46 comments

[ 2.9 ms ] story [ 108 ms ] thread
I think that while the claim is true, the tawdry implication is less clear.

Organizations which feel it a great risk have alternatives and can move to alternative solutions if MS drags its feet. Moreover, this isn’t just MS, it’s most of the software industry in general who benefit from the skittishness by promoting and proving “cloud alternatives” and other solutions as well as the solutions riding these coattails (from indemnification, forensics, to threat detection, etc.

TL;DR it's a sales pitch for Proofpoint. Absolutely no interesting content whatsoever.
Weren't they a high-flying Palo Alto email scanning startup?
This is like saying "Ford is contributing to car accidents and monetizing the safety hardware"

Irresponsible reporting

There are at least several ways to continue your analogy though.

1) Cars cause accidents, and modern safety improvements like pedestrian alert, don't make up for the responsibilities manufactures have for their death machines

2) "Features" in new cars, like increased touchscreen usage, contribute to accidents by causing distraction. Better braking or whatever doesn't overcome the responsibility to have better control interfaces.

3) New tactile controls, and popup displays for backup cameras, in some recent luxury cars are reversing the trend in distracting touch-screen interfaces, resulting in safer driving experiences

All three examples above are true to some extent.

Sure but Ford isn't developing shitty touchscreens because they want to cause accidents so they can upsell you on a more expensive jogwheel.

They're developing shitty touchscreens because they're an old car company with little expertise in software UX.

Neither is microsoft. They aren't deliberately adding security bugs to their software. They just are doing a crap job of building secure software. You could argue they don't have the right incentives to fix that problem though.
This is a terrible analogy and you should feel terrible for offering it.

MSFT is 100% in a conflict of interest by simultaneously both selling the disease and the 'cure'.

The only bigger crime is when companies genuinely believe that paying MSFT for both is a good idea.

> "Ford is contributing to car accidents and monetizing the safety hardware"

Or (and I can predict the reaction to this, but it's a thought-provoking analogy): pharma companies coming up with treatments that aren't strong/cheap/scalable enough to eradicate a disease, so the virus evolves to become immune, requiring governments to keep buying more doses.

S mode seemed like an improvement, but their ecosystem is much more diffuse and wild west than Apple's to get all devs signing their work and putting them on the MS store.
This is completely stupid; Microsoft didn't develop PowerShell and Excel macros on purpose in order to enable cyber threats, so that it could then monetize the countermeasures.
(comment deleted)
This is just inane. There's nothing in this piece, or in anything from the previous decade, that suggests Microsoft is intentionally putting people at risk. The only thing I can think about is potential dealings with the NSA, but you could say as much of any large American tech company.

The fact is that Microsoft has continuously improved its process for the past fifteen years while being the most exposed company in IT.

Backwards compatibility, including keeping arcane and dangerous features, is the killer product of Microsoft and companies value it enough to accept increased risk exposure. That's all there is to it.

>The design of Active Directory, Office macros, PowerShell, and other tools has enabled successive generations of threat actors to compromise entire environments undetected.

And SSH and Bash contribute to arbitrary remote code execution !

Yes and no.

If you don’t buy E5, Microsoft’s position is that you are not entitled to even basic things like conditional access in O365. They no longer invest, even in 1st party solutions to allow for a clean implementation of this sort of solution.

They are a company with a lot of good security capability, but they use anticompetitive tactics to sell them. Products like O365 are very insecure for many customers as a result. I should not need to turn employee identity over to Azure AD to authenticate email users.

Ditto with modern windows. You cannot do modern mdm management with SCCM unless you buy Intune. That was a feature offered and the withdrawn as market uptake of Intune was poor. (because it sucks.) Again, I shouldn’t need to turn over machine identity to Azure AD to image a PC.

The E5 thing really annoys me, and I've seen many others in the infosec space on Twitter bemoaning it too. It really is silly that they reserve security features for E5 customers, when these things should be available to all customers.
We have E5 licenses, which security features are you referring to?
Within O365, ATP is a E5 feature, although I’m sure the legacy AV in E3 is awesome. The ability to limit client access is very limited. Anything ActiveSync will sync. I believe the only other option is to only allow the Outlook for Mobile App.

