Today's links

• You should be using an RSS reader: The one thing you can choose to do that will make your internet life better and make the internet better for everyone else, too.
• Hey look at this: Delights to delectate.
• This day in history: 2004, 2009, 2014, 2019, 2023
• Upcoming appearances: Where to find me.
• Recent appearances: Where I've been.
• Latest books: You keep readin' em, I'll keep writin' 'em.
• Upcoming books: Like I said, I'll keep writin' 'em.
• Colophon: All the rest.

You should be using an RSS reader (permalink)

No matter how hard we all wish it were otherwise, the sad fact is that there aren't really individual solutions to systemic problems. For example: your personal diligence in recycling will have no meaningful impact on the climate emergency.

I get it. People write to me all the time, they say, "What can I change about my life to fight enshittification, or, at the very least, to reduce the amount of enshittification that I, personally, experience?"

It's frustrating, but my general answer is, "Join a movement. Get involved with a union, with EFF, with the FSF. Tell your Congressional candidate to defend Lina Khan from billionaire Dem donors who want her fired. Do something systemic."

There's very little you can do as a consumer. You're not going to shop your way out of monopoly capitalism. Now that Amazon has destroyed most of the brick-and-mortar and digital stores out of business, boycotting Amazon often just means doing without. The collective action problem of leaving Twitter or Facebook is so insurmountable that you end up stuck there, with a bunch of people you love and rely on, who all love each other, all hate the platform, but can't agree on a day and time to leave or a destination to leave for and so end up stuck there.

I've been experiencing some challenging stuff in my personal life lately and yesterday, I just found myself unable to deal with my usual podcast fare so I tuned into the videos from the very last XOXO, in search of uplifting fare:

https://www.youtube.com/@xoxofest

I found it. Talks by Dan Olson, Cabel Sasser, Ed Yong and many others, especially Molly White:

https://www.youtube.com/watch?v=MTaeVVAvk-c

Molly's talk was so, so good, but when I got to her call to action, I found myself pulling a bit of a face:

But the platforms do not exist without the people, and there are a lot more of us than there are of them. The platforms have installed themselves in a position of power, but they are also vulnerable…

Are the platforms really that vulnerable? The collective action problem is so hard, the switching costs are so high – maybe the fact that "there's a lot more of us than there are of them" is a bug, not a feature. The more of us there are, the thornier our collective action problem and the higher the switching costs, after all.

And then I had a realization: the conduit through which I experience Molly's excellent work is totally enshittification-proof, and the more I use it, the easier it is for everyone to be less enshittified.

This conduit is anti-lock-in, it works for nearly the whole internet. It is surveillance-resistant, far more accessible than the web or any mobile app interface. It is my secret super-power.

It's RSS.

RSS (one of those ancient internet acronyms with multiple definitions, including, but not limited to, "Really Simple Syndication") is an invisible, automatic way for internet-connected systems to public "feeds." For example, rather than reloading the Wired homepage every day and trying to figure out which stories are new (their layout makes this very hard to do!), you can just sign up for Wired's RSS feed, and use an RSS reader to monitor the site and preview new stories the moment they're published. Wired pushes about 600 words from each article into that feed, stripped of the usual stuff that makes Wired nearly impossible to read: no 20-second delay subscription pop-up, text in a font and size of your choosing. You can follow Wired's feed without any cookies, and Wired gets no information about which of its stories you read. Wired doesn't even get to know that you're monitoring its feed.

I don't mean to pick on Wired here. This goes for every news source I follow – from CNN to the New York Times. But RSS isn't just good for the news! It's good for everything. Your friends' blogs? Every blogging platform emits an RSS feed by default. You can follow every one of them in your reader.

Not just blogs. Do you follow a bunch of substackers or other newsletters? They've all got RSS feeds. You can read those newsletters without ever registering in the analytics of the platforms that host them. The text shows up in black and white (not the sadistic, 8-point, 80% grey-on-white type these things all default to). It is always delivered, without any risk of your email provider misclassifying an update as spam:

https://pluralistic.net/2021/10/10/dead-letters/

Did you know that, by default, your email sends information to mailing list platforms about your reading activity? The platform gets to know if you opened the message, and often how far along you've read in it. On top of that, they get all the private information your browser or app leaks about you, including your location. This is unbelievably gross, and you get to bypass all of it, just by reading in RSS.

