Microsoft's Brad Smith summoned by Homeland Security committee over 'cascade' of infosec failures

The US government wants to make Microsoft's vice chair and president, Brad Smith, the latest tech figurehead to field questions from a House committee on its recent cybersecurity failings. The House Committee on Homeland Security has proposed the hearing take place later this month on May 22. It will be referred to as "A …

  1. Doctor Syntax Silver badge

    a "cascade of avoidable errors" were to blame for the attack's success

    I'd rate leaving emails on somebody else's server as one of those.

  2. Pascal Monett Silver badge

    Good

    Borkzilla's GOOHF(*) card has always been the words "Microsoft is not responsible for any loss of data on the customer's system", or words to that effect. You installed Windows and it was your job to make sure everything worked well.

    Except that, when dealing with governmental bodies and National Security, that "protection" was bound to be demolished by the requirements of actual security.

    Now, Redmond is going to have to do the very job it has avoided for the past 40 years: secure its platform.

    I look forward to the fireworks this will undoubtedly result in.

    * - Get Out Of Hell Free

    1. Anonymous Coward

      Re: Good

      They already do that. They add message boxes along the line of:

      "Are you really sure that you are certain that you really want to do this?"

  3. mickaroo

    M$ Undermining Public Confidence

    Now there's a stretch... Say it ain't so!

  4. navarac Silver badge

    Not before time

    No wonder SatNad sent a memo the other day.

  5. elDog

    But we want a change to the Ribbon. And demand that Clippy be freed!

    We want features, more features. We want pretty themes with too much white space and choices of mauve and fuchsia.

    We want animations everywhere and AI assistants so all we need to do is press the Start button (where is it now?) and the AI will take over for the rest of the day.

    Security is for the IT department (who are vastly overpaid and are not in the next budget cycle anyway.)

    1. jake Silver badge

      Re: But we want a change to the Ribbon. And demand that Clippy be freed!

      "We want features, more features."

      For values of "We" that equals the Redmond Marketing Department.

      Nobody else.

      Before replying, think. Does YOUR corporation enjoy paying to uptrain the staff on a yearly basis (with no compensation to the shareholders) just because Microsoft decided to make changes that don't actually improve things, and that you never asked for in the first place?

      1. Doctor Syntax Silver badge

        Re: But we want a change to the Ribbon. And demand that Clippy be freed!

        Irony, Jake. Irony.

        1. jake Silver badge

          Re: But we want a change to the Ribbon. And demand that Clippy be freed!

          Of course. Not even hidden, no need for Poe.

          Just seemed like a good place to point out the obvious. A jumping-off point into a mini-rant, as it were.

  6. aerogems Silver badge

    I'd be all for this if it were an actual serious effort to understand what went wrong and how to correct it. However, it'll just be another effort at grandstanding and putting on a show for the cameras. At the end of the day, nothing will have changed.

    1. jake Silver badge

      You missed a bit, given who is running the show.

      Somehow, it'll all be the fault of Biden, who started laying his nefarious plans as a new Senator back in 1973. And they'll have PROOF! Witnesses! Whistleblowers! Lots and lots of them! Who will all have to testify behind closed doors because reasons! Really! They have him this time! Just you watch!

      1. aerogems Silver badge

        Oh I'm sure. The committee is no doubt comprised of people who can barely find the on switch to a computer with a map and a flashlight/torch, and are so far out of their depth it'd be like trying to explain particle physics to an amoeba. Just more political theater. Remind me again why we pay these idiots? Most of them are there just to line up a cushy job as a contributor on some cable news network or a do-nothing job at a think tank where they just put out a "research" paper that basically just regurgitates whatever the RNC/DNC talking points are so someone can hold it up as "proof" that this or that policy is a good idea.

        I don't have a perfect solution to this problem, but I definitely think public funding for campaigns would go a long ways to helping address the worst abuses. At least then they can focus on doing the people's business instead of constant fundraising.

  7. This post has been deleted by its author

  8. jake Silver badge

    What, exactly, did The House Committee on Homeland Security expect?

    What kind of idiot[0] expects Microsoft to produce secure ANYTHING?

    It's been over 43 years since the release of MS-DOS 1.0. In those 43 years, when has Microsoft ever been synonymous with Security? And Microsoft TELLS YOU THAT in the small print that you agree to whenever you install their software, be it an OS, an application, or whatever you call the inherently insecure "cloud" based stuff. It says right there in your contract that Microsoft cannot be held responsible for anything that breaks, goes missing, or is stolen if you install their crap on your hardware.

    What, exactly, does HCHS think that means? Don't they have even one half decent lawyer up there in Congress that could explain the terms of the contract to the idiots?

    [0] Granted, the current Chairman of the HCHS is a Freedom Caucus freak member, dedicated to getting absolutely nothing done in Congress, and blaming the Republican lack of action on Biden, as decreed by their Lord and Master, Trump the Senile Indicted One, holder of no actual political office ...

