MSFT @ 50

Microsoft was founded 50 years ago this coming April. Most of you are somewhat familiar with their origin story, which began in a small office in Albuquerque with Bill Gates and Paul Allen. And thanks to this series in GeekWire, you can read about things from their perspective. This series has inspired my own POV.

Back in the spring of 1975, I was finishing up college in New York. The only computers I had access to were mainframes. When I got to grad school a few years later, we had a time-sharing system. That meant getting up at the crack of dawn or waiting until the middle of the night to go across campus and sit in front of a monochrome character-mode terminal. The odd hours were caused by their popularity during the day. When I got my first post-grad-school job in DC, I used a downtown “remote job entry” storefront (I think it was on K Street, but don’t hold me to that) where I could submit my decks of punched cards and come back the next day to see if my programs had run without errors. (They usually took a few tries, just so you know.)

My first actual PC was an HP 85 running CP/M, somewhere around 1979. I was using it to build math models for various consulting clients, and the models were built using VisiCalc, the original digital spreadsheet. It had all of 8K of RAM, an amount of memory so small you can’t even buy it in a basic digital watch today.

My first interaction with Microsoft was IBM PC DOS in 1981. It would take several years before I joined PC Week in the mid-1980s, when I got my first breakout job there (now known as eWeek). Then I began using Microsoft’s local area network software, called LAN Manager, that it built to run on 3Com’s servers. The LAN Man era accounted for one of my favorite PC Week cover stories back then: we wrote about how anyone could take over a server with a simple boot floppy which granted unrestricted physical access to the machine. Ah, those were the days!

It was at PC Week that I began to develop relationships with many of the MSFT execs, including Ballmer and Gates, as we went around the country to various events and covered major product launches. It was a heady time for a former anonymous corporate user, now blessed with a huge expense account.

I got sidetracked during this time period with OS/2, the failed IBM and Microsoft operating system project that resulted in a book deal for me (which remains unpublished) and a new server operating system for Microsoft called Windows NT. NT had an enduring and somewhat troubling legacy, which I first wrote about in 2003. I still have a soft spot in my keyboard for it.

NT is the OS that keeps on giving, as I recently updated a post for CSOonline about its infamous and enduring NTLM protocol, a favorite of hackers through the ages because it basically doesn’t require any authentication.

During the 1990s, Microsoft (along with many of us) discovered the web, or as we called it then, The Web. Microsoft stumbled here as well, trying to make the web its own proprietary playground, as I wrote about in 1998. This would be a common theme, one that I called attention to when ActiveX was on its way out in the mid-2000s for dynamic content. They tried and failed to squash the upstart browser innovator Netscape with their own Internet Explorer. That eventually failed and now Microsoft’s Edge browser is based on Google’s Chromium.

It was during this decade that Microsoft began to understand the open-source community. Some of this understanding was the result of court judgements (at one point in time, the company had 130 lawsuits to deal with), and some due to a transformation of its collective engineering mindset. I went to one of its 2007 conferences where it was clear that it still had a love/hate relationship with the internet and viewed many OSS projects as competitors for its own commercial products. You can see how that attitude has changed somewhat on this current splash page, where they claim to use thousands of OSS projects every day.

It was also in 2008 that Gates announced his retirement, and where I developed a clever speaking gig giving thanks to him for making my career so interesting. The speech is somewhat tongue-in-cheek: if Microsoft had made better products or gotten on board trends sooner, I would have had a more boring arc in writing my stories, not to mention fewer support issues. Remember Bob and Clippy? Windows 8 and ME?

Thanks to all of you for reading my work over the years, and sharing your own MSFT memories along the way.

The miserable mess that is Microsoft Recall

Last week Microsoft announced a new feature that is a major security sinkhole called Recall. It is a miserable mess, and makes Windows more vulnerable to attack. Sadly, it will be operating by default unless you get out your secret decoder ring and lock it up behind some group policies.

Why is Recall so bad? It combines the features of a keylogger and an infostealer and puts them inside the Windows OS. It automatically takes frequent screenshots of what you are doing, and stores them on your hard drive. This data is stored in a searchable database, so you can rewind what you are doing to a specific point in time. This includes all your passwords, if they are displayed on screen. Kevin Beaumont wrote that Recall fundamentally undermines your security and introduces immense new risks.

