> Microsoft has placed a major bet that customers will embrace its effort to incorporate AI into its security product platforms. Microsoft said, after months of testing with customers, that Security Copilot helped security analysts be 22% faster and 7% more accurate.
Good news! I am sure there aren't any deeper issues around Microsoft's ideology, arrogance, or crass financially-motivated reasoning. Otherwise I might start wondering if maybe Microsoft's security AI might not actually work that well.
Windows XP did that way before smartphones came up with it.
We are unfortunately prisoners of the masses. The smart phone is a 99% device, which means it caters for 99% of the users. And it's probably not a good idea letting 99% of the users anywhere near the thing, based on the crap I've had to unstick over the years.
We can of course choose not to participate in this still if we don't want to.
> We can of course choose not to participate in this still if we don't want to.
The problem is that the alternatives are lacking, at least for the smartphone world. While on my PC I run a Linux distro, efforts like the PinePhone are still not good enough to be a daily driver.
> Attacks like these will spur proactive security measures at many companies, for example increasing employee training, upgrading email security to an E5 level, adopting the use of audit logs and increasing the use of encryption during file transfers, Stella said. E5 is considered the premium tier for Microsoft 365 customers, offering enhanced security and other services, he said.
What incentive does Microsoft have to change when the customer response to security breaches is to buy more expensive licenses from them? There's not much leverage in criticizing Microsoft, as is hinted in the article: the leverage is in criticizing orgs that continue to give MS more money.
Implying that some of their cheaper products don't offer enough security. I don't understand what goes through the heads of people working at Microsoft today, but the results are quite lacking.
Because they're still drunk on OpenAI integrations being the next unicorn, and have completely forgotten the trustworthy computing email Bill sent them 20 years ago.
> Availability: Our products should always be available when our customers need them.
"Beginning mandatory shutdown for software updates. There's nothing you could possibly need your own computer for in the next hour, and all the data you lost when we killed your programs is your fault for not using Microsoft applications instead."
> Privacy: Users should be in control of how their data is used
"Telemetry is very important, for example the hardware IDs of that USB stick you plugged in were also reported to us by another computer an hour earlier, so now we know there's a relationship between you! Isn't metadata grand? But trust us, we have only your privacy in mind. By the way, did you ever finish that novel you were working on from the last crash report?"
> Users should be in control of when and if they receive information to make best use of their time.
"Hey! You still haven't linked your logon to a Microsoft account! Hey! Use Bing! Hey! It looks like you launched a web browser that isn't from Microsoft, switch to Edge instead! Hey! Here are advertisements on your lock-screen just cuz we can!"
Is that the one that bought us various fad service oriented technologies, even more broken DCOM and Code Access Security in the .Net Framework, topped with a peppering of Vista, UAC and shovelling the lumpy turds that remained into virtualization (LSASS etc) yet still somehow managing to run their entire AV software as SYSTEM resulting in a zero touch complete system remote compromise?
Trust is of course earned. Bill's words were lost unfortunately under the next year's priority, the one after that and the one after that.
Today it's AI. Tomorrow it's whatever Satya says that pumps the stock. I've worked with their tech for 30 years, and customer requirements, safety and security are somewhere down the priority list. That is the only truth.
> Privacy: Users should be in control of how their data is used. Policies for information use should be clear to the user. Users should be in control of when and if they receive information to make best use of their time. It should be easy for users to specify appropriate use of their information including controlling the use of email they send.
> Regrettably, the marketplace is far from healthy
The unhealthy thing here isn't the marketplace, it's government policy. If you eschew popular open-source tools for closed/proprietary alternatives, this will happen. Linux will always have several orders of magnitude more experts banging on it than Windows ever will. Vendors pontificating about security will not change this fundamental asymmetry. Also, don't want product lock-in? Don't choose vendors with a significant risk or history of lock-in. Don't endorse face-eating leopards and then blame others when they eat your face.
Save taxpayer money today by outsourcing to a vendor that might have a problem, but really isn’t your “fault” per se. OR spend a lot of taxpayer money running your own system; which if there is a problem is very much your “fault”.
I don’t agree with the outcome, but the logic isn’t hard to follow.
