• Home
• About
• Writers
• Landscape
• Wizards Index
• Fraud
• Wanna Be Like Larry?

Google to Microsoft: We Are Trying to Be Helpful

Ah, those fun loving alleged monopolies are in the news again. Microsoft — famous in some circles for its interesting approach to security issues — allegedly has an Internet Explorer security problem. Wait! I thought the whole wide world was using Microsoft Edge, the new and improved solution to Web access.

According to “CVE-2022-41128: Type Confusion in Internet Explorer’s JScript9 Engine,” Internet Explorer after decades of continuous improvement and its replacement has a security vulnerability. Are you still using Internet Explorer? The answer may be, “Sure you are.”

With Internet Explorer following Bob down the trail of Microsoft’s most impressive software, the Redmond crowd the Microsoft Office application uses bits and pieces of Internet Explorer. Thrilling, right?

Google explains the Microsoft issue this way:

The JIT compiler generates code that will perform a type check on the variable q at the entry of the boom function. The JIT compiler wrongly assumes the type will not change throughout the rest of the function. This assumption is broken when q is changed from d (an Int32Array) to e (an Object). When executing q[0] = 0x42424242, the compiled code still thinks it is dealing with the previous Int32Array and uses the corresponding offsets. In reality, it is writing to wherever e.e points to in the case of a 32-bit process or e.d in the case of a 64-bit process. Based on the patch, the bug seems to lie within a flawed check in GlobOpt::OptArraySrc, one of the optimization phases. GlobOpt::OptArraySrc calls ShouldExpectConventionalArrayIndexValue and based on its return value will (in some cases wrongly) skip some code.

Got that.

The main idea is that Google is calling attention to the future great online game company’s approach to software engineering. In a word or two, “Poor to poorer.”

My view of the helpful announcement is that Microsoft Certified Professionals will have to explain this problem. Google’s sales team will happily point out this and other flaws in the Microsoft approach to enterprise software.

If you can’t trust a Web browser or remove flawed code from a widely used app, what’s the fix?

Ready for the answer: “Helpful cyber security revelations that make the online ad giant look like a friendly, fluffy Googzilla. Being helpful is the optimal way to conduct business.

Stephen E Arnold, December 16, 2022

Microsoft and the London Stock Exchange: Lock In Maybe?

I believe everything I read on the Internet. That’s one way I keep in touch with my inner GenZ self. Sometimes, however, stories ring true; for example, “Microsoft buys Near 4% Stake in London Stock Exchange As Part of 10 Year Cloud Deal.” I read the title via my dinobaby translation system and understood, “Yep, lock in, kiddo. Oh, Amazon AWS and Google Cloud professionals. Do not bother to call us. We will call you, okay.”

You may disagree with my dinobaby translator. That’s okay. I let many flowers bloom, unlike the London Stock Exchange which goes at life in what appear to be 10 year contracts. That’s a long time in techno-cloud land in my opinion.

The write up says:

Scott Guthrie, Microsoft’s executive vice president for the Cloud and AI Group, will be appointed as a non-executive director of LSEG.

I wonder if he will demo Microsoft Teams egames features and the security systems for Microsoft Exchange Server? Will he offer helpful inputs to those who might want to give an off the shelf AWS Sagemaker system a spin? What about the ever reliable Google VPN service which is super reliable and in demand right now?

The answer to these questions strike me as obvious. Azure is better, faster, cheaper, more reliable, and easier. I wonder if these benefits entered into the negotiation. (Personally I like the security angle and the cheaper plus.) My instinct has a tiny voice too. It is whispering to me, “Microsoft will deliver premier service to the London Stock Exchange when (which is unlikely) the system Azure system hiccups.

I noted this passage too:

Microsoft and LSEG will also work together in developing new professional collaboration tools. LSEG has developed a product called Workspace, a data and analytics platform. The two companies will be working on advancing this product and integrating it with Microsoft Teams, the firm’s messaging app.

I am tempted to reference the source of the stake, but I won’t. The parties involved make content marketing hay around the “trust” word.

I have a couple of observations:

1. Microsoft has added a neon underline to the old marketing concept of “lock in.”
2. The Redmond security giant can point to a big time financial customer and market its secure cloud solutions. Well, they are secure… at this time.
3. The Amazon and Google cloud professionals will definitely find a way to respond.

