Microsoft "doubling down" on cybersecurity (axios.com)
19 points by croes 12 days ago | 25 comments

Microsoft should just double down again on the doubling down. That would be twice as good and really start to make some headway I figure. Maybe as good squared, I'm not a C-level exec so I confess I don't fully understand the math on this.

Over the years Microsoft has doubled down at least ten times. Over 1024 times as much effort. Results? Idk.

I’ve heard this means: teams get several months to work on just security. A lot of the work is cleaning up internal tools, secrets in deployment pipelines, that kind of work.

Is that the same Microsoft that thinks it’s okay that the whole company gets owned when an admin logs onto a single compromised computer via RDP?

It is not exactly the same Microsoft since Nadella became CEO. He deserves trust.

Nadella has been the CEO of Microsoft for more than 10 years.

In the last year there have been multiple huge security breaches at Microsoft. And it's not just that there were bugs. It's that these cases showed a shocking negligence in security systems and processes, and no defense in depth.

So why exactly does Nadella deserve any trust on security? All of this happened on his watch. And like, it's not even a close call where he could plausibly blame his predecessors. He had a decade to get his house in order, and appears to have done nothing at all. If anything, it's the opposite: his words are empty and can't be trusted, until they actually deliver.


Nadella was a long time Microsoft insider before he became CEO. Under him Microsoft started putting ads in Windows, featuring their AI features unfairly above competitors, bundling Teams with Office, and more. He may come off as being a quiet person but he used the same old playbook all monopolists have.

And as for cybersecurity - MS is now forcing AI agents to run on your machine in the background. That undermines everyone’s privacy and security.


Ok, let's go with the discussion:

- Microsoft is one of the top conglomerates and has a lot of issues which are common at that size of the organization while delivering incredible revenue results.

- I completely agree with you that we can make a list of Microsoft's completely unfair practices. One of my companies is fully dedicated to Microsoft Windows System Programming/Internals and I am personally not using Windows "anymore" since I cannot (be 100% sure) disable telemetry and all those scammy bloatware.

- Having said all that, I have inside information about the first cybersecurity approach from Microsoft's Bill Gates time and it was real. Following that thing, today cybersecurity IS geopolitics so you cannot play the wrong game.


A key difference with Nadella is that as CEO he's earned credibility with the board, investors, analysts and many employees. Arguably, this should give him greater leeway to adopt strategies which may yield less immediate revenue (such as increasing investment in security) with the justification that it will pay off in the longer run.

There’s a blog post from this year that states how this isn’t an issue: https://devblogs.microsoft.com/oldnewthing/20240213-00/?p=10...

Microsoft doesn’t care about any principle beyond money. You can see this in their anticompetitive practices on browsers or AI or “secure computing” or Teams or whatever else. The government should move away from them entirely like some others have, and spend their money funding competing startups or on open source.

They can fix the mess by fixing their politics-driven culture. There are some really great technologists there but they are held up by politics.

I don’t really think that’s possible in an organization that size. People don’t really care about organizational outcomes any more but rather aim for personal outcomes.

Uh, forget it. If even MS can't set their own proper GPOs...

Maybe they should rebase their OS with seL4, a capabilities system and isolated NT+Win32 subsystems on top per application. It should require a current-ish computer to run that, but the resources would be properly spent.

A jail + own FS + subsystem would be taxing over four or five applications open, but documents and software would stay in their own jails. Interop à la COM/OLE? Forget that, the data sharing protocols would be far more restrictive. If any, a noexec subvolume with OLE objects saved as files. Nothing like D-Bus or message passing. The user would see a directory with the objects from the clipboard per application. And to be shareable between applications, the user must drop the object in a directory with shared objects explicitly.


Windows contains container (Hyper-V) and application isolation capabilities today in Windows Server [0] and sandboxing for Windows client [1].

> Interop à la COM/OLE? Forget that, the data sharing protocols would be far more restrictive

This would be unacceptable to any business. COM/OLE is absolutely critical for cross-application functionality, especially for Office.

[0] https://learn.microsoft.com/en-us/virtualization/windowscont...

[1] https://learn.microsoft.com/en-us/windows/security/applicati...


Great, where is the audit demonstrating it achieves those goals?

Here is the security certification page for Windows Server [1]. They achieved EAL1+ which is: "applicable where some confidence in correct operation is required, but the threats to security are not viewed as serious" [2].

Stating your dreams is not the same as achieving them. Please point to actual evidence that their dreams have been reached. And no, "battle-tested" and "no new bugs have been discovered yet" and "you can not prove it is bad" are not evidence; it needs to be actual positive evidence of quality, not the absence of evidence of defects.

[1] https://learn.microsoft.com/en-us/windows/security/security-...

[2] https://www.commoncriteriaportal.org/files/ccfiles/CC2022PAR...


>unacceptable to any business

Either be secure, or get ransomware on a weekly basis, plummeting any profit. Their choice.


Can't improve upon ClickOps as a pervasive operating principle; Nadella's pull quote in the title throws in the assumption that everyone touching Microsoft security will be clicking twice as much now.

Microsoft products are a national security threat. They need to be disqualified for taking project bids nationwide.

Why?

Microsoft, #1 source of classified Pentagon documents leaks :)

But you gotta save your portfolio, so, let's defend them, yet again, go $MSFT!


Ha ha ha ha ha. That’s a good one.

Lol

so will they have more plans that businesses will be able to pay for in ms365 and azure that will be security related? /s

Bollocks. It is plain that Microsoft only cares about the stock price rising on a promise rather than delivering gains for their customers. They'll only say this while there is attention on it.

I am having trouble naming one change they have delivered since Nadella came along that isn't user hostile or a net loss for security in some way.
