Microsoft and China
It looks like Chinese routers aren't the only things that come loaded with bonus software...
NBC news reports:
Microsoft's president told Congress on Thursday his company accepted responsibility for major security failures that let China-linked hackers penetrate federal government computer networks, but defended his company's presence in China.
Brad Smith struck a humble tone in his testimony before the House Homeland Security Committee and promised that the giant tech firm would fix security gaps in its products, which are widely used across federal agencies.
----------------------------------------------------
Somehow, I think it's so ironic that my own government is such a fan of security, yet, by enforced ignorance, the very things that they implement give only the illusion of security. No one knows if there's a backdoor or not, and who can verify?
Gone are the days when just a homebrew CRC16 digester, knowledge of the exact file length, and a list of files to check would tell me with almost absolute certainty if my system files had been monkeyed with. If so, which ones? And what did they do? (File compare: FC.EXE against known-good backup copies of the critical files stored on another floppy.)
"We acknowledge that we can and must do better"
https://edition.cnn.com/2024/06/13/tech/microsoft-president-congress-cybersecurity-failures/
Microsoft "accepts responsibility for each and every one" of the issues cited in a scathing US government-backed report on the tech giant's cybersecurity failings, Microsoft President Brad Smith will tell US lawmakers Thursday, according to his prepared testimony.
"We acknowledge that we can and must do better, and we apologize and express our deepest regrets to those who have been impacted," reads Smith's testimony to the House Homeland Security Committee. He is set to testify before the panel Thursday afternoon in a hearing the committee says will assess the impact of Microsoft's "cybersecurity shortfalls" on homeland security.
Microsoft has been at the center of two sweeping hacking campaigns in the last year allegedly carried out by Chinese and Russian spies.
A report issued in April by the US Cyber Safety Review Board found that Microsoft committed a "cascade" of "avoidable errors" that allowed Chinese hackers to breach the tech giant's network and later the email accounts of senior US officials last year, including the secretary of commerce. The board is comprised of government and private cybersecurity experts led by the Department of Homeland Security.
Smith says Microsoft has for months been overhauling its cybersecurity practices, in part by implementing recommendations from the US government-backed board.
A snippet from a Wired article:
"When Microsoft revealed in January that foreign government hackers had once again breached its systems, the news prompted another round of recriminations about the security posture of the world's largest tech company.
Despite the angst among policymakers, security experts, and competitors, Microsoft faced no consequences for its latest embarrassing failure. The United States government kept buying and using Microsoft products, and senior officials refused to publicly rebuke the tech giant. It was another reminder of how insulated Microsoft has become from virtually any government accountability, even as the Biden administration vows to make powerful tech firms take more responsibility for America's cyberdefense.
That state of affairs is unlikely to change even in the wake of a new report by the Cyber Safety Review Board (CSRB), a group of government and industry experts, which lambasts Microsoft for failing to prevent one of the worst hacking incidents in the company's recent history. The report says Microsoft's "security culture was inadequate and requires an overhaul.""
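The submitter's remark above recalls checking system files with a homebrew CRC16, exact file lengths and a list of files to compare. As an added example, not code from the story or from any commenter, here is a small Python file-integrity checker in that spirit: it records size, CRC-16/ARC and SHA-256 for each listed file in a manifest, then reports which files are missing or changed and which check caught it. The file names and contents are constructed sample data.

```python
"""Added example: a manifest-based file integrity checker.

Not code from the story or any commenter. Records length, CRC-16/ARC and
SHA-256 for a list of files, then reports what changed and which check saw it.
"""
import hashlib
import tempfile
from pathlib import Path


def crc16_arc(data: bytes) -> int:
    """CRC-16/ARC (poly 0x8005, reflected 0xA001, init 0), the classic 'CRC16'
    of DOS-era checksum tools. Check value: crc16_arc(b"123456789") == 0xBB3D."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def fingerprint(path: Path) -> dict:
    """Size, CRC16 and SHA-256 of one file, read fully into memory."""
    data = path.read_bytes()
    return {
        "size": len(data),
        "crc16": crc16_arc(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_manifest(root: Path, names) -> dict:
    """Known-good baseline: name -> fingerprint. Keep it off the host it
    describes (the 'other floppy' in the comment), or it is tamperable too."""
    return {name: fingerprint(root / name) for name in names}


def verify(root: Path, manifest: dict) -> dict:
    """Compare the current files against the manifest.

    Returns name -> list of checks that failed, e.g. ["crc16", "sha256"] for a
    same-length edit, ["size", "crc16", "sha256"] for an appended file, or
    ["missing"]. Files that match completely are omitted."""
    findings = {}
    for name, expected in manifest.items():
        path = root / name
        if not path.is_file():
            findings[name] = ["missing"]
            continue
        actual = fingerprint(path)
        failed = [check for check in ("size", "crc16", "sha256")
                  if actual[check] != expected[check]]
        if failed:
            findings[name] = failed
    return findings


def demo() -> dict:
    """Build a baseline from constructed files, tamper with some, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample "system files"; names and contents are illustrative.
        originals = {
            "KERNEL.SYS": b"A" * 64,
            "COMMAND.COM": b"cmd v1.0",
            "CONFIG.SYS": b"FILES=30\n",
            "AUTOEXEC.BAT": b"@ECHO OFF\n",
        }
        for name, content in originals.items():
            (root / name).write_bytes(content)
        manifest = build_manifest(root, originals)

        # Simulated changes: same-length byte edit, appended bytes, deletion.
        (root / "KERNEL.SYS").write_bytes(b"A" * 63 + b"B")
        (root / "COMMAND.COM").write_bytes(b"cmd v1.0 extra")
        (root / "CONFIG.SYS").unlink()
        # AUTOEXEC.BAT is left untouched and should not be reported.
        return verify(root, manifest)


if __name__ == "__main__":
    for name, failed in sorted(demo().items()):
        print(f"{name}: {', '.join(failed)}")
```

The CRC16 and the length are enough to notice accidental corruption or a careless edit, which is what the comment describes; a 16-bit checksum can be matched deliberately, so the SHA-256 column (or a keyed hash) is the part that makes the manifest useful against an adversary, and it only helps if the manifest itself is stored somewhere the host cannot rewrite.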
(Score: 5, Insightful) by Rosco P. Coltrane on Tuesday June 18 2024, @11:25PM (10 children)
One might argue that they single-handedly created the antivirus industry, and the malware-based economy wouldn't be the smashing success it is without Windows. And the bugfest is still very much on.
What would make US lawmakers believe that Microsoft is actually capable of following through with their promise to fix their security issues?
(Score: 0) by Anonymous Coward on Tuesday June 18 2024, @11:42PM (7 children)
If they're of the party of big business interests?
(Score: 4, Insightful) by bzipitidoo on Tuesday June 18 2024, @11:53PM (6 children)
What Cornyn said is one of MS's greatest strengths, this belief that commercial companies will be more responsible because they "have skin in the game".
For really messed up rationales, try the US military. They talk big on computer security, but they love that MS software so much they'll throw security to the wind for it. The bull they use to justify it is that MS is an American company while Linux is hacked on by people all over the world, some of whom could be hostile foreign agents. Never mind that MS employs programmers outside the US.
I gather that it's politically impossible for the US government to use LibreOffice, no, has to be MS Office.
(Score: 4, Interesting) by Runaway1956 on Wednesday June 19 2024, @01:03AM (5 children)
Bell Labs was an American operation. Congress and the Pentagon could go back to Unix, the starting point of all other OS's today, except Windows. With serious effort, they could rebuild Unix into a competitor for today's most modern OSs. To hell with Microsoft. Seriously, to hell with them. Linux, MacOS, and the BSDs demonstrate that anything that can be done on Windows, can be done on a *nix. Don't like Linux for some unfathomable reason? Just go back, and rebuild from scratch.
Oh, forgive me. That might mean doing real work. Imagine, having to employ tens of thousands of people to build a secure, reliable operating system for government use. That's just too much to ask of government. Better to throw truckloads of worthless fiat money at Microsoft, hoping that they can come through for you.
“I have become friends with many school shooters” - Tampon Tim Walz
(Score: 3, Insightful) by PiMuNu on Wednesday June 19 2024, @10:28AM
> That's just too much to ask of government.
There are a lot of IT infrastructures in the modern world that are fully privatised with little or no government oversight - from OS, to office products, to email provision, to web architecture. At the moment these are handled, at great cost to the public, by Microsoft, Google and others. To realise this in government would be a major ask - and likely require some cost (i.e. taxes).
Structurally, no elected government would ever take on a major investment like this because it can only result in lost votes (or at least it would take a very strong leader to explain the benefits vs the costs).
(Score: 3, Insightful) by hendrikboom on Wednesday June 19 2024, @04:12PM (3 children)
You are more likely to get a secure, reliable operating system with fewer than tens of thousands of people.
(Score: 1) by Runaway1956 on Wednesday June 19 2024, @07:31PM (2 children)
This is a government job. It's going to take 20 to 50 times the number of people, it's going to run decades late, and so far over budget the original estimates will be meaningless. Think "moonshot". But, on the plus side, all those people will be employed, even if not meaningfully.
“I have become friends with many school shooters” - Tampon Tim Walz
(Score: 2) by drussell on Thursday June 20 2024, @12:44AM (1 child)
Are you seriously suggesting that the US could have landed on the moon in the 1960s with only 8,000 - 20,000 people working on things related to the entire Apollo project?
Really?!!
It sounds like you're being absolutely absurd again. As usual. 🙄
(Score: 1) by Runaway1956 on Thursday June 20 2024, @02:51AM
Absurd, huh? You don't think the US government wastes every asset at its disposal?
“I have become friends with many school shooters” - Tampon Tim Walz
(Score: 4, Insightful) by Gaaark on Wednesday June 19 2024, @12:38AM (1 child)
They've admitted that it's their fault, now sue them for TCO: every time the Gov. had to pay someone/some group to fix a problem over the entirety of the Gov using Windows.
Sue them for all monetary outlays. Sue them for the Cost of purchasing Windows and Windows based software.
Sue Microsoft out of existence, then audit Gates, Ballmer, the new guy (I didn't care to learn his name)... audit them to Hell.
Do this, and it won't matter if they fix their security issues. Do this and switch to Linux. Put the Gov. into the same game as China is moving, instead of just sitting on the bench as a waterboy and getting bowled over by the Chinese playah's.
Same with Canada: sue MS Canada. If every country did this, then you'd have some basis for security.
Microsoft has just learned from Zuckerberg: apologize and move on, even if you have to do the same thing you just apologized for.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. I have always been here. ---Gaaark 2.0 --
(Score: 1, Insightful) by Anonymous Coward on Wednesday June 19 2024, @08:12PM
> Microsoft has just learned from Zuckerberg: apologize and move on ...
I think you have the order reversed: young jerk Zuck followed in the footsteps of young jerk Gates. Perhaps not coincidentally, both attended Harvard but didn't graduate.
(Score: 3, Insightful) by looorg on Tuesday June 18 2024, @11:40PM (4 children)
> his company accepted responsibility for major security failures ...
Monetary responsibility? Or some more generic no fault or binding apology? We sorry, we hope it won't happen again anytime soon. Now buy more things ...
(Score: 2) by Thexalon on Wednesday June 19 2024, @01:29AM
No, of course not. Nor criminal responsibility if anything like that occurred. When an executive says they "accept responsibility", they mean "find some underling who can't fight back, and fire them instead of me".
"Think of how stupid the average person is. Then realize half of 'em are stupider than that." - George Carlin
(Score: 3, Interesting) by aafcac on Wednesday June 19 2024, @01:48AM
When it comes to corporations, is there any other kind? The thing though is that it's unclear what they can do about the situation at this point. Windows has decades' worth of software that runs on it and has certain expectations. There's stuff like the registry that was never a good idea, but that we're stuck with for the time being. Even user accounts are rather ill-conceived as implemented in the OS.
Is it even possible to sandbox all the programs that are installed without massive changes to the architecture that would require the 3rd party software to be updated for it?
(Score: 4, Informative) by ChrisMaple on Wednesday June 19 2024, @04:00AM
If MS isn't paying for the damage it's done, it's not accepting responsibility.
(Score: 3, Insightful) by mcgrew on Wednesday June 19 2024, @09:39PM
It sounds like Boeing's president, who said those exact same words accepting blame for Boeing's failures. He didn't go to prison for negligent homicide or manslaughter for those hundreds of people his negligence killed in those two crashes.
So Microsoft isn't worried, why should it be? And this isn't their first dance with the feds.
Impeach Donald Palpatine and his sidekick Elon Vader
(Score: 1, Funny) by Anonymous Coward on Wednesday June 19 2024, @05:36AM
Oh, I must have been asleep for many years.
Last time I heard on the matter, the mantra was "govt are imbecile parasites and the industry knows better".
What happened in between?
(Score: 0) by Anonymous Coward on Wednesday June 19 2024, @01:15PM (1 child)
I just picked up a client in the healthcare space that was managed by an incompetent point-and-click MSP. They got breached, lost a bunch of data, and were down for about a week.
It's awesome that Microsoft is taking responsibility for it.
Where do I send the bill?
(Score: 1, Funny) by Anonymous Coward on Wednesday June 19 2024, @08:15PM
> Where do I send the bill?
To Bill, of course!
Plenty of money in the Gates Foundation, eh?
(thanks for the setup...)