E5 allows you to limit the types of clients that can connect.

M365 E5 or EMS allow for conditional access, and to terminate sessions based on various criteria. Without it, you are limited as to how you can affect application access.

I once sent this https://ibb.co/XpwGwrK to Satya, but never got a response.

It was absolutely a racket that you couldnt connect Windows Pro Defender to the cloud to track threats without renting Win E5.

Everyone in this thread is very defensive, but putting the security features all at the top of the licensing chain is exactly the behavior the author is accusing them of. The author however wrote a puff piece that was nearly devoid of any useful information. You could have deleted the entire article and kept just: "So, with one hand, the company ships vulnerabilities and hosts malware, and with the other, it charges to “protect” users from those same vulnerabilities and threats."

What the article did not do, was make a convincing argument that a third party alternative was a better threat protector. They could do a worse job while also having a lesser conflict of interest.

> The fact is that Microsoft has continuously improved its process for the past fifteen years while being the most exposed company in IT.

It's not just that they have continuously improved process, they have also made enormous contributions to the security space in terms of building and sharing repeatable processes, and providing a platform to socialize some of those practices (for example, bug bounty programs, threat modelling, SDL practices, tons of documentation and guidance around how to improve processes).

I am not a Microsoft shill - my main use for Windows and Microsoft products are video games, and Microsoft Office, but they have made tremendous progress and shared several tools and learnings along the way.

> This is just inane. There's nothing in this piece, or in anything from the previous decade, that suggests Microsoft is intentionally putting people at risk.

Are saying the article suggests that but does not support it? If so, where does it suggest that? I don't see that, scanning the article -- but I do see:

> it was not the company’s intention to become a leading contributor to security risk.

It seems like they're not suggesting some evil plan, but something more like just the operation of the market?

The article claims Microsoft is 'selling the cure' for cybersecurity flaws in its products, but provides literally zero evidence for this statement.

Somewhat disappointing the author expects me to take this core foundation of the article on faith.

Agree. I think this is thanks to many journalists who don't even need to explain or justify their thought process anymore.

This article offers a highly accessible and simplified construct that allows anyone without the need for causality to feel "informed" and formulate an opinion.

p.s. I wrote a longer response about this in another comment.

That would be a racket, not a paradox.
In a nutshell: Microsoft is bad, hmmmmmkay?

Author presents no facts to support their obviously biased click bait headline.

Many baseline versions of SAAS software will use username/passwords but in order to get SSO you need the premium version. Is it fair to accuse that company of profiting from cybersecurity threats because username/password is less secure than SSO?

"If you only addressed the capability from product B in product A then product B would not be necessary" is not automatically greed or malice, these are just basic product portfolio decisions.

I think the realistic situation is that they're desperately trying to fix it at one end and selling protection at the other end. There's no malicious causality here. It's just a typical human evolutionary shit show.

Really it sucks for the end users because the security solutions are a shit show and vastly destroy the usability of devices for technical and power users and the architectural flaws of windows are just horrible to start with.

As much as I am no fan of Microsoft, at least they're trying though.

> I think the realistic situation is that they're desperately trying to fix it at one end and selling protection at the other end. There's no malicious causality here. It's just a typical human evolutionary shit show.

Microsoft did not care about security until ca. 2001. Then some viruses came which prompted MS to address some issues. The only security step taken later by MS was to integrate Defender in windows. But this came late, at the time when the so called AV products were basically rootkits (which Defender is also). With the rise of javascript and the browser as a (virtual) machine, came a lot of remote exploits. Of course MS does not care, it is your data that you have to protect.

> Really it sucks for the end users because the security solutions are a shit show and vastly destroy the usability of devices for technical and power users and the architectural flaws of windows are just horrible to start with.

The security solutions are a shitshow because there are no real security companies. They mostly offer security as a certification - install our software and you will reach certification X.

> As much as I am no fan of Microsoft, at least they're trying though.

I don't think so. Their aim (like every company) is to make a lot of money from all their departments. Thei sell everything, even "security".

