Microsoft pins hopes on AI once again – this time to patch up Swiss cheese security

Microsoft has made fresh commitments to harden the security of its software and cloud services after a year in which numerous members of the global infosec community criticized the company's tech defenses. Brad Smith, Microsoft president, pointed to significant technological developments across the industry as the reason for …

  1. Duncan Macdonald
    Flame

    Use defensive programming

    If Windows was coded with the same level of defensive programming as used to be common in minicomputer operating systems there would be far fewer security problems in it.

    An example (in pseudo code) of the sort of coding that used to be common (taken from the RSX11M operating system):

    System function request from user program

    Is the function number in range - if NO then reject the request

    Does the program have the right to call the function - if NO then reject the request

    Has the program passed the correct number of parameters - if NO then reject the request

    Are all the parameters accessible - if NO then reject the request

    If the above checks are OK then pass the request to the system function which (for most requests) will perform further checks and reject the request if any fail

    The assumption should always be that any request is invalid and only if all checks are passed should it be acted on.

    Unfortunately a lot of current code omits the vital checks resulting in security holes.
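    The check sequence described in this comment, carried into a small C system-call dispatcher as an added example (not code from the comment or from RSX-11M); the syscall table, privilege levels and the simulated user-memory window are assumptions made for the demo:

```c
/* Added example: default-deny syscall gatekeeper. The table, privilege levels
 * and the simulated user address window are assumptions for this demo. */
#include <stddef.h>
#include <stdint.h>

enum { SYS_OK = 0, SYS_EBADNUM = -1, SYS_EPERM = -2, SYS_ENARGS = -3, SYS_EFAULT = -4 };
enum { PRIV_USER = 0, PRIV_ADMIN = 1 };

/* Simulated user address window: pointer parameters must lie entirely inside it. */
static uint8_t user_mem[256];

typedef int (*sys_handler_t)(const uintptr_t *args);

struct sys_entry {
    sys_handler_t handler;
    int nargs;          /* exact number of parameters expected */
    int min_priv;       /* privilege level required to call */
    unsigned ptr_mask;  /* bit i set => args[i] is a pointer into user memory */
};

static int sys_getpid(const uintptr_t *a) { (void)a; return 42; }
static int sys_write_byte(const uintptr_t *a) { *(uint8_t *)a[0] = (uint8_t)a[1]; return SYS_OK; }
static int sys_reboot(const uintptr_t *a) { (void)a; return SYS_OK; }

static const struct sys_entry sys_table[] = {
    { sys_getpid,     0, PRIV_USER,  0x0 },
    { sys_write_byte, 2, PRIV_USER,  0x1 },
    { sys_reboot,     0, PRIV_ADMIN, 0x0 },
};
#define SYS_COUNT ((int)(sizeof sys_table / sizeof sys_table[0]))

/* Overflow-safe check that [p, p+len) lies inside the user window. */
static int user_accessible(uintptr_t p, size_t len) {
    uintptr_t lo = (uintptr_t)user_mem, hi = lo + sizeof user_mem;
    return p >= lo && p < hi && len <= hi - p;
}

/* Every check must pass before the handler runs; the handler then does its own. */
int syscall_dispatch(int num, int priv, const uintptr_t *args, int nargs) {
    if (num < 0 || num >= SYS_COUNT) return SYS_EBADNUM;      /* 1: function number in range? */
    const struct sys_entry *e = &sys_table[num];
    if (priv < e->min_priv)           return SYS_EPERM;        /* 2: caller allowed?           */
    if (nargs != e->nargs)            return SYS_ENARGS;       /* 3: correct parameter count?  */
    for (int i = 0; i < nargs; i++)                            /* 4: pointers accessible?      */
        if (((e->ptr_mask >> i) & 1u) && !user_accessible(args[i], 1))
            return SYS_EFAULT;
    return e->handler(args);                                   /* 5: handler's further checks  */
}
```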

    1. simonlb Silver badge
      Thumb Up

      Re: Use defensive programming

      And that's always been the issue with Windows - security was an afterthought and their basic permissions model was way too relaxed meaning there were numerous security holes by default they then had to close. Personally, I think the whole design of Windows has been crap from day one and should have been completely redone properly around the time they were working on XP.

    2. big_D

      Re: Use defensive programming

      It isn't just the programming, it is the security of their systems in general. The certificate that allowed hackers to compromise government email in M365 Exchange, for example, was captured in the clear.

      MS announced they are now "leading the way" by putting those sorts of keys (and code signing keys) into hardware secure enclaves, just like everybody else has done, following best practices for years!

  2. Ken Moorhouse Silver badge

    So, the AI that Microsoft uses...

    ...is isolated how from the AI that the baddies use?

    Can AI's principles/ethics be bought if the price is high enough?

  3. Ken Moorhouse Silver badge

    "flaws are always likely to be found in tech...

    ...especially when a company has so many lines to code to maintain."

    Yes, but how many of those lines of code are cosmetic froth?

  4. wub
    Alert

    Training set?

    What, exactly, is Mictosoft going to rely on for suitable secure software code to train their AI on?

    1. ecofeco Silver badge

      Re: Training set?

      LOL! I wonder if anyone got this joke?

      Well played. Well played.

    2. Michael Wojcik Silver badge

      Re: Training set?

      Sigh.

      I hate to even appear to take this question seriously, but obviously you don't train the model on "secure" source code — for one thing, there's no such thing. Security isn't an absolute. You train the model on vulnerabilities, until it generalizes.

      This already works for many types of vulnerabilities using just a conventional deep convolutional stack. The advantage of using a deep transformer stack is that it makes better use of the context window, as the model does a better job of determining what's relevant. But most of the power of the system is simply in the huge number of parameters and large context window, of course.

      Note that I'm not a fan of this approach — I think it leads to learned helplessness in software developers, it resists explanation, and it's quite difficult to tune (RLHF is a very blunt tool when you're working in a technical domain). But it's pretty easy to understand how it works.

  5. Muscleguy
    Black Helicopters

    Just waiting

    Until the security AI gets pwned and locks out everyone at Microsoft as threat actors. Must stock up on popcorn.

    BTW this is standard arms race stuff. All fine until the opposition go bigger again.

  6. Flocke Kroes Silver badge

    If Microsoft really want to show commitment to AI

    They should use it to replace senior management.

  7. Anonymous Coward
    Anonymous Coward

    Wait what?

    MS software for sale has been at best beta for decades hence continuous updates/ patches.

    Why would they pin themselves down to making a fully working and secure product? None would upgrade

    Insecure and halfarsed sells better and ms can blame everything on external badhats rather than incompetence.

    Microsoft has always been about dumbing down / increasing access to computing. This was always the inevitable result

    Their target audience are people who do not look under the hood and resent techs forcing understanding upon them.

    MS sell products to people who know no better or get no choice. Neither party care if it actually does what it says on the tin anymore so long as it is a business standard product that they get paid to use

    Fixing the mass of security holes would mean sorting out the jury-rigged mess of legacy code inherent in the reselling of the same bit of string model.

    I would suggest what is really wanted by govs is closing other countries' backdoors but not their own.

    Ms products were never supposed to be fit for purpose

    1. ecofeco Silver badge

      Re: Wait what?

      I will never understand why the whole world picked the worst possible operating system.

      In the early days, we used DOS because it was mostly free. Then, when GUIs came about, we mostly used Win 3 because it was, free(ish). (not really free, we pirated the hell out of it actually) The other choice was Apple. (a lot harder to pirate).

      The other reason was IBM-PC clones were also cheap and, most important, modular, and Apples were not.

      What we should have ended up with was Workbench, but Commodore priced themselves out reach of everyone. So that was never a real option.

      1. ecofeco Silver badge

        Re: Wait what?

        "...priced themselves out of the reach of..."

        Sheesh

    2. Michael Wojcik Silver badge

      Re: Wait what?

      I'm not a fan of Windows, but there's no such thing as "a fully secure" non-trivial software product, or for that matter a "fully secure" anything else.

      1. Anonymous Coward
        Anonymous Coward

        Re: Wait what?

        @"Michael Wojcik"

        Not when internet connected is a requirement.

        I understand what you mean though, what can be created can be broken but not bothering with security has been expensive and it has not been ms who paid the bill.

  8. ecofeco Silver badge

    I can smell it from way over here

    Microsoft gaslighting and vaporware, that is.

    It's the smell of... failure.

  9. pc-fluesterer.info
    Facepalm

    AI is a plain mock attack

    Ransomware to 90% is not enabled by security holes in the sense of programming errors. Ransomware is enabled by design faults deep in M$' thinking. Most of ransomware comes with SPAM and the user has to contribute:

    Open the SPAM (ok, take that for granted);

    open the attachment (that's already questionable);

    allow macros! (¹);

    give the admin's password! (²)

    (¹) How on earth can it be that a document (text, spreadsheet, presentation) sent by mail can contain macros so powerful that they can damage the OS severely? How on earth can it be that macros in an email attachment can be enabled at all?

    (²) Following best practice, no user should™ have administrative rights, neither by knowing an admin's password nor by normal working with administrative rights. But the latter happens way too often. Why? Because M$' products are "more comfy" with administrative rights - a design fault. Anyone remember Windows XP? That was effectively unusable with restricted user rights. The situation has since improved a little bit, but not enough by far.

  10. Tim13

    FUD - marketing as usual

    Fear: use another OS, you may be hacked (no one ever got fired for buying MS)

    Uncertainty: we are working really hard; the next update is coming soon; it will be AI-infused

    Doubt: we have really great AI security soon; would you use a product without?
