMind wizard?

Now consider this headline: “Google’s Muse Model Could Be the Next Big Thing for Generative AI.” If you are like me, you think, “Sillycon Valley PR.”

But what if you are an OpenAI or Microsoft brainiac?

In terms of reach, I think the Reuters’ story will be diffused to a broader business audience. The subject is something perceived as magnetic. Any carpetlander can get an associate to demonstrate ChatGPT outputting a search result via You.com or some other knowledge product from the numerous demos available with a mouse click.

But to see the Google Muse story, one has to follow a small number of Sillycon Valley outlets. And what if the carpetlander wants to see a demonstration of the magical, super effective Muse? Yeah, use your imagination.

Perhaps Google and its ineffable search team may want to crunch on another couple of aspirin and get some of that chewable antacid stuff. It is going to be a long PR day at Davos.

One doesn’t have to be a business maven to understand that ChatGPT is a nice subject when the options at Davos are war, plummeting demand for some big buck commodities, Germany’s burning lignite, China’s Covid and Taiwan fixation, and similar economically interesting topics.

What will CEOs and Davos attendees take away from the ChatGPT buzz? My experience suggests some sort of action, even if it is nothing more than investigating whether the technology can deal with pesky customer support inquiries.

And where is Google amidst this buzz? Google has the forward forward, next big thing. Google has academic papers which point out the weaknesses of non Google methods. Google has Muse or at least a news release story about Muse.

Will OpenAI and ChatGPT have legs? Who knows. Good bad or indifferent, ChatGPT has buzz, lots of it. I know because the “trust” outfit says ChatGPT will “transform” the security minded Microsoft. Who knew?

Thus, at this moment in time, Google may become a good customer for over-the-counter headache remedies and AlkaSeltzer. Remember that jingle’s lyrics?

Plop plop, fizz fizz

Oh, what a relief it is.

Maybe ChatGPT will just fade away like a hangover or the tummy ache from eating the whole thing? Is it my imagination or is Microsoft chowing down on croissants whilst explaining what ChatGPT will do for its enterprise customers?

I will consult my “muse.” Oh, sorry, not available.

Stephen E Arnold, January 17, 2023

Microsoft Reveals Its Engineering Approach: Good Enough

January 5, 2023

I was amused to read “State of the Windows: How Many Layers of UI Inconsistencies Are in Windows 11?” We have Windows 11 running on one computer in my office. The others are a lone Windows 7, four Windows 10 computers, four Mac OS machines with different odd names like High Sierra, and two Linux installations with even quirkier names. Sigh.

The article does a masterful job of pointing out that vestiges of XP, Vista, Windows 7, and Windows 8 lurk within the Windows 11 system. I have shared my opinion that Microsoft pushed Windows 11 out to customers to deflect real journalists’ attention from the security wild fire blazing in SolarWinds. Few share my viewpoint. That’s okay. I have been around a long time, and I have witnessed some remarkable executive group think when a crisis threatens to engulf a bonus. Out she goes.

But the article makes very, very clear how Microsoft approaches the engineering of its software and systems. Think of a lousy cake baked for your 12th birthday. To hide the misshapen, mostly inedible mess, someone has layered on either Betty Crocker-type frosting in a can and added healthy squirts of synthetic whipped “real” cream. “Real,” of course, means that it squeaked through the FDA review process. Good enough.

Here’s one example of the treasures within Windows 11. I quote:

The Remote Desktop Connection program is still exactly the same as it was 14 years ago, complete with Aero icons and skeuomorphic common controls.

Priorities? Sure, just not engineering excellence, attention to detail, or consistency in what the user sees.

Do I think this approach is used for Azure and Exchange security?

Now the key question: “What engineering approach will Microsoft use as it applies smart large language models to Web search?”

