Microsoft

Microsoft's very bad year for security: A timeline

Filed under
Microsoft
Security

So far, 2021 has proved to be somewhat of a security annus horribilis for tech giant Microsoft, with numerous vulnerabilities impacting several of its leading services, including Active Directory, Exchange, and Azure. Microsoft is no stranger to being targeted by attackers seeking to exploit known and zero-day vulnerabilities, but the rate and scale of the incidents it has faced since early March have put the tech giant on its back foot for at least a moment or two.

What follows is a timeline of the significant security events that have afflicted Microsoft in 2021, why it remains susceptible to serious vulnerabilities and attacks, and an assessment of its response according to experts from across the cybersecurity sector.

Former Microsoft Security Analyst Claims Office 365 Knowingly Hosted Malware For Years

Filed under
Microsoft
Security

Malware on Windows devices has become a real problem in the last few years, specifically with a recent uptick in ransomware. It appears that Microsoft has been trying to combat this issue, though, with updates to Microsoft Defender, so it has more teeth than ever before. However, what if Microsoft is part of the problem too?

On Friday, cybersecurity researcher TheAnalyst explained on Twitter how BazarLoader malware leads to ransomware that can severely affect healthcare, among other industries. He then called out Microsoft, asking if the company has “any responsibility in this when they KNOWINGLY are hosting hundreds of files leading to this,” alongside an image of what appears to be malicious files being hosted in OneDrive.

Microsoft Bailouts From the US Army Budget

Filed under
Microsoft
  • US Army slows ~$20bn project to put Microsoft's HoloLens VR headsets into the field [Ed: President Biden has already bailed out Microsoft to the tune of 22 billion dollars for something that's basically dead; Microsoft sacked all staff of HoloLens; this is worse than grifting as it's akin to Microsoft theft from taxpayers (Trump did the same with "JEDI"; latest below)]

    The US Army has delayed a massive rollout of Microsoft's HoloLens virtual reality headsets.

  • [Older] Looks like NSA now stands for Not Selecting Azure: US spy agency picks AWS over Microsoft
  • Supreme Court declines to hear Oracle's challenge to JEDI • The Register

    The US Supreme Court has brushed off Oracle’s complaint that it wasn't awarded the Pentagon's $10bn winner-takes-all Joint Enterprise Defense Infrastructure (JEDI) cloud contract.

    [...]

    Still, Big Red refused to give up. It appealed its case all the way to the Supreme Court. The US government told the justices the case ought to be rejected given that Oracle wouldn’t have won the contract anyway. The ongoing legal spats, however, were made pointless when the Pentagon scrapped JEDI in July.

    Despite this, Oracle still thought the case was worth pursuing considering the DoD had replaced the cloud project with the new “Joint Warfighter Cloud Capability (JWCC)” contract. The JWCC deal has been limited to AWS and Microsoft only. We note that Oracle says it does more than $28bn a year in cloud revenues.

Free Software Foundation claims Windows 11 will reduce user freedom

Filed under
GNU
Microsoft

The Free Software Foundation has described Windows 11, the new avatar of Microsoft's desktop operating system that was launched on 6 October, as taking "important steps in the wrong direction when it comes to user freedom".

In a blog post, the organisation's campaigns manager Greg Farough said Windows 11 did nothing to mitigate "Windows' long history of depriving users of freedom and digital autonomy".

The FSF was set up by former MIT employee Richard Stallman to try and develop an operating system and other utilities that would not impinge on the freedom of users. The word "free" refers not to the price, but the ability to change and share the software as one wishes.

Farough said Microsoft was "intentionally choosing to create an unjust power structure, in which a developer knowingly keeps users powerless and dependent by withholding information".

Proprietary Web and Vista 11 Performance Catastrophe

Filed under
Microsoft
Web
  • Client-side content scanning as an unworkable, insecure disaster for democracy • The Register

    Fourteen of the world's leading computer security and cryptography experts have released a paper arguing against the use of client-side scanning because it creates security and privacy risks.

    Client-side scanning (CSS, not to be confused with Cascading Style Sheets) involves analyzing data on a mobile device or personal computer prior to the application of encryption for secure network transit or remote storage. CSS in theory provides a way to look for unlawful content while also allowing data to be protected off-device.

