25 comments

[ 2.1 ms ] story [ 67.8 ms ] thread
ok, security matters.

recoverability also matters.

guess how i probably prevented a death?

i recovered an email account.

a womans entire livelihood was locked up until she correctly entered the email, and subject of a number of sent items.

nobody had copies, i had to grok the email logs [crypted] on her computer. then decrypt until i had what m$ wanted.

so SN and m$ teams, please step back and moderate to prevent destroying peoples lives, for the sake of the best security

"If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security. In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems."

Can someone explain the implications of this decision ?

Security reviews will probably be more expensive and extensive part of the release process internally, lots of deprecating old tech that no one maintains likely, more consolidation into new tech as a given.

Don't be surprised about some of your favorite software being EOL in 2025.

Life will be a bit harder for engineers who work at Microsoft mainly due to security theater in some organizations, and others out of necessity.

All assumptions though.

I bet not shoving ads into your OS is probably a really nice security first approach. Think they'll remove those? HA!
In my fantasy world, they would rethink and rearchitect their software stack so that it is secure by default. And when you want to relax some security setting there is auditable approval process.

In reality I am not holding my breath. Microsoft equals zero security in my mind.

"Software stack" is doing a lot of work there. Are you shaking a stick at Microsoft's entire product offering?

Microsoft deserves criticism, but not all of the criticism it gets.

This is a long comment already, so I'll only touch on windows itself.

Going back in time, the whole "Internet security" thing was not an issue that the sector perceived until there was already a huge install base. Longhorn reveals the intent to sort out the security issues. It''s harsh to judge XP for being vulnerable to the explosion of the Internet and the proliferation of new vectors, without also recognising the improvements that the next iteration brought.

Vista shipped with:

- firewall on and default-deny inbound - privilege separation by default - remote shell and rdp disabled - default SMB shares requiring admin - tray notifications of insecure settings with buttons to restore secure settings - trust zones - aslr - driver signing requirements

This was roughly commensurate with OSX at the time.

Auditing and template-based secpol was in NT; Windows logging out-of-the-box is comparable to Fedora or Ubuntu. Windows logging is approximately feature-equivalent to rsyslog.

Windows is the OS for users who don't know shit, and that creates a burden of default services. Their surface area to support is necessarily larger than in your favourite distro. It's disingenuous to ignore that in an analysis. PWASAUL (people who are smug about using linux) have to ignore that to protect their opinion. Let's be better.

Example: the print spooler on windows is exploitable. That's clearly a vuln from a code error. IMO, any argument that it's _also an insecure default_ is trumped by the requirement for network printing to work for Evelyn, 62, with her crappy Canon. Criticism for the vuln is valid; criticism for the default service is less so, and that's what I'm addressing in this comment.

Lateral movement is possible in any network, but not a gimme in a windows network. You can't just telnet from box to box any more; you have to find unpatched vulns, same as with other OSes. Hopefully, heartbleed has demonstrated that "Linux and yolo" is not a security posture.

You could argue either way whether sshd or rpc is a bigger attack surface. Hardening ssh is not a box-tick if you still need to use it to manage services; there's work to do, and it's not clear to me that it beats the effectiveness of the same amount of effort spent hardening a windows network. A minimal AD build is very granular about who can do what.

Example: local admins are unprivileged over the network, which is equivalent to denying sudo over SSH for pam users. You have to implement that yourself on Linux.

Example: agent forwarding is allowed by default in sshd in Ubuntu, IIRC, but double-hop is disabled by default in a windows network. Those features are not the same, but I take it as a more secure default on windows than linux.

To put Microsoft's security sins into perspective:

- I have a bank account that asks for my mother's maiden name - there are countries where it's possible to steal property by convincing the land registry that you bought it - retail services on my country mostly do "two-factor" by email or SMS

Microsoft is way better than most companies.