Stephen E Arnold, January 5, 2022

Another Lilting French Cash Register Chime

January 2, 2023

An outfit called SC Magazine reported that the French cash register — you know the quaint one with brass letters and the cheery red enamel — has chimed again. “Microsoft Fined $64 Million by France over Cookies Used in Bing Searches” reports:

France’s privacy watchdog fined Microsoft €60 million ($64 million) for not offering clear enough instruction for users to reject cookies used for online ads, as part of the move to enforce Europe’s tightening data protection law.

The write up noted:

Microsoft has been ordered to solve the issue within three months by implementing a simplified cookie refusal mechanism, or it could face additional fines of €60,000 a day…

It seems that some US companies do not take those French and EU regulations seriously. My suggestion to the Softies: France is not the US. Get on a couple of special lists and you may find some quality time in a glass room at CDG next time you visit. The good news is that US embassy personnel can visit you without too much red tape bedecking those gray suits.

Stephen E Arnold, January 2, 2023

In France, Tipping in Restaurants, Non. Showing Appreciation to the Government, Oui

December 23, 2022

Ah, France. Land of 200 cheeses, medallion bedecked chickens, and fat American high-tech creatures. Go to a French restaurant and order (in French certainement) a cooked bird. Chow down. Do not tip the waiter. Say “merci” and smile. But if you are a very fat, super large, very unpredictable American technology company, tipping is mandatory.

Don’t believe me?

Read “Microsoft Hit with €60 Million Fine by France for Not Offering Cookie Opt Out on Bing.” Mais oui. The write up reports:

In addition, CNIL will fine Microsoft €60,000 per day within three months if it doesn’t ask users for consent to use an ad fraud detection cookie.

Will Microsoft’s paying up make the governmental doubt about Microsoft become like the mist in Verdon Gorge?

Ho ho ho.

In order to do business in France, American outfits have to go through a number of hoops. Some are easy; others require some bureaucratic finesse. One example is for an American company to sell something to the French government. There are hoops for American cheese. I have been informed that canned American cheese propelled by carbon dioxide is a hoot at some French parties. Mon dieu! Aerosol fromage. Interesting.

With the EU chasing some firms who say one thing and do another, fining some big tech companies is a way to get an allowance from mom. Amazon appears to have decided to just pay up.

Microsoft may enter the fascinating French legal system to explain that its tracking devices are different. Oh, well. Some French judicial officials can use a mobile phone. But the cookie thing? Maybe not so much.

What’s the sound I hear? It is ka-ching.

Finding reasons to take legal action against US big tech companies is easy. The regret, as I understand it, is that it takes a long time to get the money from the Americans.

What’s the outlook for 2023? That’s a softball question. The answer is more lawyers pecking on the confused Americans. The Monaco Grand Prix is in France right?

Stephen E Arnold, December 23, 2022

Microsoft Software Quality: Word Might Stop Working. No Big Deal

December 20, 2022

I read a short item which underscores my doubts about Microsoft’s quality methods. I have questions about security issues in Microsoft’s enterprise and cloud products and services. But those are mostly “new” and the Big Hope for future revenues. Perhaps games will arrive to make the Softies buy Teslas and beef up their retirement accounts, just not yet.

“Microsoft Confirms Taskbar Bugs, Broken File Explorer, and App Issues in Windows 10” reports:

If you use Windows 10, you might experience the following symptoms:

  • The Weather or News and Interests widget or icons flickers on the Windows taskbar
  • The Windows taskbar stops responding
  • Windows Explorer stops responding
  • Applications including Microsoft Word or Excel might stop responding if they are open when the issue occurs

The weather and news are no big loss in my opinion. Microsoft believes that Windows 10 users want weather and news despite the mobile phone revolution. (Remember Microsoft and its play to create a mobile phone? Yeah, that was spun as fail early and fail fast. I think of that initiative as a basic fail, not a fast or early fail. Plain old fail.)

The Taskbar and file manager are slightly more interesting. A number of routine functions go south for some lucky Windows 10 users.

