Microsoft Transparency Centers

I never stop re-learning the lesson that security gets better when the business has a direct stake in such improvements. A lot of people will say “that’s obvious”, but, for me, that knowledge sometimes sinks to my lower-level consciousness and only surfaces when I read articles like this one about how Microsoft is increasing its use of encryption and opening transparency centers in order to ease customers’ minds about their information being handled in Microsoft’s cloud services.

The big takeaways are that Microsoft will be moving to Transport Layer Security (TLS) wherever possible, in both its mainstream and its leading-edge services, and will be adopting stronger encryption standards wherever it can. Furthermore, Microsoft is allowing interested parties (I think governments, initially) to inspect the portions of code that handle these operations in order to ensure there are no NSA back doors.

A security person reading this will say “they should have been doing that all along!” And it’s true. When we were asked to look into our businesses’ use of the cloud, we probably found that there was very little we could do to assess the technical and operational security of the cloud providers. But we also pointed out that the biggest problem was the lack of transparency. The vendors say things like “we are ISO 27001 certified” and that makes the buyers happy, but, as anyone in the security field knows, a certificate only says that a management system was audited for some scope; it says nothing specific about the controls that actually protect your data.

This is a case where increased security directly impacts the financial prospects of the company. Microsoft is losing in mobile and losing money in online services. The desktop is dead. Windows 8 was a flop. But the company’s Azure offerings are not only really good, but they are catching on. The online services part of Microsoft may be the company’s best hope for the future. The Snowden revelations are causing direct harm to that portion of Microsoft’s business.

Building good security becomes a competitive necessity. When that’s the case, everyone wins.

Really Amazing BGP Attacks

We all know that BGP is vulnerable to some attacks, but check this out: massive-scale Monkey-in-the-Middle attacks. Ouch. The trick that makes it a man-in-the-middle rather than a plain outage is that the attacker announces a more specific prefix (or an otherwise more attractive route) for the victim’s address space, so other networks send the traffic to the attacker, who forwards it on to the real destination; the victim and its users see only a little extra latency.
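The check a route monitor runs to catch this, as an added example that is not part of the original post: compare every announcement against a baseline of which AS is supposed to originate each prefix, and flag both wrong origins and new more-specific prefixes. The baseline, the feed and the ASNs are constructed from documentation address ranges and private ASNs, not real routing data.

```python
"""Added example: classify BGP announcements against a baseline of
prefix -> expected origin AS. All data below is constructed."""
import ipaddress

# Baseline of what "should" be announced (constructed: documentation
# prefixes and private ASNs, not real routing data).
EXPECTED_ORIGINS = {
    "203.0.113.0/24": 64496,
    "198.51.100.0/24": 64497,
    "192.0.2.0/24": 64498,
}


def covering_baseline(prefix):
    """Most specific baseline prefix that contains `prefix`, together with
    its expected origin AS, or None when the baseline does not cover it."""
    net = ipaddress.ip_network(prefix)
    best = None
    for base, origin in EXPECTED_ORIGINS.items():
        base_net = ipaddress.ip_network(base)
        if net.version == base_net.version and net.subnet_of(base_net):
            if best is None or base_net.prefixlen > best[0].prefixlen:
                best = (base_net, origin)
    return best


def classify(prefix, as_path):
    """Label one announcement. `as_path` is the AS_PATH as seen by the
    monitor, origin AS last. A more-specific prefix wins longest-prefix
    match everywhere, which is why it is the preferred hijack tool: the
    attacker needs no better path, just a smaller block."""
    origin = as_path[-1]
    covering = covering_baseline(prefix)
    if covering is None:
        return "unknown-prefix"
    base_net, expected = covering
    more_specific = ipaddress.ip_network(prefix).prefixlen > base_net.prefixlen
    if origin != expected:
        return "more-specific-hijack" if more_specific else "origin-hijack"
    if more_specific:
        # Right origin but a new, smaller block: either legitimate traffic
        # engineering or a forged path that kept the real origin AS. Review.
        return "more-specific-review"
    return "ok"


def audit(announcements):
    """Run classify() over a feed of (prefix, as_path) pairs."""
    return [(prefix, classify(prefix, path)) for prefix, path in announcements]


# Constructed feed as a monitor in AS 64500 might see it: (prefix, AS_PATH).
SAMPLE_FEED = [
    ("203.0.113.0/24", [64500, 64496]),           # normal
    ("198.51.100.0/25", [64500, 64510, 64511]),   # more specific, wrong origin
    ("192.0.2.0/24", [64500, 64511]),             # same prefix, wrong origin
    ("203.0.113.128/25", [64500, 64496]),         # more specific, right origin
    ("198.51.100.0/24", [64500, 64497]),          # normal
    ("10.0.0.0/8", [64500, 64512]),               # nothing in baseline
]

if __name__ == "__main__":
    for prefix, verdict in audit(SAMPLE_FEED):
        print(f"{prefix:18} {verdict}")
```

The origin check catches the crude cases. A path forged so that it still ends in the legitimate origin AS lands in the review bucket, which is why monitoring for any new more-specific announcement of your own address space matters more than the origin comparison alone.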

badBIOS

I’m reading with interest the assertions and the subsequent scepticism regarding the badBIOS saga. Totally fascinating, if you’re into this stuff.

This is why I love the infosec community. Reputation matters. Results matter. Science ultimately rules, but there is a lot of “gut instinct” and “second nature” involved, too. I

It will be interesting to see how this plays out. 

Alternative Platform

Hi Peeps. I want to start using an Android-based phone as my second mobile (I always carry two; I have a condition). I am looking around for recommendations. Here are my requirements:

  • I use some Gmail and IMAP accounts, and am about to consolidate on self-hosted IMAP to avoid Google’s bullshit
  • I regularly test Mobile Device Management and Enterprise Mobility Management tools and platforms for my work, so it should be one with wide support for management tools
  • I want access to Google Play
  • I live in Austria, and will be using the carrier Drei
  • I like Whatsapp, Twitter, Foursquare

Right now, I’m leaning towards a Samsung Galaxy S4 just because it’s what I have heard of and it gets good reviews. Is there something else I should be considering?

That’s Gonna Leave A Mark

Adobe was expected to announce a massive data breach, and then actually did.

I like the way Adobe’s disclosing this information. But it looks like this was such a wide-ranging breach that they even lost source code:

hacking team’s server contained huge repositories of uncompiled and compiled code that appeared to be source code for ColdFusion and Adobe Acrobat.

Am I Unable To Understand English?

I’ve always thought that Microsoft CEO Steve Ballmer had ineloquent diction. His metaphors were overwhelmingly blustery and masculine, his poetry was completely absent, and the stories he told about Microsoft were never inspiring or creative, but rather litanies of compete-speak and business jargon wrapped in a salesman’s ego.

So when Microsoft put out a press release indicating that the company had finally figured out that it has missed out on nearly every important development in technology in the past ten years, failed to lead or innovate in any of them, and decided to shit-can Ballmer, I can’t figure out what this sentence means:

“My original thoughts on timing would have had my retirement happen in the middle of our transformation to a devices and services company focused on empowering customers in the activities they value most.”

What? Aren’t they in the middle of that transition? And if this was so well-planned and thought out, why the surprise in timing? Anyway, I just can’t make sense of that. What does it mean?

Ballmer can’t tell you. I mean, they finally give Mary Jo Foley her first Ballmer face time in 20 years, and he gives her this:

Q: One more question on timing. Does your announcement today tell us anything about what to expect, earning-wise, for Q1 FY 2014 for Microsoft. Is it going to be nothing to write home about, as some have been whispering in my ear?

Ballmer: A) we don’t comment on a quarter. We would never comment on a quarter. No chance we’ll comment on a quarter. So I can’t answer your question.

Does anything about this timing, however, have anything to do about anything short term, the answer is absolutely no.

The timing here is all (the fact that) these things come in waves. We have kicked off, the leadership team and I have kicked off a new wave. And in looking at that and saying to myself, can I last deep enough into this — can I last isn’t the right way to say it — do my personal plans sort of fit with me lasting far enough that I’m not leaving in now mid-wave, kickoff’s fine but not leaving mid-wave, the timing is all about that. I mean, summer is the kind of time we would do — this would happen anyway, because summer is when we write our personnel reviews, summer is when we sort of do our long term contemplation. So that’s all been consistent, if you will. So there’s nothing short term about the selection of timing, and I just refuse to even say anything that relates to your actual question.”

*BLINK*

fred-wilson:

That’s some crazy shit right there

German Government: You Can’t Trust Windows 8 and Microsoft

The German Federal Office for Information Security has circulated information internally that Windows 8 is not to be considered a trusted platform when used in connection with the Trusted Platform Module 2.0.

I can totally relate.

Microsoft, as the purveyor of what amounts to a piece of critical infrastructure for the majority of the world, should implement security in a way that is trustworthy for the world. But that’s the key phrase: “trustworthy”.

The entire concept of trustworthiness means that, eventually, you have to trust *somebody*. 

In this case, Microsoft and the people defining TPM 2.0 should have worked out a way for the end users of these devices to assign that trust to whomever or whatever they choose. In fact, users should be made explicitly aware of whom their trust is assigned to: in practice that means knowing which keys the platform will accept for boot and attestation, and being able to replace them.

I suspect that is indeed possible if one digs into the details and the implementation. However, the default assignment of that trust to Microsoft is absolutely the wrong choice, especially for any organization or individual with even a slight interest in confidentiality or integrity.
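How a user can actually answer the “whom is my trust assigned to” question, as an added example that is not part of the original post or of anything Microsoft or the BSI published: the keys a Secure Boot machine will accept live in the UEFI signature database variable (db), a sequence of EFI_SIGNATURE_LIST structures in which every entry carries the GUID of the owner who enrolled it. The parser below walks such a blob and tallies entries per owner. The sample blob, the ORG_OWNER GUID and the certificate bytes are constructed placeholders; Microsoft’s owner GUID is the one published in its Secure Boot key guidance and should be checked against your own firmware. On Windows the raw bytes come from the Bytes property of Get-SecureBootUEFI -Name db; on Linux from /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f after stripping the 4-byte attribute prefix.

```python
"""Added example: enumerate the trust anchors in a UEFI Secure Boot 'db'.
The variable is a sequence of EFI_SIGNATURE_LIST structures:

    SignatureType        GUID    (16 bytes: which kind of entries follow)
    SignatureListSize    UINT32  (bytes in this list, header included)
    SignatureHeaderSize  UINT32  (bytes of type-specific header, usually 0)
    SignatureSize        UINT32  (bytes per entry, owner GUID included)
    SignatureHeader      [SignatureHeaderSize bytes]
    Signatures[]         each = SignatureOwner GUID (16) + SignatureData

Sample data below is constructed, not read from a real machine."""
import struct
import uuid

HEADER_LEN = 28  # 16-byte GUID + three UINT32 fields
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}

# Owner GUID Microsoft uses for the entries it ships (from its Secure Boot
# key guidance; verify against your firmware). ORG_OWNER is a made-up GUID
# standing in for an organisation that enrolled its own key.
MICROSOFT_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
ORG_OWNER = uuid.UUID("0f3a3c2e-1b2d-4e5f-8a9b-0c1d2e3f4a5b")


def parse_signature_lists(blob):
    """Return (type_name, owner_uuid, data) for every entry in blob.
    Any inconsistency raises ValueError so a truncated or tampered
    variable is never silently half-read."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize inconsistent with blob length")
        if sig_size < 16:
            raise ValueError("SignatureSize too small to hold an owner GUID")
        body = blob[off + HEADER_LEN + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature area is not a whole number of entries")
        type_name = SIG_TYPE_NAMES.get(sig_type, str(sig_type))
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((type_name, owner, bytes(body[i + 16:i + sig_size])))
        off += list_size
    return entries


def trust_report(blob):
    """Count entries per (type, owner): who is allowed to sign what boots."""
    report = {}
    for type_name, owner, _ in parse_signature_lists(blob):
        key = (type_name, str(owner))
        report[key] = report.get(key, 0) + 1
    return report


def unexpected_owners(blob, allowed_owners):
    """Owners present in db that are not on the organisation's own list."""
    return {owner for _, owner, _ in parse_signature_lists(blob)} - set(allowed_owners)


def build_signature_list(sig_type, entries):
    """Encode one EFI_SIGNATURE_LIST; used here only to construct sample
    data. The format requires every entry in a list to have the same size."""
    sigs = [owner.bytes_le + data for owner, data in entries]
    sig_size = len(sigs[0])
    if any(len(s) != sig_size for s in sigs):
        raise ValueError("entries in one list must be the same size")
    body = b"".join(sigs)
    return sig_type.bytes_le + struct.pack("<III", HEADER_LEN + len(body), 0, sig_size) + body


# Constructed sample db: one vendor-shipped certificate, one organisation
# certificate and two organisation-enrolled SHA-256 hashes. The certificate
# bytes are placeholders, not DER.
SAMPLE_DB = (
    build_signature_list(EFI_CERT_X509_GUID, [(MICROSOFT_OWNER, b"placeholder-cert-vendor")])
    + build_signature_list(EFI_CERT_X509_GUID, [(ORG_OWNER, b"placeholder-cert-org")])
    + build_signature_list(EFI_CERT_SHA256_GUID, [(ORG_OWNER, bytes(32)), (ORG_OWNER, bytes(range(32)))])
)

if __name__ == "__main__":
    for (type_name, owner), count in sorted(trust_report(SAMPLE_DB).items()):
        print(f"{type_name:7} owner={owner} entries={count}")
    print("not ours:", unexpected_owners(SAMPLE_DB, {ORG_OWNER}))
```

Run against a real db, unexpected_owners() with your own owner GUID as the allowed set is the one-line answer to whether the machine still trusts keys you did not put there; the same parser works on KEK and dbx, which use the same structure.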

I’m coming back! SRSLY hope to start Tumbling again now that summer is winding down and I have a lot of interesting security stuff to talk about.

Apple Blocks Flash

Not sure how Apple is doing this, but I just noticed they blocked my Flash plugin from running based on the fact that it was not “up to date”. So maybe every time something like this happens, they will push this kill switch. 

Which basically means we will never have Flash on Macs again.

It also means I need to look into how this works. It’s an interesting development.

coolchicksfromhistory:

Police report on the arrest of Rosa Parks, 1955.

A diagram showing where Rosa Parks was seated.

fuckyeahhistorycrushes:

Hedy Lamarr. Actress. Mathematically talented, Lamarr also co-invented with composer George Antheil an early technique for spread spectrum communications and frequency hopping, necessary for wireless communication from the pre-computer age to the present day.