    Apple in August proposed a CSS system by which it would analyze photos destined for iCloud backup on customers' devices to look for child sexual abuse material (CSAM), only to backtrack in the face of objections from the security community and many advocacy organizations.

    The paper [PDF], "Bugs in our Pockets: The Risks of Client-Side Scanning," elaborates on the concerns raised immediately following Apple's CSAM scanning announcement with an extensive analysis of the technology.

  • Vivaldi Adblock is mostly Adblock Plus and ublock-origin.

    The Vivaldi browser has a built-in ad blocker.

    However, the company hasn’t been extremely forthcoming about how it works.

    However, it seems to accept any list in adblock plus format, and Vivaldi seems to have implemented Webkit Content Blockers as well.

    Vivaldi includes a list called “DuckDuckGo Tracker Radar”, which leads to what seems to be a Webkit Content Blocker format list mirrored by Vivaldi.

    In my testing, the DuckDuckGo Tracker Radar seems to largely duplicate what Fanboy’s Ultimate List already had in it.

    While Fanboy’s Ultimate List is not in Vivaldi by default, you can add it by going to Vivaldi Menu/Settings/Privacy, and then select “Block Trackers and Ads”, and then I would suggest de-selecting everything in both columns that Vivaldi defaults to having on, then clicking + under Ad Blocking Sources, then adding https://www.fanboy.co.nz/r/fanboy-ultimate.txt and then Import. It should tell you it brought in a bunch of ad blocking rules.

  • This week's Windows 11 patch didn't fix AMD performance woes • The Register

    Windows 11 received its first bundle of fixes this week, but AMD users hoping for respite from performance issues that have dogged their PCs were to be disappointed. In fact, for some, performance might have actually got a bit worse.

    It wasn't the news AMD fangirls and fanboys were hoping for. After AMD noted performance issues with Microsoft's latest operating system, a fix had been expected to drop during October. Alas, that fix didn't turn up in this week's first Cumulative Update for the GA code. In fact, according to hardware site TechPowerUp, things might have even deteriorated.

  • Microsoft’s first Windows “11” update addresses AMD CPU scheduling problems. Ends up making them worse. – BaronHK's Rants

    Microsoft released their first “Windows 11” update.

    It was deployed to try to correct the AMD CPU problems that Windows “11” created on Ryzen, which tripled L3 CPU cache latency and slowed the processor down by an average of 15%.

    The update ended up making the problem worse. Doubling the cache latency from where it already was at launch.

    “Early adopters” of Microsoft’s latest broken operating system are seeing much worse performance than they were on Windows 10, even on the Intel side, as Microsoft’s “virtualization based security” was already wreaking havoc on video game performance.

  • The "What If" Performance Cost To Kernel Page Table Isolation On AMD CPUs - Phoronix

    Made public this week by CPU security researchers at Graz University of Technology and CISPA Helmholtz Center for Information Security was the research paper published "AMD Prefetch Attacks through Power and Time". The paper points to AMD CPUs suffering from a side-channel leakage vulnerability through timing and power variations of the PREFETCH instruction. The paper argues that AMD CPUs should activate stronger page table isolation by default. AMD has now published their security response where they are not recommending any mitigation changes at this time. But what if Kernel Page Table Isolation (KPTI/PTI) proves necessary for AMD CPUs? Here are some initial benchmarks showing what that performance impact could look like.

Microsoft and CNET confuse users with fake “This PC can’t run Windows 11” errors. Suggest buying a completely new computer.

Filed under
GNU
Linux
Microsoft

Mostly, if your machine doesn’t have “Security Theater Boot” and the “Toilet Paper Module” (I jest.) available to be turned on, you need to buy another computer.

Except that you don’t. You could format Windows off your computer entirely and go on happily using GNU/Linux for many more years without fake incompatibility messages from your pals at Microsoft and Intel, where sales have been in the dumps and they need fake error messages to drive new sales.

Best Free and Open Source Alternatives to Microsoft Office

Filed under
Microsoft
OSS

This series looks at the best free and open source alternatives to products and services offered by Microsoft. This article focuses on the best free and open source alternatives to Microsoft Office.

What are the best open source alternatives to Office 365? This article focuses on replacements for only some of the components of Office 365. We’ll explore other components in later articles in this series.