Net net: Isn’t it wonderful that big tech innovation involves owning financial plumbing and access?

Stephen E Arnold, December 12, 2022

France and US Businesses: Semi Permanent Immiscibility?

Unlike a pendulum, the French government and two US high-technology poster kids don’t see eye to eye. However, governments, particularly those in France, are not impressed with the business practices of some US firms. The tried and true “Senator, thank you for the question” and assurances that the companies in questions are following the ethical precepts of respected French philosophers don’t work. “France Directs Schools to Stop Using Microsoft Office & Google Workspace” reports:

In a recent response to an interrogation by a Member of the Parliament, the French Minister of Education clarified that French schools should not use Microsoft 365 and Google Workspace. The reasons behind the Ministry’s position are twofold. First, the Ministry is concerned about the confidentiality and lawfulness of data transfers. Second, reliance on European providers is coherent with the government’s “cloud at the center” policy.

The write up explains that France’s view of privacy and the practices of Apple and Google are not in sync. Then there is the issue of the cloud and where data and information “are.” Given modern network and data center technology, the “there” is often quite tricky to pin down. Tricky is not a word the current French government feels comfortable using when talking about schools, teachers, students, and research conducted by French universities.

How will this play out? France will get its way. That’s why some chickens have labels which mean conformance. No label on that chicken, no deal.

Stephen E Arnold, November 30, 2022

Microsoft Fancy Dances When Activision Plays a Tune

In order to convince the European Commission it should be allowed to acquire Activision Blizzard, Microsoft is sampling some humble pie. Android Authority reports, “Microsoft Admits Xbox vs PlayStation War Is Over and It Lost.” Write Ryan McNeal tells us:

“The EU’s European Commission has announced in a press release that it has opened up an in-depth investigation into Microsoft’s proposed acquisition of Activision Blizzard. This investigation was activated after the proposed deadline EU regulators set back in September when the deal was first being looked into. According to the press release, the new inquiry now has 90 working days — until March 23, 2023 — to make a decision. The Commission claims that it is concerned Microsoft’s acquisition could upset the balance in the market, causing a reduction in competition.”

Specifically, the commission suspects Microsoft might make successful PlayStation games like “Call of Duty” into Xbox-only titles. Heavens no, the company insists, it promises to make games available on both platforms simultaneously. This is all about giving the people greater access to games, a representative asserts. And here we thought it was all about creating a distraction. McNeal continues:

“Since the first time it hit a snag with European regulators, Microsoft has attempted to utilize an underdog strategy to delegitimize Sony’s arguments against the deal. In response to today’s investigation announcement, Microsoft attempted to drive that talking point home by admitting that Sony is the market leader.”

Will this self-effacing logic work? We should find out by the end of March. Nota bene: Our team thinks that the push for Activision was possibly a way to deflect attention from some interesting Microsoft security issues. Games are big money, but the issue of Teams in Microsoft 365 may be an even more sensitive issue.

Cynthia Murrell, November 29, 2022

LinkedIn Helps Users Spot Fake Accounts it Lets Slip Through

Fake LinkedIn accounts are a fact of life. One might wonder how it is a professional social media site does not require member verification. It seems like a must have, but then LinkedIn is a Microsoft property after all. Now the site is making at least a show of doing something about the issue. No, not increasing efforts to prevent or remove fake profiles; don’t be silly. This is a case of user beware. According to CNN, “LinkedIn Knows There Are Fake Accounts on Its Site. Now It Wants to Help Users Spot Them.” Reporter Clare Duffy writes:

“LinkedIn is rolling out to some users the opportunity to verify their profile using a work email address or phone number. That verification will be incorporated into a new, ‘About this Profile’ section that will also show when a profile was created and last updated, to give users additional context about an account they may be considering connecting with. If an account was created very recently and has other potential red flags, such as an unusual work history, it could be a sign that users should proceed with caution when interacting with it. The verification option will be available to a limited number of companies at first, but will become more widely available over time, and the ‘About this Profile’ section will roll out globally in the coming weeks, according to the company. The platform will also begin alerting users if a message they have received seems suspicious — such as those that invite the recipient to continue the conversation on another platform including WhatsApp (a common move in crypto currency-related scams) or those that ask for personal information.”

