Microsoft, Proprietary Failures, and Windows TCO
-
Shortening the Let's Encrypt Chain of Trust
When Let’s Encrypt first launched, we needed to ensure that our certificates were widely trusted. To that end, we arranged to have our intermediate certificates cross-signed by IdenTrust’s DST Root CA X3. This meant that all certificates issued by those intermediates would be trusted, even while our own ISRG Root X1 wasn’t yet. During subsequent years, our Root X1 became widely trusted on its own.
Come late 2021, our cross-signed intermediates and DST Root CA X3 itself were expiring. And while all up-to-date browsers at that time trusted our root, over a third of Android devices were still running old versions of the OS which would suddenly stop trusting websites using our certificates. That breakage would have been too widespread, so we arranged for a new cross-sign – this time directly onto our root rather than our intermediates – which would outlive DST Root CA X3 itself. This stopgap allowed those old Android devices to continue trusting our certificates for three more years.
On September 30th, 2024, that cross-sign too will expire.
-
Are Microsoft Layoffs Bad News for Investors? [Ed: Truly absurd, obtuse, and offensive question, from a Microsoft site (Motley)]
Tech company Microsoft (MSFT 1.65%) initiated a round of layoffs on Monday, just after the company's new fiscal year started. The news is interesting following a surge in the prices of many tech stocks, evidenced by the tech-heavy Nasdaq Composite's 31% year to date gain. Microsoft's gains have been even stronger, with shares rising an incredible 39%. Could Microsoft's latest round of layoffs suggest that hype in the sector has gone too far?
-
Another 250+ layoffs at Microsoft as company starts new fiscal year [Ed: This title is misleading. This sum refers to only 2 cities.]
In yet another round of cost-cutting, Microsoft laid off 276 employees Monday evening as the company enters a new fiscal year.
-
Why government websites and online services are so bad
Today on the show, a conversation with Jennifer Pahlka about her new book Recoding America and lessons learned from California's broken unemployment system.
-
Microsoft Warns of Office Zero-Day Attacks, No Patch Available
In an unusual move, Microsoft documented “a series of remote code execution vulnerabilities” impacting Windows and Office users and confirmed it was investigating multiple reports of targeted code execution attacks using Microsoft Office documents.
Redmond’s security response pros tagged the unpatched Office flaws with the CVE-2023-36884 identifier and hinted that an out-of-band patch may be released before next month’s Patch Tuesday.
-
The Spies Who Loved You: Infected USB Drives to Steal Secrets
In the first half of 2023, Mandiant Managed Defense has observed a threefold increase in the number of attacks using infected USB drives to steal secrets. Mandiant tracked all of the cases and found that the majority of the incidents could be attributed to several active USB-based operation campaigns affecting both the public and private sectors globally.
-
Miscreants exploit five Microsoft bugs as Windows giant addresses 130 flaws
Crucially, there is no patch yet for CVE-2023-36884, and one may be provided via an emergency update or future scheduled Patch Tuesday, we're told. Microsoft went public early with some details of the flaw because a Russian crew, dubbed Storm-0978, apparently used the vulnerability to target attendees of the ongoing NATO summit in Lithuania on Russia's invasion of Ukraine.
Storm-0978, also known as RomCom and DEV-0978, is known to carry out opportunistic ransomware campaigns – infecting vulnerable organizations as the crooks find them – as well as prey upon specific targets to harvest their access credentials for Russian intelligence, according to Microsoft. Along with government IT systems, Storm-0978 has also allegedly attacked telecom and finance organizations in Europe and the US.
-
Chinese [crackers] gained access to government email accounts, Microsoft says
Microsoft said that in all, about 25 organizations, including government agencies, had been compromised by the [cracking] group, which used forged authentication tokens to get access to individual email accounts. Hackers had access to at least some of the accounts for a month before the breach was detected, Microsoft said. It did not identify the organizations and agencies affected.
-
Chinese hackers raided US government email accounts by exploiting Microsoft cloud bug
Chinese hackers exploited a flaw in Microsoft’s cloud email service to gain access to the email accounts of U.S. government employees, the technology giant has confirmed.
The hacking group, tracked as Storm-0558, compromised approximately 25 email accounts, including government agencies, as well as related consumer accounts linked to individuals associated with these organizations, according to Microsoft. “Storm” is a nickname used by Microsoft to track hacking groups that are new, emerging or “in development.”
-
[Repeat] Microsoft hit with new round of layoffs, months after eliminating 10,000 jobs
Microsoft later confirmed it to GeekWire, but declined to provide the scope of the job cuts.
-
[Repeat] Microsoft to lay off more employees months after letting 10,000 workers go
A Microsoft spokesperson declined to specify the number of cuts in the latest round. In January, CEO Satya Nadella issued a memo, indicating the company would change its hardware lineup and consolidate leases.
-
[Repeat] Microsoft's 10,000 job cuts didn't quite do the trick
Anecdotally, The Reg noticed Microsoft workers all over the world posting #OpenToWork status notices on LinkedIn within the last few hours from various other US states including Arizona, Texas, Florida, Philadelphia, Illinois, and Michigan, as well as places as far afield as Canada and Denmark. Most appear to be in sales, support, and customer roles.
-
Microsoft Federal President Rick Wagner steps down
According to his LinkedIn profile, Wagner has led Microsoft’s government technology operation since March 2020, and before that was president of ManTech’s mission, cyber and intelligence solutions group.
-
Internet registry APNIC announces governance and election reforms
APNIC’s structure has seen its director general serve as its sole legal director, and also as trustee of the only share in APNIC Pty Ltd. The director general has been unable to do anything with the share without the approval of the org's Executive Council (EC) – an elected body with the status of a board even if its members are not formally directors.
The changes mean EC members will become actual directors of APNIC Pty Ltd. A new not-for-profit company, called APNIC EC Limited, has been established to hold the single share in APNIC Pty Ltd in trust for the APNIC EC. The principle that nothing can be done with the share without the approval of the elected EC remains in place. EC members will be the directors and members of APNIC EC Limited.
-
i think microsoft windows security is kind of a joke honestly
s…so. wh…what’s there to stop me from…not having that condition? and blocking every keystroke across the entire system? what’s there to stop me from logging every keystroke even while my application is in the background?
good news! nothing at all. i just tried it. you can use this code to very easily make a keylogger or keyboard disabler for your local windows machine. yes, it logs password fields, of course. and, conveniently, windows applications don’t need to create a visible window! they can just hang out in the background as a little row in the tasque manager.