  9. ecofeco Silver badge

    WHOCOULDAKNOWED?

    Well, actually, everyone knew failures would happen who did not have their heads so far up their own arse that they were asphyxiating.

  10. Neil Barnes Silver badge

    Can't help wondering

    About biological monocultures and the increased likelihood of infection therein.

    Maybe we should have been encouraging alternate operating systems and 'productivity software' designers, instead of automatically assuming that 'computers come with Windows because that's what's on them when you get them out of the box'? Could it be possible that MS's marketing deals with hardware makers for the last forty years have not served us well?

    1. Richard 12 Silver badge

      Re: Can't help wondering

      An Operating System is the very definition of a natural monopoly market.

      There's a reason why almost every server runs Linux, almost every desktop and laptop runs Windows, and phones and tablets are Android or iOS.

      The other OS are almost exclusively embedded systems.

      Applications and libraries get developed for the smallest number of operating systems possible, because supporting their differences is expensive - even with libraries like Qt the abstractions leak.

  11. RedGreen925

    "Software engineering should be overhauled too, it urged. "

    Do you really think so, after damn near a good forty-year-long tradition of putting out garbage software with a serious lack of any thought to doing security properly implemented in it? Well, good luck with changing that anytime soon; better off starting with a clean slate and ditching the steaming piles of dung they have already produced, basically forever.

  12. Anonymous Coward

    There's Big.........Then There's Impossible!!!!

    Quote: (2019) "Windows 10 source code: over 0.5 terabytes source code, over 4 million files, more than a half million folders...."

    So.......Brad Smith will be telling us how the new "security by design" approach might try to clean up?

    .....and then there's all the other products: Office, Powerpoint, SQL Server, Edge..........

    Maybe a COMPLETE REWRITE might do the job.....maybe by the year 2100AD!

  13. Ball boy Silver badge

    Weasel words, Redmond

    Good security is by design, not an afterthought. Securing Windows really needs to start with a kernel redesign - and that would break the core OS. That, in turn, would break the drivers, interface layers and applications that sit above that. Like it or not, it'd be an act of lunacy for Redmond to deliberately render the entire ecosystem of partners, apps and so on completely inoperable on their new, secure-by-design platform and I suspect they'll have no choice but to simply add wrappers around the existing model to try to patch up the holes. More lipstick on the pig, as it were.

    All these companies that keep telling us "We take the security of our client data seriously" would be well advised to start by looking at their choice of OS, because if that ain't secure, it'll be next to impossible to lock down the data.

    ofc, educating users not to click spammy links, etc. is a given, natch, but the concept of security should have been baked-in way, way before users get near the systems.

  14. Henry Wertz 1 Gold badge

    Heard it before

    Heard it before... (massive security breaches due to Microsoft flaws).... "Oh we are going to focus on security now!"

    I recall claims like this in the late 1990s; after the Code Red worm in the early 2000s, they AGAIN claimed they would focus on security. Every time they have a big worm outbreak or breach, they claim this. They focus on security for a while. They go and fix some flaws for a while, write some new code that is securely coded. Then they kind of forget about it and carry on as they were.

    Given the size of the company, they should PROBABLY have some people within the company that ONLY go over code looking for security flaws, run pen tests and fuzzers against daily builds or whatever, test out their cloud system to make sure access controls are functional, try odd combinations of settings to make sure they are STILL functional, see if there are flags in there the GUI doesn't expose but can still be poked at, and so on.

    I assume they'll do some lip service, probably really will pay attention to security for a little while, maybe even assign some people FOR A WHILE to look for flaws. Then after a while forget all about it again, throw those people temporarily working on security back into the general pool. Rinse and repeat.

  15. Paul 87

    The biggest problem with securing Microsoft products is the sheer depth and complexity that they have. Allowing for support from a one man band up to a 100,000 seat enterprise within a single security design schema is bound to cause problems.

    For security to work it's got to be simple to implement, easy to interact with on a day-to-day basis, and easy to understand. Only a couple of thousand people in the world *really* understand Microsoft Entra and Active Directory, and yet tens of millions of people are there using it to "secure" their systems.

  16. fg_swe Silver badge

    Dump CloudCr4ap

    The tools for secure communications are already part of Linux:

    + end-to-end GnuPG encryption. Never trust a $hitty email server.

    + AppArmor Sandboxing of all apps from Firefox to LibertyOffice to Thunderbird.

    + Dump Microsoft, as they are easily 20 years behind the state of the art. Sandboxing for starters. This is the only language they understand.

    + Never trust the cloud for anything sensitive or more. Rather, run ssh/scp based file servers INSIDE your network.

    + Monitor all traffic at the firewall, maybe AI can detect unusual patterns there.

  17. fg_swe Silver badge

    Secure Instant Messenger

    I suggest using DeltaChat for that purpose. It employs GnuPG for end-to-end encryption.

    Probably 100x more secure than the TEAMS contraption.

  18. Sparkus

    another case of

    "too big to fail = too big to trust"