We are told detecting and removing bots or fake accounts is just too tricky and subjective to expect LinkedIn to get it right. It is funny how “empowering users” often translates to “passing the buck.” So for those who must use LinkedIn, just remember it is up to you to verify others are who they say they are.

Cynthia Murrell, November 11, 2022

A Flashing Yellow Light for GitHub: Will Indifferent Drivers Notice?

I read “We’ve Filed a Law­suit Chal­leng­ing GitHub Copi­lot, an AI Prod­uct That Relies on Unprece­dented Open-Source Soft­ware Piracy. Because AI Needs to Be Bair & Eth­i­cal for Every­one.” The write up reports:

… we’ve filed a class-action law­suit in US fed­eral court in San Fran­cisco, CA on behalf of a pro­posed class of pos­si­bly mil­lions of GitHub users. We are chal­leng­ing the legal­ity of GitHub Copi­lot (and a related prod­uct, OpenAI Codex, which pow­ers Copi­lot). The suit has been filed against a set of defen­dants that includes GitHub, Microsoft (owner of GitHub), and OpenAI.

My view of GitHub is that it presents a number of challenges. On one hand, Microsoft is a pedal-to-the-metal commercial outfit and GitHub is an outfit with some roots in the open source “community” world. Many intelware solutions depend on open source software. In my experience, it is difficult to determine whether cyber security vendors or intelware vendors offer software free of open source code. I am not sure the top dogs in these firms know. Big commercial companies love open source software because these firms see a way to avoid the handcuffs proprietary code vendors use for lock in and lock down without a permission slip. These permissions can be purchased. This fee irritates many of the largest companies which are avid users of open source software.

A second challenge of GitHub is that it serves bad actors in two interesting ways. Those eager to compromise networks, automate phishing attacks, and probe the soft underbelly of companies “protected” by somewhat Swiss Cheese like digital moats rely on open source tools. Second, the libraries for some code on GitHub is fiddled so that those who use libraries but never check too closely about their plumbing are super duper attack and compromise levering vectors. When I was in Romania, “Hooray for GitHub” was, in my opinion, one of the more popular youth hang out disco hits.

The write up adds a new twist: Allegedly inappropriate use of the intellectual property of open source software on GitHub. The write up states:

As far as we know, this is the first class-action case in the US chal­leng­ing the train­ing and out­put of AI sys­tems. It will not be the last. AI sys­tems are not exempt from the law. Those who cre­ate and oper­ate these sys­tems must remain account­able. If com­pa­nies like Microsoft, GitHub, and OpenAI choose to dis­re­gard the law, they should not expect that we the pub­lic will sit still. AI needs to be fair & eth­i­cal for every­one.

This issue is an important one. The friction for this matter is that the US government is dependent on open source to some degree. Microsoft is a major US government contractor. A number of Federal agencies are providing money to companies engaged in strategically significant research and development of artificial intelligence.

The different parties to this issue may exert or apply influence.

Worth watching because Amazon- and Google-type companies want to be the Big Dog in smart software. Once the basic technology has been appropriated, will these types of companies pull the plug on open source support and god cloud commercial? Will attorneys benefit while the open source community suffers? Will this legal matter mark the start of a sharp decline in open source software?

Stephen E Arnold, November 9, 2022

Microsoft and Security: Customers! Do Better

I have a hunch that cyber security is like Google in the early 2000s. Magic, distractions, and blather helped disguise the firm’s systems and methods for generating revenue. Now (November 4, 2022) the cyber security sector may be taking a page or two from the early Google game plan. Who can blame the cyber security vendors, all 3000 to 7000 of them in the US alone. The variance is a result of the methodology of the business analysts answering the question, “How many companies are chasing commercial, non profit, and government prospects. Either number makes it clear that cyber security is a very big business.

Now stick with me: What operating system and office software is used by about two thirds of the organizations in the United States. The answer, if I can believe the data from my research team, is close enough for horse shoes. Personally, I would peg the penetration of Microsoft software at closer to 90 percent, but let’s go with the 67 percent, plus or minus five percent. That means that cyber security vendors have to provide security for companies already obtaining allegedly secure software and services from Microsoft.

With cyber crime, breaches, zero days, etc, etc going up with dizzying speed, what’s the message I carry away? The answer is, “Cyber security is not working.”

