Microsoft president Brad Smith struck a conciliatory tone regarding his IT giant's repeated computer security failings during a congressional hearing on Thursday – while also claiming the Windows maker is above the rule of law, at least in China. He answered nearly three hours of questions from US House reps about Microsoft's …
He also was seemingly unable to recall facts about Recall and as nobody knew what he was talking about he didn't get the bollocking he deserved, and they moved onto the next subject.
So I fear it will very much be business as usual.
This is the opportunity to do what the DOJ failed to do in the 90s, which has directly led to this catastrophic situation - break up Microsoft. At the very least, OS, Office, Cloud and Security should be completely separate entities. There is also a question of what to do with their AI investment.
I'm not necessarily disagreeing with the sentiment, but I do question the idea that Security can be an entity separate from everything else.
It's the same with Quality. I once had a Managing Director who thought that the quality control happened just before you put the instrument in its shipping container.
Security, like Quality, needs to be part of the design (and documented in the same way).
The idea is that your design for Quality creates a system which, if the documented procedures are followed, is *unable* to produce something which is not as designed.
Of course part of the system covers how you ensure that the procedures are in fact followed. I could tell you stories about that, involving both the purchasing and the testing departments, but not now.
I may be wrong, but I read that as it's not that the programs shouldn't be developed securely, it's that security "fixing" products should be kept separate from the actual applications.
E.g. make the networking code secure, don't just rely on a bundled firewall - i.e. keep the firewall separate as an additional protection, whilst the other teams concentrate on using secure coding practices within their code.
I agree that security can't be separate but has to be present in all parts you might split Micros~1 into. Maybe a better name for a split-off entity would be Authentication Services. Currently everybody and their grandma rely on Micros~1 to be the gatekeeper for email and documents in the cloud - sometimes helped by 3rd party providers like Okta.
The powers that be prefer outsourcing to Micros~1 rather than taking responsibility for secure operations even after multiple big failures by Micros~1 have been reported - seems to be true both for our company and the US government.
Does anyone have an idea how we can make it clear to them that they can't delegate or outsource accountability?
"It's the same with Quality. I once had a Managing Director who thought that the quality control happened just before you put the instrument in its shipping container."
Which is born of a view among modern manglement that quality control is a cost to the company rather than an asset.
And we see this in m$ where the QC department is reduced in numbers, the users become the testers, and bugs/faults are fixed only when, say, 10 000 instances of the same failure are reported by the telemetry being sent back.
My belief is that software companies should be made to send software out on install discs/media again, with any failures after that being covered by the Sale of Goods Act (or local version thereof), as the availability of the internet to send out huge patches, and a huge number of patches, also creates a bad attitude at software companies of "well, if it's got bugs, we'll just send a patch out".
I also think that m$ should have been broken up into smaller companies - operating systems, applications, gaming - not so much for security but as more even ground for other software manufacturers to compete and bring in better products.
I think it is past that. This is a clear and present danger and should be nationalized. They, MS, are literally enabling our enemies' and competitors' hacking because they have no business case to do anything else.
MS acts like they are in a 'so what you cannot make us and there's no alternative anyway' mode. And I don't think MS is misreading the situation.
They have near nation-state power but not the ability, nor inclinations, to safeguard that power effectively. This is dangerous for all concerned. But I suppose we've been here for 20+ years already.
"should be nationalized"
Are you saying Microsoft should be nationalised? Leaving aside any political disagreements: by whom? MS are everywhere. Should every country nationalise the local office? If it were a US government run entity why should any other country trust it (again, leaving aside the obvious comments)?
Nope, just that no government should ever be using any "Cloud" services provided by any private entity.
All of that should be in-house, so any security issues are their own look-out.
Purchase commercial software, support etc, and even lease the hardware by all means, but run it on hardware where the government knows the location and physical connectivity, and can order someone to unplug it should they so desire.
If you can't unplug it, you don't control it.
There is no evidence for the widely discredited excuse about the key being recovered from a crash dump.
This was an obviously blame steering excuse.
Occam teaches us that Microsoft's pathetic programming security blunders demonstrated over the last 40 years are likely not just confined to programming but realistically enterprise wide.
Microsoft are as lax with security anywhere within the company as they are without, vis their clients data and security as demonstrated time after time.
We are approaching an inflection point where running Microsoft software or using their services will be regarded as negligence in the care of personal or corporate data.
That's not inherently a bad thing.
It means that off the shelf stuff needs to actually have military grade security. And that's good for everybody.
The problem is that the US government (and the general public) are trusting Micro$hit to have that level of security. And that's stupid.
Having somewhat watched it unfold, it looked like it (the COTS initiative) started as a cost saving initiative after the Soviet Union stopped being a bogey man and before the internet as we know it existed. Forcing procurement of standardized off-the-shelf components whenever possible ended sweetheart projects and did reduce costs.
The problem is we no longer live in that world and need to operate in a world where the internet is connected to everything. The paradigm that seems to cause the most grief is that the internet must be connected to everything.
“Now it's time for the White House and Congress to do their job and ensure we don't learn about yet another Redmond blunder exploited by a foreign government six months from now.”
a. It isn't blunders and it isn't only foreign governments doing the exploiting /s
b. What were the keys even doing on a Microsoft server?
c. Never keep your cyber secrets on a computer connected to the Internet /s
d. The Dangers of a Software Monoculture.
e. Whatever happened to the Common Criteria?
MICROS~3 could make their OS more admin friendly. At many points.
My pet example we have suffered since 2000: open an mmc, like gpedit.msc, lusrmgr.msc, dsa.msc etc. Every Administrator, more than 99% of the time, moves the divider between the tree pane and the list pane to the right. Every time. Check video2brain (now linkedin) videos, or youtube or whatever. Everyone does that move. For the last 24 years.
Administrator-friendly explorer defaults would be nice too: default "detail" view, the "file size" column a bit wider since the old default is too small, the "file time" column a bit narrower since its default wastes space, show extensions, show hidden etc etc...
There will always be flaws in software. Most hacks are still due to user error. Punish tech companies financially for dereliction of duty if they haven't fixed known vulns, but not at the expense of the entire sector. Unlimited liability would end the production of software.
Nobody ever put a gun to the head of the US government and forced them to use Microsoft software. They have unlimited funds for national security and could switch to Linux whenever they want. But would the author of this piece want Torvalds to be locked up after a couple of vulns come to light? Because eventually they will.
As for the supposed primacy of the White House, Joe Biden grew up in the age of Bakelite and I doubt Trump can wire a plug. Politicians are the last people who should be in charge of tech. They fail at absolutely everything they do. The tech industry should be distrusted, but they only want your cash. Politicians are far more insidious and have a much darker agenda.
If something has to be secure it should never touch the public internet. And if you want to take it one step further, use pen and paper. The distributed model removes honeypots of data and E2EE reduces hacks. So maybe these basic fixes are a better place to start than state sponsored back doors, E2EE bans, biometric data grabs and universal surveillance.
"They have unlimited funds for national security and could switch to Linux whenever they want. But would the author of this piece want Torvalds to be locked up after a couple of vulns come to light? Because eventually they will."
No, responsibility lies with the person/organisation implementing the open source solution. The code is there to see and theirs to patch.
"Joe Biden grew up in the age of Bakelite"
He's about the same age as I am. I don't remember the '50s as being particularly the age of Bakelite. It was the age when all these computers were first being designed - and those by a generation older than he and I.
A pox on your casual ageism and another on your lack of historical knowledge.
Open Source does not have the bribery infrastructure in place. Unlike the $corporation.
Also, good people avoid the government, as it cannot pay competitive wages. Instead they hire armies of losers.
When push comes to shove, a college-dropout oligarch will be the Effective Surgeon General, as we have seen with COVID.
A dark world full of corruption.
From my current point of view: Microsoft should buy Pingcastle (Just an example, we use it) and hard-integrate it when AD-role or AD-Tools are installed. That has most of it covered, IMHO only a few tiny things are missing there. Prominently as "Active Directory Security Analyzer and Recommender". Without needing that shitty "Admin Center", which fails at way too many Fileserver migration scenarios where simply robocopy works...
Oh, and MICROS~5 should open their spec for NTLMv2 for free, so Cisco, Fortigate and all those others which still use NTLMv1 or even LM 0.12 (from 1993) have no more excuse to prevent upgrading their shitty software to, at least, use NTLMv2. Next would be their details about Kerberos, freely available, for obvious reasons.
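The commenter above is complaining about third-party kit that still speaks NTLMv1 or LM. Before a Windows admin can turn those off domain-wide, they need to know which clients are still using them. The following PowerShell is an added example (not posted by the commenter, and not Microsoft tooling): it mines the Security log for successful logons (event 4624) whose "Package Name (NTLM only)" field says NTLM V1 or LM, groups them by source, and then shows the registry value behind the "LAN Manager authentication level" policy that enforces NTLMv2-only. It assumes it is run elevated on a domain controller or member server with logon success auditing enabled; the 4624 field names (`AuthenticationPackageName`, `LmPackageName`, `IpAddress`, etc.) are the standard ones in the event's XML.

```powershell
# Added example, not from the thread: find legacy NTLMv1/LM logons, then (optionally) enforce NTLMv2-only.
# Assumes: elevated session, "Audit Logon" success auditing on, so 4624 events exist in the Security log.

# 1. Pull recent successful logons and keep only NTLM ones that negotiated NTLM V1 or LM.
#    In 4624, AuthenticationPackageName is "NTLM" for NTLM logons and LmPackageName is
#    "NTLM V1", "NTLM V2" or "LM" (it is "-" for Kerberos and other packages).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                       -MaxEvents 5000 -ErrorAction SilentlyContinue

$weak = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['AuthenticationPackageName'] -eq 'NTLM' -and $d['LmPackageName'] -in @('NTLM V1', 'LM')) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Source      = $d['IpAddress']        # the client that authenticated (firewall, appliance, ...)
            Workstation = $d['WorkstationName']
            Package     = $d['LmPackageName']    # "NTLM V1" or "LM"
        }
    }
}

# Summarise by source address and protocol so the appliances to upgrade stand out.
$weak | Group-Object Source, Package | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Once the list is empty (or every remaining source has been upgraded), enforce NTLMv2-only.
#    LmCompatibilityLevel 5 = send NTLMv2 responses only; refuse LM and NTLMv1 as a server/DC.
#    GPO equivalent: Computer Configuration > Windows Settings > Security Settings > Local Policies >
#    Security Options > "Network security: LAN Manager authentication level".
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$current = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
"Current LmCompatibilityLevel: $current (empty means the OS default is in effect)"
# Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord   # uncomment to enforce
```

Run step 1 for a few weeks on the DCs (the `-MaxEvents` cap is just to keep the example quick) before flipping the level: anything still showing "NTLM V1" or "LM" will simply stop authenticating once level 5 is in force, which is exactly the breakage the commenter says vendors use as an excuse.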
"The most expensive thing that can happen to a government agency is to lose sensitive data to a competing government.
For details, you can ask Karl Dönitz and Isoroku Yamamoto.
Windows must be banned from processing any secret government information, as they are at least 20 years behind the state of the art."
It's been documented that China: Criminal Nation started hacking the USA in 1998, the year their country was foolishly given Most Favored Nation status. China's first hacking group was the Red Hacker Alliance. Hacking-the-world was then integrated directly into the CCP (Chinese Communist Party) run government. It took until 2007 for #MyStupidGovernment to admit that EVERY federal government Microsoft Windows PC exposed to the Internet had been compromised with Chinese bots that sent data back to Beijing.
And here we are in 2024 and #MyStupidGovernment has learned nothing about the security perils of using Microsoft software.
China laughs at the ease with which they hack-the-world.
Microsoft continues to BS its way through time and technology.
There are techno-savvy departments and individuals in the US government. But they continue to be ignored. Why they are ignored is the pressing question.
Well, I remember when they got this contract. There was no dissent allowed; they strictly decided they'd have a single contract for all cloud services, even though some departments did in fact warn about Microsoft's continuous security problems.