Well, the hardware isn’t actually too severe as it’s paid upfront for very long time periods. The real cost isn’t even the salary. One system professional might be 150k, so let’s say employees are going to cost 500k for the system. I imagine that the annual cost for 365 for a single governmental department would be $2 million or more. I think that the biggest cost would be the transition and potential data loss.
It's not really about open source versus proprietary, it's about open source quality, which quite frankly isn't there. It's like living in a rickety shed at the best of times on the desktop.
> it's about open source quality, which quite frankly isn't there. It's like living in a rickety shed at the best of times on the desktop
First, we're not talking about the desktop here, we're talking about services. Open source provides much better quality for services. It is frankly appalling to me to see the government relying on Microsoft services given the quality and reliability and security of open source alternatives--not to mention the lower cost.
Second, the biggest obstacle to a standardized Linux desktop that everyone can use and rely on is the lack of a big player in the market willing to invest in one. Imagine if the government took even a fraction of the money it spends on Windows desktops, and spent it on developing a standardized Linux desktop instead. Isn't that exactly the sort of coordination problem that governments are supposed to solve?
Show me an open source O365 equivalent that scales to the 10,000 seats in my org.
I agree with your second point. I'm in the UK and have advocated this position for years. We have so much government infra here, considering NHS etc, that it would be cost effective to dedicate people to a "national standard computing" infrastructure. But it doesn't exist. Yet.
> Show me an open source O365 equivalent that scales to the 10,000 seats in my org.
I am forced to use O365 every day in my work. It's a piece of crap. The LibreOffice equivalents that I have on my personal Linux machines are better for everyday office applications. As for server side, even if we leave aside all the times I see supposedly reliable MS infrastructure break when I'm trying to do an everyday task, a quick Google search will show you plenty of equivalents, and as for "scaling", the government, or any large organization, could get better value for money paying someone to engineer whatever customizations are necessary in the open source alternatives--which it could then deploy for free on as many servers as it wanted--than from MS's licensing model.
I suspect you don't actually use O365. There's a lot of collaboration stuff in there which is pretty much unbeatable. I mean I'd rather use LaTeX and a VCS for some of the stuff I do but quite frankly that's just too hard for a lot of people.
Also a lot of assumptions about the ROI there and the availability of any engineers who can customise it.
Not really. The reason those orgs use O365 is that there isn't a better option with the same ROI and staffing requirements. It became a de facto standard because no one offered anything better.
(I will add I despise it to the core, but I know why people use it)
> The reason those orgs use O365 is that there isn't a better option with the same ROI and staffing requirements. It became a de facto standard because no one offered anything better.
As you pointed out once the goal posts shifted, the reason they use Microsoft is because Microsoft is notoriously incompatible with anyone but Microsoft, but also ubiquitous.
HN is proprietary and closed source. I am looking at it with Safari which a fair chunk of it is closed source on my Mac which is mostly closed source. It's routed over a bunch of commercial routers, which are closed source and infrastructure which is closed source.
YMMV.
But that isn't the point. The point is that the open source desktops do not even touch Windows in usability, quality, reliability and consistency. At best everything is fragmented at 80% complete. Show me an open source O365 and you might have something fit for an SME or government.
> The point is that the open source desktops do not even touch Windows in usability, quality, reliability and consistency.
I had a chuckle about this one. Seriously, none of MS crap comes close to a modern rolling release distro + KDE.
> Show me an open source O365 and you might have something fit for an SME or government.
LibreOffice is pretty good, but its usability needs lots of work. To this day LibreOffice still ships with templates that look like they were designed in 1998.
- You want a quick and dirty document or presentation that looks pretty good: MS Office is the winner.
- You want a large document with lots of figures, captions etc.: LibreOffice is the winner. Try to keep a larger document meticulously styled with named styles, and MS Word will trip over tons of its bugs that lurk in the dark, and it will make a non-salvageable mess of figure placement, caption numbering, losing header formatting and what not.
What OSS software needs is more investment in UX. LibreOffice needs a reality check here.
In this respect KDE is a great outlier, as it looks great, is responsive and has tons of pro features that are discoverable.
Indeed. I try every year in some vain hope it is. I throw a day away every time. Then I realise my time is better spent looking at shiny things in the Apple store that actually work the moment I walk out of the store.