I read “Microsoft Warns Businesses to Up Their Security Game against These Top Threats.” The article then identifies security as a problem. The solution, if I understand the article, is:

Microsoft suggests throughout the MDDR that organizations implement a number of its products into its tech stack to protect against and deal with threats, such as its Security Service Line for support throughout a ransomware attack, and Microsoft Defender for Endpoint for cloud-based protection.

If you are not familiar with MDDR the acronym stands for the Microsoft Digital Defense Report. Presumably Microsoft’s crack security experts and the best available cyber consultants crafted the methods summarized in the article.

The irony is that Microsoft’s own products and services create a large attack surface. Microsoft’s own security tools seem to have chinks, cracks, and gaps which assorted bad actors can exploit.

Net net: Perhaps Microsoft should do security better. Aren’t customers buying solutions which work and do in a way that protects business information and processes? Perhaps less writing about security and more doing security could be helpful?

Stephen E Arnold, November 7, 2022

Microsoft Downplays Revelation of Massive Data Leak

Microsoft customers have reason to be annoyed despite the company’s insistence there is nothing to see here. “Microsoft Under Fire After Leaking 2.4TB of Data from Customers Including Contracts, Emails, and More,” reveals Tech Times. Citing a report by cybersecurity firm SOCRadar, writer Joseph Henry tells us:

“According to SOCRadar post, 2.4TB of confidential data from more than 65,000 entities has been leaked because of the misconfiguration in the data bucket. The cybersecurity firm confirms that the data involved in the leak include State of Work (SoW) documents, PII (Personally Identifiable Information) data, Proof-of-Execution (PoE) data, customer emails, project details, product offers, and more. SOCRadar also notes that the above mentioned data spanned five years, particularly from 2017 to August 2022. It should be noted that Microsoft did not include the number of affected customers in its announcement. Unfortunately, instead of acknowledging SOCRadar’s finding, the Redmond giant downplayed the statement by disapproving of its post. Microsoft added that its investigation showed that no customer accounts were compromised in the process.”

Really? What a stroke of good fortune. Henry goes on to share some customer comments regarding the data leak as collected by Ars Technica. Apparently few are reassured by the company’s insistence SOCRadar is exaggerating. If nothing else, some note, this incident highlights Microsoft’s policy of retaining sensitive information in perpetuity. That is not exactly a security best practice. See the SOCRadar post for its description of the misconfiguration that caused this kerfuffle and its potential ramifications.

Which big tech giant will be the next one to get an F in security? My hunch is that it is Amazon’s turn to lose the game of cyber security musical chairs.

Cynthia Murrell, November 1, 2022

Microsoft Goggle Chunder

I can resist. I read “Microsoft’s Army Goggles Left U.S. Soldiers with Nausea, Headaches in Test.” I am not too familiar with the training drills for US military personnel. Some create some discomfort. I can here “no pain, no pain” and other friendly, supportive, positive comments.

The write up explains:

U.S. soldiers using Microsoft’s new goggles in their latest field test suffered “mission-affecting physical impairments” including headaches, eyestrain and nausea, according to a summary of the exercise compiled by the Pentagon’s testing office.

How long did it take to create the interesting side effects? Less than three hours.

The trigger for the chunder is Microsoft’s innovation Integrated Visual Augmentation System. I wonder if the acronym or code for the gizmos will be ZUCK which rhymes with upchuck? Probably not.

One government official who works in procurement allegedly said:

the service “conducted a thorough operational evaluation” and “is fully aware” of the testing office’s concerns. The Army is adjusting the program’s fielding and schedule “to allow time to develop solutions to the issues identified…”

One of the issues may be the illumination of the gizmo itself. If true, is this a device designed by those who love science fiction movies or engineers with expertise in warfighting gear? My hunch is that the video game and motion picture aficionados outnumber the combat seasoned on the headgear team.

Bolting a weapon on a robot dog might be an alternative in my opinion.

Will more information be forthcoming? My hunch is that the next report will contain more positive information. F35 pilots seem to be doing okay with their new immersive helmets. Are pilots different from other military professionals?

What if the F35 helmet approach is better than the Softies who continue to struggle with getting printers to work in a way users expect?