They should be better still, but let's not conflate then with Experian, or Lastpass, or Sony. Those guys were playing on easy mode and got shown up. Microsoft has complexity that few companies face. Amazon and Google may do better, but they have second-mover advantage.

Yes. 99% of their offering is IED.
My assumptions would be:

They will release fewer new features, products and software.

They will EOL 'legacy' software/products earlier, and maybe even break backwards compatibility, if they think it may be a too large security risk.

Working at Microsoft will be less about 'innovation' and more about 'maintenance'.

Internal processes will be put in place to be ignored.

Security PR puff pieces will be placed everywhere.

Sales people will promise it has been solved.

Profit will go up

> Secure by Default: Security protections are enabled and enforced by default, require no extra effort, and are not optional.

This is great! I take it we no longer have to pay extra to enable basic auditability features in Entra ID (f.k.a. Azure AD)?

And if the tradeoff is profitability vs. security:

> If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security.

Excellent!

No mention of how 22 years ago Bill Gates wrote a memo launching Microsoft's "Trustworthy Computing" initiative:

> Our new design approaches need to dramatically reduce the number of such issues that come up in the software that Microsoft, its partners and its customers create. We need to make it automatic for customers to get the benefits of these fixes. Eventually, our software should be so fundamentally secure that customers never even worry about it. ...

> So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve.

See https://web.archive.org/web/20150626172158/http://archive.wi... for the full memo.

Longhorn was a complete rewrite. That memo served its purpose.
It depends on what the purpose was. If it was to increase Windows market presence, which was suffering from security issues, then sure.

If it was to make the software "so fundamentally secure that customers never even worry about it" then no, it didn't.

Doesn’t matter unless they follow through with this and are willing to give up revenue to do security. MSFT always puts this garbage out to safe face, but the organization always reverts to speed and money over anything else.

Untrustworthy. It’s wild how enterprises have overlooked the rampant problems at MSFT for decades.

That's not unique to Microsoft. It's a problem of the economic system. The only thing that's valued is how much money can be extracted by executives and shareholders.

Good security, quality products, and employee well being don't matter as long as the stock goes up. Experience has shown that having poor security practices doesn't affect companies' stock price negatively so why would they spend money to have better security? Is the US government going to stop using Microsoft 365? Nope. Is there an alternative where security is actually valued? Nope.

The solution is not a single executive at a single company sending out a memo full of platitudes but a change to the economic system such that product quality is valued over how much value can be extracted and sent to parasitic shareholders.

This doesn't seem true, reputation, status, credibility, etc., clearly have some nonzero value?

If anything, competitive people looking to climb the social ladder tend to be even more viscious when it comes to status games than the Gordon Geckos of the world.

> reputation, status, credibility, etc., clearly have some nonzero value?

Yes, the stock price. As long as number goes up, everything is fine.

Is this supposed to be ironic?

My point is that people clearly value things beyond the 'number that goes up', often to an even more intense degree.

People do, yes. But corporate executives and shareholders are not people and fundamentally do not have the capacity to care what "people" think or value.

The decision makers want the number to go up, and they want it to go up now, not ten years from now.

There's a very good reason that all of the biggest companies are eating themselves from the inside out right now. Making the number go up right now is far, far more valuable than making sure it stays up after they get their bonus.

Money for sure, but I don't think of Microsoft a moving relatively fast - at least by tech standards.
A noble goal, but isn't it at odds with their policy of backwards compatibility?
(comment deleted)
Security first or revenue first?

One clue of depth of actual priorities will be how they bundle security features beyond just the Office/Exchange365 auditing they got in trouble for that allowed the State Department to detect Microsoft had been compromised (https://arstechnica.com/information-technology/2024/04/micro...)

To pick one long-standing consumer OS security feature that Microsoft charges extra for today… when is Microsoft moving its full disk encryption (bitlocker) into every version of its OS for no extra charge?

Checking Bing Copilot LLM for examples of other such features is left as an exercise for the reader. My prompting skills weren’t as good as my wetware neural network on that score.