Are your friends too pithy for a newsletter, preferring to quip on social media? Unfortunately, it's pretty hard to get an RSS feed from Insta/FB/Twitter, but all those new ones that have popped up? They all have feeds. You can follow any Mastodon account (which means you can follow any Threads account) via RSS. Same for Bluesky. That also goes for older platforms, like Tumblr and Medium. There's RSS for Hacker News, and there's a sub-feed for the comments on every story. You can get RSS feeds for the Fedex, UPS and USPS parcels you're awaiting, too.

Your local politician's website probably has an RSS feed. Ditto your state and national reps. There's an RSS feed for each federal agency (the FCC has a great blog!).

Your RSS reader lets you put all these feeds into folders if you want. You can even create automatic folders, based on keywords, or even things like "infrequently updated sites" (I follow a bunch of people via RSS who only update a couple times per year – cough, Danny O'Brien, cough – and never miss a post).

Your RSS reader doesn't (necessarily) have an algorithm. By default, you'll get everything as it appears, in reverse-chronological order.

Does that remind you of anything? Right: this is how social media used to work, before it was enshittified. You can single-handedly disenshittify your experience of virtually the entire web, just by switching to RSS, traveling back in time to the days when Facebook and Twitter were more interested in showing you the things you asked to see, rather than the ads and boosted content someone else would pay to cram into your eyeballs.

Now, you sign up to so many feeds that you're feeling overwhelmed and you want an algorithm to prioritize posts – or recommend content. Lots of RSS readers have some kind of algorithm and recommendation system (I use News, which offers both, though I don't use them – I like the glorious higgeldy-piggeldy of the undifferentiated firehose feed).

But you control the algorithm, you control the recommendations. And if a new RSS reader pops up with an algorithm you're dying to try, you can export all the feeds you follow with a single click, which will generate an OPML file. Then, with one click, you can import that OPML file into any other RSS reader in existence and all your feeds will be seamlessly migrated there. You can delete your old account, or you can even use different readers for different purposes.

You can access RSS in a browser or in an app on your phone (most RSS readers have an app), and they'll sync up, so a story you mark to read later on your phone will be waiting for you the next time you load up your reader in a browser tab, and you won't see the same stories twice (unless you want to, in which case you can mark them as unread).

RSS basically works like social media should work. Using RSS is a chance to visit a utopian future in which the platforms have no power, and all power is vested in publishers, who get to decide what to publish, and in readers, who have total control over what they read and how, without leaking any personal information through the simple act of reading.

And here's the best part: every time you use RSS, you bring that world closer into being! The collective action problem that the publishers and friends and politicians and businesses you care about is caused by the fact that everyone they want to reach is on a platform, so if they leave the platform, they'll lose that community. But the more people who use RSS to follow them, the less they'll depend on the platform.

Unlike those largely useless, performative boycotts of widely used platforms, switching to RSS doesn't require that you give anything up. Not only does switching to RSS let you continue to follow all the newsletters, webpages and social media accounts you're following now, it makes doing so better: more private, more accessible, and less enshittified.

Switching to RSS lets you experience just the good parts of the enshitternet, but that experience is delivered in manner that the new, good internet we're all dying for.

My own newsletter is delivered in fulltext via RSS. If you're reading this as a Mastodon or Twitter thread, on Tumblr or on Medium, or via email, you can get it by RSS instead:

https://pluralistic.net/feed/

Don't worry about which RSS reader you start with. It literally doesn't matter. Remember, you can switch readers with two clicks and take all the feeds you've subscribed to with you! If you want a recommendation, I have nothing but praise for Newsblur, which I've been paying $2/month for since 2011 (!):

https://newsblur.com/

Subscribing to feeds is super-easy, too: the links for RSS feeds are invisibly embedded in web-pages. Just paste the URL of a web-page into your RSS reader's "add feed" box and it'll automagically figure out where the feed lives and add it to your subscriptions.