My impression was that they did a hard switch to proper secure OS engineers for Windows about 10 years back. I kind of wonder if that pushed engineers and managers with the worst habits out to periphery things from the OS perspective.
Right, something that runs on windows is the periphery from an OS engineers perspective. "You don't have to leave the company, but you can't stay here."
Recommendations in article are sound, zero trust infrastructure is a nice to have.
Probably need something similar to the wake-up call some industrial companies got with stux in the 2010s, or hell, their insurance company charging the sh*t out of them unless they fix some things.
Lots of security professionals say that user-facing (as opposed to server) Linux except for Qubes, Android and ChromeOS is significantly less secure than user-facing Windows, MacOS, iOS, Qubes, Android and ChromeOS.
And I think they're probably right (although I'm not a security professional).
The people who think that Linux security is fine also make arguments, but those arguments are much less detailed (and much less convincing IMHO), such as the frequently-made argument that the fact that Linux's source code is readily available at no cost to anyone who wants to search it for security holes means that Linux's security will tend to be better than the security of systems whose source code is held secret. I mean, sure, if that were the only thing we knew about operating systems and we were forced to choose an OS based on that single piece of information, we'd choose one of the open-source ones, but the persuasiveness of that argument is more than cancelled out when we consider all the other things we know, such as the fact that many exploitable vulnerabilities have been found in Linux that examination of old versions of the source code reveal have been present for decades.
> How about the opinion of people who have nothing to win nor lose?
The question is complicated enough that my guess is that basically the only people who make the mental effort to resolve the question are people with a stake in it.
How many people, for example, who do not have a loved one with the cancer or an unusually high risk for that cancer, and who do not hope to advance their careers as cancer-curers or cancer-preventers, take the trouble to learn about the diagnosis and treatment of a particular kind of cancer?
Shall I take each point and explain why they are bullshit? Probably not, but do tell me. This kind of post is a perfect example of the bullshit I spoke about.
Just a quote to illustrate:
> The Linux kernel's size grows exponentially across each release, and it can be thought of as equivalent to running all user space code as root in PID 1, if not even more dangerous.
The page says that the Linux kernel "has no isolation between internal components whatsoever".
When two sentences later it says, "it can be thought of as equivalent to running all user space code as root in PID 1", it is elaborating on "no isolation . . . whatsoever". Specifically, it is saying that the organization of kernel code is analogous to organizing userspace so that all userspace code run as root in a single process.
The author of the madaidans site, BTW, is a Whonix and open-source developer, so how is it in his self-interest to criticize Linux's security? There is no indication anywhere on the site that the author or anyone else wants to sell the reader anything.
Microsoft is much more than Windows though. Active Directory is still a terribly insecure mess that forms the backbones of most major companies. Beyond that, all of Windows still runs on unsalted NTLM hashes. NetNTLM and NetNTLMv2 are more secure salted hash types, but both use the original unsalted NTLM hash to form the NetNTLM/v2 hashes. That allows attackers to simply pass-the-hash to authenticate as domain/local Windows accounts without ever having to know the password.
I mean this very sincerely: The day Microsoft's products are actually secure is the day I'm out of a job.
To my knowledge the current best practice is to have all NTLM versions disabled and use Kerberos, which, surprise surprise, is also the backbone of Linux enterprise login...
AD is just a fancy interface to LDAP with Kerberos; does that sound familiar in any way?
This is true, but going away rapidly and being replaced by Entra ID (formerly Azure Active Directory).
The big difference is that a breach of any single Entra ID connected service doesn’t give attackers widespread access to unrelated systems sharing the same tenant. For comparison, once you’ve got a foothold on an Active Directory domain member, it’s surprisingly easy to move horizontally to the rest of the network.
Having more healthy competition in the form of Linux would have been net positive for the society:
> Failure of accountability
> Many in the security community see the CSRB report and the recent CISA emergency directive as direct indictments not only of Microsoft’s security culture, but a government that has allowed Microsoft to maintain lucrative government contracts with no fear of competition across many of its services.