Openwashing of Proprietary Traps

Filed under
Microsoft
  • Broadband Forum Launches Latest Open Source Project to Bring Full Benefits of 5G to Fixed-line Services | Business Wire

    The goal of a new Broadband Forum project, Open Broadband – WWC Reference Implementation for 5G-RG (OB-5WWC) is for vendors and operators to bring products to market in a shorter timeframe and enjoy reduced development times and cycles. The Open Source project will bring the full benefits of the 5G ecosystem to fixed-line services and offer a full end-to-end solution to operators.

  • .NET Foundation boss apologizes for pull request that sparked community row

    We covered Littles earlier this week, noting that after he ran for the board on a platform of making it more responsive to developers' needs – rather than Microsoft's. He later quit because, according to a post, "I didn't have the energy to put into an organization that doesn't share my views and stance on what I think the community needs, Sustainable Open Source Software."

    [...]

    The first comment on the apology described it as "a total non-apology" – a sentiment repeated in other comments. The conversation also features some discussion of how to withdraw projects from the foundation.

    The Register suspects the foundation may soon need some new volunteers. Brave new volunteers

  • Microsoft's .NET Foundation under fire as resigning board member questions its role
    [Ed: Microsoft Tim weighs in as well. It's him who helped Microsoft hijack Linux (exporting it to GitHub).]
  • Questions Raised About .NET Foundation

    Littles was elected and took on the role of chair for the Technical Steering Group, hoping to be able to achieve some progress towards Open Source sustainability. However, when he realized that his efforts were futile he resigned from the .NET Foundation board ahead of the 2021 elections which took place in August. He hadn't intended to draw attention to this, but changed his mind when the announcement of the election results reported on his resignation.

Proprietary Leftovers (Mostly Microsoft)

Filed under
Microsoft
  • US Rolls Out New Cybersecurity Requirements for Rail, Air [iophk: Windows TCO]

    Homeland Security Secretary Alejandro Mayorkas announced the measures Tuesday at a virtual cybersecurity conference, warning that recent incidents such as the SolarWinds [crack] and the Colonial Pipeline ransomware attack showed that "what is at stake is not simply the way we communicate or the way we work, but the way we live."

    The new security directives target what the Department of Homeland Security and the Transportation Security Administration describe as "higher risk" rail companies, "critical" airport operators, and air passenger and air cargo companies.

  • Bill requiring companies report cyber incidents moves forward in the Senate [iophk: Windows TCO]

    The bill would require owners and operators of critical infrastructure groups to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. It would also require critical infrastructure groups, nonprofits and most medium to large businesses to report making ransomware attack payments within 24 hours.

  • TSA to issue regulations to secure rail, aviation groups against cyber threats [iophk: Windows TCO]

    According to Mayorkas, the directive will require these groups to “identify a cybersecurity point person” charged with reporting cybersecurity incidents to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), along with establishing “contingency and recovery plans” in the case of cyberattacks.

  • U.S. to tell critical rail, air companies to report [breaches], name cyber chiefs [iophk: Windows TCO]

    The upcoming changes will make it mandatory for “higher-risk” rail transit companies and “critical” U.S. airport and aircraft operators to do three things: name a chief cyber official, disclose [breaches] to the government and draft recovery plans for if an attack were to occur.

  • The Gates Foundation Avoids a Reckoning on Race and Power

    Over the last year, Doctors Without Borders has faced a major scandal, as more than 1,000 current and former employees signed on to a letter accusing the Nobel Peace Prize-winning humanitarian organization of institutional racism, citing a colonial mentality in how the group’s European managers view the developing world.

    Such an allegation would be serious in any field, but it deserves another level of scrutiny in the context of global health and humanitarianism, two fields built on a paternalistic premise: rich white people from wealthy nations setting themselves up as saviors of poor people of color. The assumptions embedded in this model have provoked increasingly popular calls to “decolonize” the sector, and many organizations have responded by invoking social justice rhetoric, claiming, for instance, that their work intersects with the Black Lives Matter movement.

  • Canopy Parental Control App Wide Open to Unpatched XSS Bugs

    The vulnerability arises because the system is failing to sanitize user inputs. The input field allows 50 characters, Young found, “which was plenty to source an external script.”

    He said there are multiple ways to exploit the issue.