But the zinger fail is that Microsoft Word or Excel die. Now that’s just what’s needed to make the day of a person who is working on a report at a so-so consulting firm like one of the blue-chip outfits in Manhattan, a newbie at a big law firm with former government officials waiting for the worker bees to deliver a document for the bushy eyebrow set to review, or a Wall Street type modifying a model to make his, her, thems partners lots of money.

These happy users are supposed to be able to handle stress and pressure.

I wonder if Microsoft executives have been in a consulting firm, law firm, or financial services company when a must have app stops responding. Probably not because these wizards are working on improving Microsoft’s quality control processes. Could Redmond’s approach to quality be blamed on an intern, a contractor, or a part time worker? My hunch is that getting blamed is not a component of the top dogs’ job description.

Stephen E Arnold, December 20, 2022

Google to Microsoft: We Are Trying to Be Helpful

December 16, 2022

Ah, those fun loving alleged monopolies are in the news again. Microsoft — famous in some circles for its interesting approach to security issues — allegedly has an Internet Explorer security problem. Wait! I thought the whole wide world was using Microsoft Edge, the new and improved solution to Web access.

According to “CVE-2022-41128: Type Confusion in Internet Explorer’s JScript9 Engine,” Internet Explorer after decades of continuous improvement and its replacement has a security vulnerability. Are you still using Internet Explorer? The answer may be, “Sure you are.”

With Internet Explorer following Bob down the trail of Microsoft’s most impressive software, the Redmond crowd the Microsoft Office application uses bits and pieces of Internet Explorer. Thrilling, right?

Google explains the Microsoft issue this way:

The JIT compiler generates code that will perform a type check on the variable q at the entry of the boom function. The JIT compiler wrongly assumes the type will not change throughout the rest of the function. This assumption is broken when q is changed from d (an Int32Array) to e (an Object). When executing q[0] = 0x42424242, the compiled code still thinks it is dealing with the previous Int32Array and uses the corresponding offsets. In reality, it is writing to wherever e.e points to in the case of a 32-bit process or e.d in the case of a 64-bit process. Based on the patch, the bug seems to lie within a flawed check in GlobOpt::OptArraySrc, one of the optimization phases. GlobOpt::OptArraySrc calls ShouldExpectConventionalArrayIndexValue and based on its return value will (in some cases wrongly) skip some code.

Got that.

The main idea is that Google is calling attention to the future great online game company’s approach to software engineering. In a word or two, “Poor to poorer.”

My view of the helpful announcement is that Microsoft Certified Professionals will have to explain this problem. Google’s sales team will happily point out this and other flaws in the Microsoft approach to enterprise software.

If you can’t trust a Web browser or remove flawed code from a widely used app, what’s the fix?

Ready for the answer: “Helpful cyber security revelations that make the online ad giant look like a friendly, fluffy Googzilla.” Being helpful is the optimal way to conduct business.

Stephen E Arnold, December 16, 2022

Microsoft and the London Stock Exchange: Lock In Maybe?

December 12, 2022

I believe everything I read on the Internet. That’s one way I keep in touch with my inner GenZ self. Sometimes, however, stories ring true; for example, “Microsoft buys Near 4% Stake in London Stock Exchange As Part of 10 Year Cloud Deal.” I read the title via my dinobaby translation system and understood, “Yep, lock in, kiddo. Oh, Amazon AWS and Google Cloud professionals. Do not bother to call us. We will call you, okay.”

You may disagree with my dinobaby translator. That’s okay. I let many flowers bloom, unlike the London Stock Exchange which goes at life in what appear to be 10 year contracts. That’s a long time in techno-cloud land in my opinion.

The write up says:

Scott Guthrie, Microsoft’s executive vice president for the Cloud and AI Group, will be appointed as a non-executive director of LSEG.

I wonder if he will demo Microsoft Teams egames features and the security systems for Microsoft Exchange Server? Will he offer helpful inputs to those who might want to give an off the shelf AWS Sagemaker system a spin? What about the ever reliable Google VPN service which is super reliable and in demand right now?

