Microsoft Transparency Centers
I never stop re-learning the lesson that security gets better when the business has a direct stake in such improvements. A lot of people will say “that’s obvious”, but, for me, that knowledge sometimes sinks to my lower-level consciousness and only surfaces when I read articles like this one about how Microsoft is increasing its use of encryption and opening transparency centers in order to ease customers’ minds about their information being handled in Microsoft’s cloud services.
The big takeaways are that, wherever possible, Microsoft will be using Transport Layer Security (TLS) across its services, the mainstream ones as well as the leading-edge ones, and will be adopting stronger encryption standards as well. Furthermore, Microsoft is allowing interested parties (I think governments, initially) to inspect the portions of code that handle these operations in order to verify that there are no NSA back doors.
A security person reading this will say “they should have been doing that all along!” And it’s true. When we were asked to look into our businesses’ use of the cloud, we probably saw that there was very little way to assess the technical and operational security of the cloud providers. But we also pointed out that the biggest problem was the lack of transparency. The vendors say stuff like “we are ISO 27001 certified” and that would make the buyers happy, but, as anyone in the security field knows, that really doesn’t mean anything specific at all.
This is a case where increased security directly impacts the financial prospects of the company. Microsoft is losing in mobile and losing money in online services. The desktop is dead. Windows 8 was a flop. But the company’s Azure offerings are not only really good, but they are catching on. The online services part of Microsoft may be the company’s best hope for the future. The Snowden revelations are causing direct harm to that portion of Microsoft’s business.
Building good security becomes a competitive necessity. When that’s the case, everyone wins.
Really Amazing BGP Attacks
We all know that BGP is vulnerable to some attacks, but check this out. Massive-scale Monkey-in-The-Middle attacks. Ouch.
This is why I love the infosec community. Reputation matters. Results matter. Science ultimately rules, but there is a lot of “gut instinct” and “second nature” involved, too. I
It will be interesting to see how this plays out.
Hi Peeps. I want to start using an Android-based phone as my second mobile (I always carry two; I have a condition). I am looking around for recommendations. Here are my requirements:
- I use some Gmail and IMAP accounts, and am about to consolidate on self-hosted IMAP to avoid Google’s bullshit
- I regularly test Mobile Device Management and Enterprise Mobility Management tools and platforms for my work, so it should be one with wide support for management tools
- I want access to Google Play
- I live in Austria, and will be using the carrier Drei
- I like WhatsApp, Twitter, Foursquare
Right now, I’m leaning towards a Samsung Galaxy S4 just because it’s what I have heard of and it gets good reviews. Is there something else I should be considering?
That’s Gonna Leave A Mark
I like the way Adobe’s disclosing this information. But it looks like this was such a wide-ranging breach that they even lost source code:
hacking team’s server contained huge repositories of uncompiled and compiled code that appeared to be source code for ColdFusion and Adobe Acrobat.
Am I Unable To Understand English?
I’ve always thought that Microsoft CEO Steve Ballmer had ineloquent diction. His metaphors were overwhelmingly blustery and masculine, his poetry was completely absent, and the stories he told about Microsoft were never inspiring or creative, but rather litanies of compete-speak and business jargon wrapped in a salesman’s ego.
So when Microsoft issued a press release indicating that the company had finally figured out that it has missed out on nearly every important development in technology in the past ten years, failed to lead or innovate in any of them, and decided to shit-can Ballmer, I couldn’t figure out what this sentence means:
“My original thoughts on timing would have had my retirement happen in the middle of our transformation to a devices and services company focused on empowering customers in the activities they value most.”
What? Aren’t they in the middle of that transition? And if this was so well-planned and thought out, why the surprise in timing? Anyway, I just can’t make sense of that. What does it mean?
“Q: One more question on timing. Does your announcement today tell us anything about what to expect, earnings-wise, for Q1 FY 2014 for Microsoft? Is it going to be nothing to write home about, as some have been whispering in my ear?
Ballmer: A) we don’t comment on a quarter. We would never comment on a quarter. No chance we’ll comment on a quarter. So I can’t answer your question.
Does anything about this timing, however, have anything to do about anything short term? The answer is absolutely no.
The timing here is all (the fact that) these things come in waves. We have kicked off, the leadership team and I have kicked off a new wave. And in looking at that and saying to myself, can I last deep enough into this — can I last isn’t the right way to say it — do my personal plans sort of fit with me lasting far enough that I’m not leaving in now mid-wave, kickoff’s fine but not leaving mid-wave, the timing is all about that. I mean, summer is the kind of time we would do — this would happen anyway, because summer is when we write our personnel reviews, summer is when we sort of do our long term contemplation. So that’s all been consistent, if you will. So there’s nothing short term about the selection of timing, and I just refuse to even say anything that relates to your actual question.”
German Government: You Can’t Trust Windows 8 and Microsoft
The German Federal Office for Information Security (BSI) has circulated information internally that Windows 8 is not to be considered a trusted platform when used in connection with the Trusted Platform Module 2.0.
I can totally relate.
Microsoft, as the purveyor of what amounts to a piece of critical infrastructure for the majority of the world, should implement security in a way that is trustworthy for the world. But that’s the key phrase: “trustworthy”.
The entire concept of trustworthiness means that, eventually, you have to trust *somebody*.
In this case, Microsoft and those defining TPM 2.0 should have figured out a way that the end users of the platform devices can assign the trust to whomever or whatever they wish. In fact, they should be made explicitly aware of whom their trust is assigned to.
I suspect that is indeed the case if one digs into the details and implementation. However, the default trust assignment to Microsoft — especially for any organization or individual with a slight interest in confidentiality or integrity — is absolutely the wrong choice.
Apple Blocks Flash
Not sure how Apple is doing this, but I just noticed they blocked my Flash plugin from running based on the fact that it was not “up to date”. So maybe every time something like this happens, they will push this kill switch.
Which basically means we will never have Flash on Macs again.
It also means I need to look into how this works. It’s an interesting development.