All the people I know at Microsoft do their best to improve the products. They are hemmed in by horrible bureaucracy that stymies them often, but at the end of the day they want an easy life with solid products that don't have bugs and exploits.

Making secure code is hard.

And they failed miserably. The only thing they acomplished is change by the sake of change. Every few months they move GUI elements in Teams and they call it an improvement. And despite their telemetry they still don't get it that messing with the title bar is a bad idea (hello Google, hello Firefox).
Scam article, why is this here?

> Editor's Note: This article has been updated to include a summary of Microsoft's responses to criticism related to the SolarWinds hack. Proofpoint and Microsoft are competitors in cybersecurity.

I very much do not like Microsoft, and I find this article to be specious at best, and a blatant and malicious lie at worst. By the logic displayed here, every organization that's ever created a network protocol or programming language is responsible for all exploits that make use of it, forever, even though they are not intentional outcomes. There's also no evidence whatosever that Microsoft is monetizing "the cure", as if any such cure even exists. At best, there's a bevy of "security" companies that exist because of their response to issues in Microsoft-land, but Microsoft is not directly profiting in any way, and if anything it exists as a stain on their reputation.
A good analogy to the Microsoft paradox is the Pfizer/Moderna vaccines against Covid-19: these companies have distributed a vaccine that we can safely qualify as well vulnerable to time (effect wears off after a low number of months). People who took this vaccine were passively encouraged to believe they are safe to engage in risky behaviors and to ignore all safety rules. The consequence of this is two-fold: a significant number of vaccinated people will probably die soon because their vaccine just doesn't work anymore, and a much more significant number of people will become aware of this and seek to get a third dose in order to boost their immunity.

We could argue that Pfizer and Moderna are doing this intentionally and thus contributing to being both the problem and the cure, simply because they did not work enough to release a more robust vaccine.

To be honest, I felt the same thing after reading the article than after reading your comment: two extreme opinions that either treat Microsoft as the bad guy, or as the victim.

I think what we are observing is much more complex than it seems, and it may be heavily influenced by three aspects: the size of Microsoft, its silo culture, and its low/limited level of security expertise.

First, Microsoft is big. And by big, I mean, it is big enough to do business on both aspects of a same concern, namely, to write software used globally/worldwide and to produce products and services to make the cyber-work more secure. Microsoft can do that without ever questioning the relationship or logic between these two businesses, as long as it can deliver both markets satisfyingly.

Second, Microsoft operates in a silo culture (like all similar companies, this is not a "Microsoft" thing). Even if one department "knows" something about cyberthreats and how to mitigate them, chances are that the other department will either not be informed, or not be willing to invest time to collaborate with people working in "the other building". Their respective top-level managers are probably incentivized to sell rather than to collaborate, too. We would be well inclined to criticize Microsoft for this, assuming the same gangrene is affecting both large companies and public institutions everywhere.

Third, Microsoft is not that good at cybersecurity as many may think. One reason that could explain why so many see Microsoft as the elite in cybersecurity is because most people working in the field are mediocre at their job. Another point is that cybersecurity introduces a very broad spectrum of problems and capabilities/skills. Microsoft is good at incident detection/response, governance, threat intelligence and vulnerability management. These concerns are very appealing to senior executives, especially those who don't understand a thing about technology and those who would always prioritize paying for a good fire department rather than learning how to build, maintain or operate robust IT systems. On the other side of the spectrum is writing secure code: Microsoft is not good at it. I would never say that Microsoft is doing a worse job than others, they are just simply mediocre, like the largest part of the software industry worldwide. We may think they are good at writing secure code, but they are simply not. Some Microsoft's engineers produced pillar research work in the field of designing and writing secure systems (e.g., threat modelling, security development lifecycle, compiler optimization/hardening, etc.) between 2000 and 2010 but the company hasn't much evolved since. It is fully stagnating, whereas its pace of innovation and its production of "new code" is accelerating.

This brings me to my conclusion: saying that Microsoft is selling the cure to insecure systems is wrong, in my opinion. I think they are just selling a symptomatic treatment for a globally broken enterprise management model that tends to reward whoever acquires insecure software much more than anyone who dares trying to vet soft...