The answer to these questions strikes me as obvious. Azure is better, faster, cheaper, more reliable, and easier. I wonder if these benefits entered into the negotiation. (Personally I like the security angle and the cheaper plus.) My instinct has a tiny voice too. It is whispering to me, “Microsoft will deliver premier service to the London Stock Exchange when (which is unlikely) the Azure system hiccups.”

I noted this passage too:

Microsoft and LSEG will also work together in developing new professional collaboration tools. LSEG has developed a product called Workspace, a data and analytics platform. The two companies will be working on advancing this product and integrating it with Microsoft Teams, the firm’s messaging app.

I am tempted to reference the source of the stake, but I won’t. The parties involved make content marketing hay around the “trust” word.

I have a couple of observations:

  1. Microsoft has added a neon underline to the old marketing concept of “lock in.”
  2. The Redmond security giant can point to a big time financial customer and market its secure cloud solutions. Well, they are secure… at this time.
  3. The Amazon and Google cloud professionals will definitely find a way to respond.

Net net: Isn’t it wonderful that big tech innovation involves owning financial plumbing and access?

Stephen E Arnold, December 12, 2022

France and US Businesses: Semi Permanent Immiscibility?

November 30, 2022

Unlike a pendulum, the French government and two US high-technology poster kids don’t see eye to eye. However, governments, particularly those in France, are not impressed with the business practices of some US firms. The tried and true “Senator, thank you for the question” and assurances that the companies in question are following the ethical precepts of respected French philosophers don’t work. “France Directs Schools to Stop Using Microsoft Office & Google Workspace” reports:

In a recent response to an interrogation by a Member of the Parliament, the French Minister of Education clarified that French schools should not use Microsoft 365 and Google Workspace. The reasons behind the Ministry’s position are twofold. First, the Ministry is concerned about the confidentiality and lawfulness of data transfers. Second, reliance on European providers is coherent with the government’s “cloud at the center” policy.

The write up explains that France’s view of privacy and the practices of Apple and Google are not in sync. Then there is the issue of the cloud and where data and information “are.” Given modern network and data center technology, the “there” is often quite tricky to pin down. Tricky is not a word the current French government feels comfortable using when talking about schools, teachers, students, and research conducted by French universities.

How will this play out? France will get its way. That’s why some chickens have labels which mean conformance. No label on that chicken, no deal.

Stephen E Arnold, November 30, 2022

Microsoft Fancy Dances When Activision Plays a Tune

November 29, 2022

In order to convince the European Commission it should be allowed to acquire Activision Blizzard, Microsoft is sampling some humble pie. Android Authority reports, “Microsoft Admits Xbox vs PlayStation War Is Over and It Lost.” Writer Ryan McNeal tells us:

“The EU’s European Commission has announced in a press release that it has opened up an in-depth investigation into Microsoft’s proposed acquisition of Activision Blizzard. This investigation was activated after the proposed deadline EU regulators set back in September when the deal was first being looked into. According to the press release, the new inquiry now has 90 working days — until March 23, 2023 — to make a decision. The Commission claims that it is concerned Microsoft’s acquisition could upset the balance in the market, causing a reduction in competition.”

Specifically, the commission suspects Microsoft might make successful PlayStation games like “Call of Duty” into Xbox-only titles. Heavens no, the company insists, it promises to make games available on both platforms simultaneously. This is all about giving the people greater access to games, a representative asserts. And here we thought it was all about creating a distraction. McNeal continues:

“Since the first time it hit a snag with European regulators, Microsoft has attempted to utilize an underdog strategy to delegitimize Sony’s arguments against the deal. In response to today’s investigation announcement, Microsoft attempted to drive that talking point home by admitting that Sony is the market leader.”

Will this self-effacing logic work? We should find out by the end of March. Nota bene: Our team thinks that the push for Activision was possibly a way to deflect attention from some interesting Microsoft security issues. Games are big money, but the issue of Teams in Microsoft 365 may be an even more sensitive issue.

Cynthia Murrell, November 29, 2022