Stephen E Arnold, October 19, 2022

Want a Cyber Security Job But Know Zero? Will a Fake LinkedIn Profile Help You?

LinkedIn has unwittingly become a vector for the spread of false information. Krebs on Security reports, “Fake CISO Profiles on LinkedIn Target Fortune 500s.” A slew of fake LinkedIn profiles mysteriously appeared for Chief Information Security Officers purportedly serving at high-profile companies. Some were entirely original fabrications, but at least one lifted a description from the actual CISO’s profile. See the write-up for screenshots of a few offending profiles.

Who is fooled? Organizations looking for cybersecurity professionals. And not just on LinkedIn. Apparently other sources unwittingly perpetuated the lies, sources like Google Search, Apollo.io, Signalhire, Cybersecurity Ventures, and Cybercrime Magazine’s CISO 500 list. Whoever is behind the effort must have been delighted. It was apparently Honeywell’s former CISO Rich Mason who first noticed the trend and sounded the alarm. Krebs notes:

“Again, we don’t know much about who or what is behind these profiles, but in August the security firm Mandiant (recently acquired by Google) told Bloomberg that hackers working for the North Korean government have been copying resumes and profiles from leading job listing platforms LinkedIn and Indeed, as part of an elaborate scheme to land jobs at crypto currency firms. None of the profiles listed here responded to requests for comment (or to become a connection). In a statement provided to KrebsOnSecurity, LinkedIn said its teams were actively working to take these fake accounts down.”

We are sure they are. The article suggests some ways the site could make things easier on themselves in the future. Maybe even catch and remove such fabrications before they make it to other media channels. We are told:

“LinkedIn could take one simple step that would make it far easier for people to make informed decisions about whether to trust a given profile: Add a ‘created on’ date for every profile. Twitter does this, and it’s enormously helpful for filtering out a great deal of noise and unwanted communications. The former CISO Mason said LinkedIn also could experiment with offering something akin to Twitter’s verified mark to users who chose to validate that they can respond to email at the domain associated with their stated current employer. … Mason said LinkedIn also needs a more streamlined process for allowing employers to remove phony employee accounts.”

It is unlikely that we’ve seen the last of this tactic. LinkedIn should bolster its safeguards and streamline its reporting process. Meanwhile, other sources must learn to verify information they find on the site. Safeguarding one’s reputation for accurate data should be worth the effort.

Cynthia Murrell, October 17, 2022

« Previous Page — Next Page »

• 

• Search the site

•  

  Subscribe to Beyond Search

  • 
  • 
   
  • 
   
  
  Feature archive
  News archive
   
  
  
  Stephen E. Arnold monitors search, content processing, text mining and related topics from his high-tech nerve center in rural Kentucky. He tries to winnow the goose feathers from the giblets. He works with colleagues worldwide to make this Web log useful to those who want to go "beyond search". Contact him at sa [at] arnoldit.com. His Web site with additional information about search is arnoldit.com.