It's still true that the new, good internet will require a movement to overcome the collective action problems and the legal barriers to disenshittifying things. Almost nothing you do as an individual is going to make a difference.

But using RSS will! Using RSS to follow the stuff that matters to you will have an immediate, profoundly beneficial impact on your own digital life – and it will appreciably, irreversibly nudge the whole internet towards a better state.

Hey look at this (permalink)

* You Can't Make Friends With The Rockstars https://www.wheresyoured.at/rockstars/

• Tom Lehrer Discovers Australia (And Vice Versa) https://taylorjessen.blogspot.com/2024/10/tom-lehrer-tom-lehrer-discovers.html

• Conceptual models of space colonization https://www.antipope.org/charlie/blog-static/2024/10/conceptual-models-of-space-col.html

This day in history (permalink)

#20yrsago Sony bullies Retropod off the net https://web.archive.org/web/20041018040446/http://www.retropod.com/

#15yrsago This Side of Jordan – Violent jazz age novel by Charles M Schulz’s son Monte https://memex.craphound.com/2009/10/16/this-side-of-jordan-violent-jazz-age-novel-by-charles-m-schulzs-son-monte/

#10yrsago FBI chief demands an end to cellphone security https://www.nytimes.com/2014/10/17/us/politics/fbi-director-in-policy-speech-calls-dark-devices-hindrance-to-crime-solving.html

#10yrsago Please, Disney: put back John’s grandad’s Haunted Mansion tombstone https://thedisneyblog.com/2014/10/16/petition-to-return-a-lost-tombstone-to-the-haunted-mansion/

#10yrsago How Microsoft hacked trademark law to let it secretly seize whole businesses https://www.wired.com/2014/10/microsoft-pinkerton/

#10yrsago If you think you’ve anonymized a data set, you’re probably wrong https://web.archive.org/web/20141014172827/http://research.neustar.biz/2014/09/15/riding-with-the-stars-passenger-privacy-in-the-nyc-taxicab-dataset/

#10yrsago The lost cyber-crayolas of the mid-1990s https://memex.craphound.com/2014/10/16/the-lost-cyber-crayolas-of-the-mid-1990s/

#5yrsago “The People’s Money”: A crisp, simple, thorough explanation of how government spending is paid for https://neweconomicperspectives.org/2019/10/the-peoples-money-part-1.html

#5yrsago What it’s like to have Apple rip off your successful Mac app https://memex.craphound.com/2019/10/16/what-its-like-to-have-apple-rip-off-your-successful-mac-app/

#5yrsago Blizzard suspends college gamers from competitive play after they display “Free Hong Kong” poster https://www.vice.com/en/article/three-college-hearthstone-protesters-banned-for-six-months/

#5yrsago Terrified of bad press after its China capitulation, Blizzard cancels NYC Overwatch event https://www.bloomberg.com/news/articles/2019-10-15/blizzard-cancels-overwatch-event-as-it-tries-to-contain-backlash

#5yrsago A San Diego Republican operator ran a massive, multimillion-dollar Facebook scam that targeted boomers https://www.buzzfeednews.com/article/craigsilverman/facebook-subscription-trap-free-trial-scam-ads-inc

#5yrsago Britain’s unbelievably stupid, dangerous porn “age verification” scheme is totally dead https://arstechnica.com/tech-policy/2019/10/uk-government-abandons-planned-porn-age-verification-scheme/

#5yrsago Not only is Google’s auto-delete good for privacy, it’s also good news for competition https://memex.craphound.com/2019/10/16/not-only-is-googles-auto-delete-good-for-privacy-its-also-good-news-for-competition/

#5yrsago Edward Snowden on the global war on encryption: “This is our new battleground” https://www.theguardian.com/commentisfree/2019/oct/15/encryption-lose-privacy-us-uk-australia-facebook

#5yrsago In Kansas’s poor, sick places, hospitals and debt collectors send the ailing to debtor’s prison https://features.propublica.org/medical-debt/when-medical-debt-collectors-decide-who-gets-arrested-coffeyville-kansas