Part of Microsoft's problem is its immense attack surface.

For every instance of a server or network router running a Linux-based OS that requires deep tech knowledge just to log in, there are dozens or even hundreds of Microsoft desktops running software. These are sitting in front of folks who get used to the nice features and aren't watching for subtle URL changes, application misbehavior, or other hints that those reading this forum are more likely to pick up on.

Looking back, certainly we could have done without some of the feature set (something Google picked up on this when they designed their own office suite), but I can't fault MS for trying to make their products attractive to their customers.

AFAIK a security rule says that you shall run as few processes as possible to achieve your goal and keep ports closed by default. Windows (even 10) does not care about it.
Security is governance of tech, and when that clicks, it makes sense why MSFT or anyone can't just "fix" it. I genuinely dislike that company and its products, but releasing vulnerabilities and exploits or shipping code with risks is part of the ecosystem.

The article implies it has an old way of thinking where because software is artificial we can ostensibly operate it as being a deterministic system, and that we can solve security, which is effectively a political problem of control and power, by specifying the right operations. Reality is, we have initial conditons and incentives, and what happens in between is dynamic.

Governance has policy, surveillance, and enforcement, and security products fall into those buckets, with the highest value being to the latter, and the smartest being the first. Policy requires more forethought and coordination than you can reasonably expect at scale within orgs, let alone across different ones, so we (sec) sell surveillance and enforcement tools instead.

A lot of comments are jumping to saying how extreme this is and arguing that this is a hit piece, but I think they’re missing the important point here: Microsoft is incentivized to create insecure software. When they’re allocating the budget, it’s gonna be a harder to convince your boss to invest in security when every dollar in security is a dollar you don’t make in sales for security solutions. Bad situations arise when there is a mismatch between customer needs and company incentives.
Proofpoint/Crowdstrike/etc. are, by the same logic, incentivized to fix only 90% of security issues they are aware of so that they can continue to have customers.
That problem is not unique to Microsoft, or even the software and computing industry as a whole.

I don’t believe ‘incentivised’ is the correct term either as it suggests and additional reward on top of the binary give and take between more or less software assurance in response to market demands. It’s just a business decision that everyone has to make. Even open source communities need to make a decision to expend time in one area or another.

> That problem is not unique to Microsoft, or even the software and computing industry as a whole.

Yes and it’s a very bad thing and it’s so bad that it’s frequently regulated to prevent it from happening. For example, in many regions of the US it is illegal for asbestos test companies to also be asbestos removal companies because they’re incentivized to lie.

I don’t believe Microsoft is talented enough to do this deliberately.
Relevant context: The author, Ryan Kalember, is an executive at Proofpoint. His title says "Cybersecurity Strategy", but he's really in marketing and PR. I know Ryan and would say he's a great guy and by far the best marketing executive I've worked with, but marketing is marketing. This piece is marketing.

Proofpoint competes with Microsoft in the email security space, less and less effectively as time has gone on. They're partners with CrowdStrike and George Kurtz in the Spectra Alliance [1], and CrowdStrike also competes with Microsoft (in the EPP/EDR space), so it's not surprising to see them team up against a common competitor.

All that said, the criticisms of Microsoft aren't without merit. There's definitely some truth to them.

1. https://www.proofpoint.com/us/partners/spectra-alliance

(comment deleted)
This monetization of leveraging your own software crap for (however unintentional) commercial gain shall too … continue.

Until we make software developer and/or corporation held liable for selling insecure commercial products.

Microsoft didn’t design and build these fundamentally flawed products as part of some grand plan to monetise the fixes later. They did it because at various times in the past they:

Didn’t understand servers, coming from a desktop world.

Didn’t understand multiuser environments.

Didn’t understand networking, in particular networking beyond the scale of a small workgroup, and certainly not the Internet.

I remember the early days of supporting both Linux and Microsoft, Linux quietly went about serving mail or whatever it was configured to do but Microsoft constantly needed rebooting or reinstalling and generally not doing. So Microsoft was famous and Linux was unknown. TBH I didn't read the article but the headline made me smile.