• Categories

  • 3D-Printing
  • Acquisition
  • Advertising
  • Aggregation
  • AI
  • Alexa
  • algorithms
  • Amazon
  • Amazonia
  • Analytics
  • Appliance
  • Applications
  • Audio
  • Augmented Reality
  • Big data
  • Bing
  • Bitcoin
  • Bitext
  • Book review
  • Business intelligence
  • Business process
  • Business strategy
  • Censorship
  • Cloud computing
  • Company Profile
  • Conferences
  • Connectors
  • Consulting
  • Consumer
  • Content processing
  • Copyright
  • Corporate Concerns
  • Cost
  • Crawl
  • Crowdfunding
  • cryptocurrency
  • Customer support
  • Cyber OSINT
  • cybercrime
  • cybersecurity
  • Dark Web
  • DarkCyber
  • Data
  • Data mining
  • Database
  • Deepfakes
  • Digital Assistant
  • Digital Library
  • E2EE
  • ECommerce
  • EDiscovery
  • Editorial opinion
  • Education
  • Emoticons
  • Enterprise
  • Enterprise search
  • Entity extraction
  • Ethics
  • Facebook
  • Faceted search
  • Factualities
  • Feature
  • Federated search
  • Financial
  • Google
  • Governance
  • Government
  • Hackers
  • healthcare
  • IBM Watson
  • Image search
  • Indexing
  • Infrastructure
  • Innovation
  • Integration
  • intelware
  • Interface
  • Internet
  • Interview
  • Investment
  • law enforcement
  • Legal matters
  • Library automation
  • Management
  • Marketing
  • Mathematics
  • Metadata
  • Microsoft
  • Mobile
  • Natural language processing
  • News
  • NGIA
  • Online (general)
  • Open Access
  • Open source
  • OSINT
  • Osint Radar
  • Overflight
  • Palantir
  • Patents
  • Personnel
  • Podcast
  • Policeware
  • Portals
  • Predictive coding
  • Privacy
  • Profile
  • Publishing
  • Quotation
  • Real time search
  • Reference tool
  • Rich media
  • Robot Writer
  • Search
  • Search enabled applications
  • search engine
  • Search quality
  • Security
  • Semantic
  • Sentiment analysis
  • SEO
  • SharePoint
  • Short Honks
  • Smart Technology
  • Social
  • Social Media
  • software
  • Statistics
  • Taxonomy
  • Technology
  • Text analytics
  • Text processing
  • Tools
  • Tor
  • Training
  • Translation
  • Twitter
  • Uncategorized
  • Unstructured Data
  • User experience
  • User Interface
  • Vertical search
  • Video
  • visualization
  • Voice search
  • Voice technology
  • Web 3
  • Web Services
  • Webinar
  • Windows
  • Work flow
  • XML
  • Yahoo

• Archives

  Archives Select Month May 2024 April 2024 March 2024 February 2024 January 2024 December 2023 November 2023 October 2023 September 2023 August 2023 July 2023 June 2023 May 2023 April 2023 March 2023 February 2023 January 2023 December 2022 November 2022 October 2022 September 2022 August 2022 July 2022 June 2022 May 2022 April 2022 March 2022 February 2022 January 2022 December 2021 November 2021 October 2021 September 2021 August 2021 July 2021 June 2021 May 2021 April 2021 March 2021 February 2021 January 2021 December 2020 November 2020 October 2020 September 2020 August 2020 July 2020 June 2020 May 2020 April 2020 March 2020 February 2020 January 2020 December 2019 November 2019 October 2019 September 2019 August 2019 July 2019 June 2019 May 2019 April 2019 March 2019 February 2019 January 2019 December 2018 November 2018 October 2018 September 2018 August 2018 July 2018 June 2018 May 2018 April 2018 March 2018 February 2018 January 2018 December 2017 November 2017 October 2017 September 2017 August 2017 July 2017 June 2017 May 2017 April 2017 March 2017 February 2017 January 2017 December 2016 November 2016 October 2016 September 2016 August 2016 July 2016 June 2016 May 2016 April 2016 March 2016 February 2016 January 2016 December 2015 November 2015 October 2015 September 2015 August 2015 July 2015 June 2015 May 2015 April 2015 March 2015 February 2015 January 2015 December 2014 November 2014 October 2014 September 2014 August 2014 July 2014 June 2014 May 2014 April 2014 March 2014 February 2014 January 2014 December 2013 November 2013 October 2013 September 2013 August 2013 July 2013 June 2013 May 2013 April 2013 March 2013 February 2013 January 2013 December 2012 November 2012 October 2012 September 2012 August 2012 July 2012 June 2012 May 2012 April 2012 March 2012 February 2012 January 2012 December 2011 November 2011 October 2011 September 2011 August 2011 July 2011 June 2011 May 2011 April 2011 March 2011 February 2011 January 2011 December 2010 November 2010 October 2010 September 2010 August 2010 July 2010 June 2010 May 2010 April 2010 March 2010 February 2010 January 2010 December 2009 November 2009 October 2009 September 2009 August 2009 July 2009 June 2009 May 2009 April 2009 March 2009 February 2009 January 2009 December 2008 November 2008 October 2008 September 2008 August 2008 July 2008 June 2008 May 2008 April 2008 March 2008 February 2008 January 2008 November 5

• Recent Posts

  • Googzilla Versus OpenAI: Moving Up to Pillow Fighting
  • IBM: A Management Beacon Shines Brightly
  • Allegations about Medical Misinformation Haunt US Tech Giants
  • Flawed AI Will Still Take Jobs
  • AI Delivers The Best of Both Worlds: Deception and Inaccuracy

• Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org