#5yrsago Want a ride in a Lyft? Just sign away your right to sue if they kill, maim, rape or cheat you https://memex.craphound.com/2019/10/16/want-a-ride-in-a-lyft-just-sign-away-your-right-to-sue-if-they-kill-maim-rape-or-cheat-you/

#5yrsago #RedForEd rebooted: Chicago’s teachers are back on strike https://www.thenation.com/article/archive/union-strike-chicago-teachers/

#1yrago One of America's most corporate-crime-friendly bankruptcy judges forced to recuse himself https://pluralistic.net/2023/10/16/texas-two-step/#david-jones

Upcoming appearances (permalink)

• OKFN Tech We Want Online Summit (Remote), Oct 18
  https://okfn.org/en/events/the-tech-we-want-online-summit/

• SOSS Fusion (Atlanta), Oct 22
  https://sossfusion2024.sched.com/speaker/cory_doctorow.1qm5qfgn

• Eagle Eye Books (Decatur), Oct 23
  https://eagleeyebooks.com/event/2024-10-23/cory-doctorow

• TusCon (Tucson), Nov 8-10
  https://tusconscificon.com/

• International Cooperative Alliance (New Delhi), Nov 24
  https://icanewdelhi2024.coop/welcome/pages/Programme

• ISSA-LA Holiday Celebration keynote (Los Angeles), Dec 18
  https://issala.org/event/issa-la-december-18-dinner-meeting/

Recent appearances (permalink)

• Speciale intervista a Cory Doctorow (Digitalia)
  https://digitalia.fm/744/

• Was There Ever An Old, Good Internet? (David Graeber Institute)
  https://www.youtube.com/watch?v=T6Jlxx5TboE

• Go Fact Yourself
  https://maximumfun.org/episodes/go-fact-yourself/ep-158-aida-rodriguez-cory-doctorow/

Latest books (permalink)

• The Bezzle: a sequel to "Red Team Blues," about prison-tech and other grifts, Tor Books (US), Head of Zeus (UK), February 2024 (the-bezzle.org). Signed, personalized copies at Dark Delicacies (https://www.darkdel.com/store/p3062/Available_Feb_20th%3A_The_Bezzle_HB.html#/).

• "The Lost Cause:" a solarpunk novel of hope in the climate emergency, Tor Books (US), Head of Zeus (UK), November 2023 (http://lost-cause.org). Signed, personalized copies at Dark Delicacies (https://www.darkdel.com/store/p3007/Pre-Order_Signed_Copies%3A_The_Lost_Cause_HB.html#/)

• "The Internet Con": A nonfiction book about interoperability and Big Tech (Verso) September 2023 (http://seizethemeansofcomputation.org). Signed copies at Book Soup (https://www.booksoup.com/book/9781804291245).

• "Red Team Blues": "A grabby, compulsive thriller that will leave you knowing more about how the world works than you did before." Tor Books http://redteamblues.com. Signed copies at Dark Delicacies (US): and Forbidden Planet (UK): https://forbiddenplanet.com/385004-red-team-blues-signed-edition-hardcover/.

• "Chokepoint Capitalism: How to Beat Big Tech, Tame Big Content, and Get Artists Paid, with Rebecca Giblin", on how to unrig the markets for creative labor, Beacon Press/Scribe 2022 https://chokepointcapitalism.com

• "Attack Surface": The third Little Brother novel, a standalone technothriller for adults. The Washington Post called it "a political cyberthriller, vigorous, bold and savvy about the limits of revolution and resistance." Order signed, personalized copies from Dark Delicacies https://www.darkdel.com/store/p1840/Available_Now%3A_Attack_Surface.html

• "How to Destroy Surveillance Capitalism": an anti-monopoly pamphlet analyzing the true harms of surveillance capitalism and proposing a solution. https://onezero.medium.com/how-to-destroy-surveillance-capitalism-8135e6744d59?sk=f6cd10e54e20a07d4c6d0f3ac011af6b) (signed copies: https://www.darkdel.com/store/p2024/Available_Now%3A__How_to_Destroy_Surveillance_Capitalism.html)