It didn’t take long after the announcement at Build, Microsoft’s annual developer conference, for the UK ICO, its privacy agency, to open an inquiry. Yes, hackers would need to gain access to your device and figure out the encryption of the data, but these aren’t big hills to climb. “Something could go wrong very quickly,” said one security researcher. 

Eva Galperin, director of cybersecurity with the Electronic Frontier Foundation, said Recall will “be a gift for domestic abusers,” given that a partner would have physical PC access and perhaps login details too. She said the database of screenshots would be a tempting target for hackers.

Microsoft will start selling its own line of AI-enabled laptops later this summer that will include Recall. Sometimes total recall goes awry, as fans of the original Arnold movie (or Philip Dick short story) might remember. It’s too bad that this is one journey from sci-fi to reality that we could do without. Here is how to disable it.

CSOonline: Microsoft Azure’s Russinovich sheds light on key generative AI threats

Generative AI-based threats operate over a huge landscape, and CISOs must look at it from a variety of perspectives, said Microsoft Azure CTO Mark Russinovich during the Microsoft Build conference this week in Seattle. “We take a multidisciplinary approach when it comes to AI security, and so should you,” Russinovich said of the rising issue confronting CISOs today. I cover his talk, which was quite illuminating, about AI-based threats here for CSOonline.

 

CSOonline: It is finally time to get rid of NTLM across your enterprise networks

It is finally time to remove all traces of an ancient protocol that is a security sinkhole: NTLM. You may not recognize it, and you may not even know that it is in active use across your networks. But the time has come for its complete eradication. The path won’t be easy, to be sure.

The acronym is somewhat of a misnomer: it stands for Windows New Technology LAN Manager and goes back to Microsoft’s original network server operating system that first appeared in 1993.

NTLM harks back to another era of connectivity: when networks were only local connections to file and print servers. Back then, the internet was still far from a commercial product and the web was still largely contained as an experimental Swiss project. That local focus would come to haunt security managers in the coming decades.

In this analysis for CSOonline, I recount its troubled history, what Microsoft is trying to do to rid it completely from the networking landscape, and what enterprise IT managers can do to seek out and eliminate it once and for all. It will not be a smooth ride to be sure.

Faking the demo

Simon and Garfunkel once sang:

I know I’m fakin’ it / I’m not really makin’ it / I’m such a dubious soul

I was thinking about this song while I was reading this report in TechCrunch about a recent Google demo of their Gemini AI model. Turns out the demo was faked. “Viewers are misled about how the speed, accuracy, and fundamental mode of interaction with the model,” they wrote.

Now, in the rush to either overlaud or bedevil AI over the past year, we have this. It is enough to make me want to dive back into the Bitcoin market, where the real faking was going on. Just kidding.

Getting to the bottom of how demos are conducted used to be my bread and butter as a roving technology reporter back in the go-go 1980s and 1990s. I was (in)famous for going behind the equipment that was being demo’ed in front of me, and pulling the plug or some Ethernet cable to see if it stopped, testing the reality of the situation or seeing if the vendor was running some canned video. PR folks warned their clients ahead of time that I was going to do this, and some vendors even incorporated the “Strom reveal” in their demos.

I recognize that the demo gods can be cruel, and often things go wrong at the last minute. We all recall the famous moment when Bill Gates himself got hit with a blue screen when showing off some Windows 98 demo. The audience cheered, I guess in sympathy — at least that was back when the titans of tech could be sympathetic and not act with the emotional range of children. Or when candidates running for national office — or podcasters with huge multi-million audiences — wouldn’t espouse ridiculous conspiracy theories. I am sure you can guess who I am talking about in each of these cases. Sadly, there are multiple examples of each. These people are in plentiful supply.

Now, it is great that my tech press colleagues can call foul play on Google’s demo. Especially on the topic of AI, when the hype is already on overdrive. But maybe it is time to return to a more believable era, when things were more genuine, and when “alternative facts” were once called “bold faced lies” or something more profane. Or when we had fewer dubious souls roaming the planet.

Self-promotions dep’t

Among the numerous articles that I wrote this week for SiliconANGLE is one about Joe Marshall who was the genuine real deal. You should read about his leadership and determination to help the Ukrainian people. Recall how the Russians jammed GPS signals so their troops weren’t targeted? Turns out that doing that does more than prevent folks from finding their way around the country. It also disrupts their power grid, which needs precise absolute time to synchronize the power flows. Marshall cobbled together some Cisco gear (he works for the company, but that isn’t really the point) and got their lights turned back on thanks to his doggedness in figuring out how to do it.