> “The federal government gets off the hook a little easy in this report,” said Mark Montgomery, senior director at the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. “Despite significant encouragement from outside experts, the Biden administration, and its predecessors, have failed to treat cloud computing as a national critical infrastructure, that is itself critical to maintaining the security of our national critical infrastructures.”
> Sen. Ron Wyden, D-Ore., who called for a federal investigation following the State Department email hack, said the federal government shared responsibility for the negligent behavior disclosed in the report.
> Wyden said Microsoft has been rewarded with billions of dollars in federal contracts, while not being held to account for even the most basic security standards.
I pound this a lot here, but open source investment is a security and military matter to the state. Relying on unfunded overworked and frankly exploited programmers for major aspects of security infrastructure is madness.
The US has a billion or ten to spare for this. Billion. With a B. This is an investment that is not just defense, it is an investment in the general economy.
The NSA budget is (maybe) 3.6 billion dollars. A general secure computing base for the American economy is worth at least 3x that.
... and thought something significant will definitely come out of this. (It didn't, as far as I could tell.)
Here in AU it feels most orgs and gov agencies still assume Microsoft is the arbiter and epitome of good security practice, and their products seem to be excluded from serious scrutiny or regular review, as per almost every other vendor. (Google may be another exception, but their attack surface is obviously quite different.)
It's crazy how slack big tech is. For companies who have such a grueling application process, you'd think they'd have more to show for it. Disappointing.
Specifically, a vintage 2016, unrevokable consumer signing key that was inadvertently allowed to sign identity tokens for enterprise substrates, which is a whole security house of cards.
Yes, you are off base. This is a fairly well written article that highlights and summarizes a few of their most recent gaffes. We recently re-evaluated our EDR solution and Microsoft was in the final 3. We didn't move them past the RFI process because of these recent incidents, on top of a very poorly packaged product (Defender). Microsoft has been really pushing the notion that they're a security company (and my 401k would love it if that were true), but the sad reality is they continue to fall short in every possible way. I'll likely share this article with my peers when challenged on why we didn't move forward with them in our EDR project.
Microsoft Defender was, and is, an inexcusably poorly thought through product.
Just the branding - the name and logo is exactly the same as Windows Defender. It even puts an icon in the taskbar tray, resulting in two identical logos for two identically named products that do completely different things.
No idea what they were thinking there. It seems they thought that the separation in consumers’ minds between “Microsoft” and “Windows” was strong, which it absolutely is not.
And were those incidents detected by the competitor or a client?
> One of the more damaging findings was that Microsoft learned of the attacks only because the State Department had set up an internal alert system after purchasing a G5 license from the company.
Although I mean the lack of on-prem really should be a nonstarter for a lot of large companies. Having a defense in depth where you need to be on the VPN before you can actually authenticate to the services does help. Or in the case of governments; they can run private fiber lines between buildings and then you can't even attack the server from the public web.
Those are bugs in their products, not breaches in their clouds. I'm not aware of a single breach in GCP or AWS. Certainly nothing on the scale of either of Microsoft's.
I am unsure if ancient tech companies doing well is an indicator of quality.
Sales teams and various vendor lockouts/ins can cause people to bend the knee.
I accidentally pay $70/mo to Microsoft because I bought the wrong licenses, which I needed only to serve a customer. Up until I started this company, I was 0% Microsoft.
You're right and wrong. I know about a team that does well and one that I think is begging for a major CVE.
Microsoft is said to be a collection of almost independent companies sharing a domain and a CEO. Based on my experience, small as it is, I can believe it.
There is a very strong professional code of conduct within security circles that you should monetize the security of your own product as little as possible, because your own security is not a revenue stream, it's your most basic obligation to your customer.
Like everything else in life, there are always trade-offs here, say, promoting your security practices to attract customers, but the general rule is that the moment you start having different tiers of protection, you start venturing into some seriously morally grey areas.
Microsoft didn't just start venturing into morally grey areas, they decided to set up their entire business model there, to the point that they didn't even know that they were hacked because they couldn't generate revenue from that knowledge.
THAT'S why Microsoft deserves every piece of bad press it's getting right now. Not that they had a security incident (everyone will have security incidents), it's that they deliberately ignored accepted industry standards to do so, and to this day they're stonewalling efforts to assess the full impact.