Speaking of GPS jamming, even in the best of times there are numerous GPS fails. How about all the people — and there were a lot of them — who were stranded in the Mojave desert coming back to the LA area from Vegas. They were following directions from Google Maps, and also didn’t know that there is only one way to get there (I-15). Now they certainly do.

SiliconANGLE: That Chinese attack on Microsoft’s Azure cloud? It’s worse than it first looked

The revelations last week that Chinese hackers had breached a number of U.S. government email accounts indicate the problem is a lot worse than was initially thought, according to new research today by Wiz Inc. Indeed, this hack could turn out to be as damaging and as far-reaching as the SolarWinds supply chain compromises of last year.

In my post for SiliconANGLE, I summarize what Wiz learned about the attack, what you have to do to scan and fix any potential problems, and why people who choose “login with Microsoft” are playing with fire.

SiliconANGLE: News from Google and Amazon cloud announcements this week

I posted two stories on SiliconANGLE about lots of news coming from new security services on Google Cloud and similar news from AWS. Both are showing that we are at watershed events — AWS is making architectural changes and adding new depth with programming languages such as Cedar. Google is finally building some solid tools into its Chronicle platform that has been available for four or so years now. Both are also paying attention to LLMs/Generative AI methods to provide threat intelligence.

Both vendors are trying to consolidate their services with their channel partners large and small.

News flash: Google can still track you

Yesterday Google announced that they will completely eliminate third-party browser cookies. Calling it a move towards a more privacy-first web, as their director of product management who wrote the post claimed, is a bit of a misnomer. Yes, they will phase out tracking these cookies on their Chrome browser. But they will still track what you do on your mobile phone, especially an Android phone, and track what you do on their own websites, including YouTube and its main search page. And they will still target the ads that you see from these activities.

The announcement was expected: last year they announced their plan to de-cookiefy their browser. They basically had to — Safari and Firefox have blocked these cookies for years, so it was high time Google got on board this train. They have come up with a variety of technologies and tools that sound good at first blush, but I am not sure that these replacements are better, especially for preserving privacy. One of them is called the Privacy Sandbox. Now, sandboxes have certain implications, especially for security researchers. The goal is to limit who can view what is going on inside the sandbox, and more importantly, who can’t. It seems that smaller advertisers will have to find some other place to play, but the big guys will still have the means to figure out who you are and more importantly, what you are interested in, to target their advertising. Vox’s Recode says that “Google will still technically deliver targeted ads to you, but it will do so in a more anonymous and less creepy way.”

Firefox has a better idea: to limit the reach of cookies to just the website that places them on your hard drive. They call it Total Cookie Protection and you can follow the links on their blog to understand more of the details. It does seem to eliminate web tracking cookies, but we’ll see as they roll it out across their browsers.

In the meantime, if you use any Google products, go to your Google Account and review the numerous personalization settings you have at your disposal to rid yourself of tracking, including their activity controls, ad personalization, and recorded activity history. And if you are using an iOS phone or tablet, make sure you update to iOS v14 and enable the ability to block cross-app tracking.

Network Solutions blog: The Best IT Certifications to Maximize Your Personal ROI

As teaching methods advance and especially during the pandemic, online learning is starting to approach a physical classroom experience, and it’s great for conceptual learning. A good online learning experience should include not only content, but should also feature practice drills, integrate with real-world case studies, and contain a social component to make learning more effective. I cover some of the things to look for in selecting the right professional IT certifications to increase your potential value to your company.

You can read my blog for Network Solutions here for more about this topic.

Network Solutions blog: What is Identity and Access Management and How Does It Protect High-Profile Users?

My latest blog for Network Solutions is about identity and access management. Our email accounts have become our identity, for better and worse. Hackers exploit this dependency by using more clever phishing lures. Until recently, enterprises have employed very complex and sophisticated mechanisms to manage and protect our corporate identities and control access to our files and other network resources. What has changed recently are two programs from Microsoft and Google that are designed to help combat phishing. They are aimed at helping higher-risk users who want enterprise-grade identity and access management security without the added extra cost and effort to maintain it. The two programs are called AccountGuard (Microsoft) and Advanced Security (Google). In my blog post, I explain what these two programs are all about.