• "Little Brother/Homeland": A reissue omnibus edition with a new introduction by Edward Snowden: https://us.macmillan.com/books/9781250774583; personalized/signed copies here: https://www.darkdel.com/store/p1750/July%3A__Little_Brother_%26_Homeland.html

• "Poesy the Monster Slayer" a picture book about monsters, bedtime, gender, and kicking ass. Order here: https://us.macmillan.com/books/9781626723627. Get a personalized, signed copy here: https://www.darkdel.com/store/p2682/Corey_Doctorow%3A_Poesy_the_Monster_Slayer_HB.html#/.

Upcoming books (permalink)

• Picks and Shovels: a sequel to "Red Team Blues," about the heroic era of the PC, Tor Books, February 2025

• Unauthorized Bread: a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2025

Colophon (permalink)

Today's top sources:

Currently writing:

• Enshittification: a nonfiction book about platform decay for Farrar, Straus, Giroux. Today's progress: 818 words (64779 words total).

• A Little Brother short story about DIY insulin PLANNING

• Picks and Shovels, a Martin Hench noir thriller about the heroic era of the PC. FORTHCOMING TOR BOOKS FEB 2025

Latest podcast: Spill, part one (a Little Brother story) https://craphound.com/littlebrother/2024/10/06/spill-part-one-a-little-brother-story/

This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Medium (no ads, paywalled):

https://doctorow.medium.com/

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

https://twitter.com/doctorow

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

Recently, Microsoft had quite frankly a kicking from the US Department of Homeland Security over their security practices in a Cyber Safety Review Board report. I’ve tried to keep as quiet as possible about this one for various reasons (and I was not involved in the CSRB report, even anonymously) — although long time followers will know I’ve been often critical of Microsoft’s security posture. The CSRB report is well worth a read — they did a great job.

In particular, I aired some pretty critical (but vague) thoughts after leaving Microsoft — which although there was a period where I gather people were told it was because I had an axe to grind, it wasn’t — it was because I had been concerned about what I had seen. I couldn’t do anything about it at the time due to other issues going on there. Truthfully I’d always been critical of Microsoft over various things, e.g. prior to joining Microsoft I talked to BBC News about docs.com being the source of Microsoft’s customers accidentally leaking their documents, which ultimately led to the quiet mothballing of the product.

To give Microsoft its credit, it has a unique (from what I’ve seen) and good corporate culture that tolerates dissent. The reason I aired concerns is.. well.. what happens at Microsoft impacts society. And, selfishly, also me, and the ability for me to defend the orgs I work for.

They’re uniquely placed as a software and services vendor. Microsoft’s security woes are, in my opinion, a safety issue for society because the dependency on them for civil society is so vast. Those woes are not the fault of one person, or team — in fact, I think they’re due to security debt building up over time.

Microsoft have now announced to customers their response — after a slightly weird few days where they announced what was happening via anonymous press briefings, to shareholders and then attached to pitching Security Copilot in news reports. Lesson for Microsoft here — tell staff and customers first, and keep AI sales separate.

After watching the dust settle, I thought it was important to dig into the announcements and what I think they mean in practice.

The Microsoft response

The Verge reports that Microsoft are re-prioritising around cybersecurity as their top priority, with six prioritized security pillars (pro-tip: if you’re ever talking to Satya, talk in pillars) —largely talking about Microsoft’s internal corporate systems.

These pillars are:

Protect identities and secrets
Protect tenants and isolate production systems
Protect networks
Protect engineering systems
Monitor and detect threats
Accelerate response and remediation

The announcement to customers comes with a blog from Charlie Bell, their Executive Vice President of Microsoft Security:

https://www.microsoft.com/en-us/security/blog/2024/05/03/security-above-all-else-expanding-microsofts-secure-future-initiative/

And an all company email from Satya Nadella, their CEO. To quote the end of it:

Security is a team sport, and accelerating SFI isn’t just job number one for our security teams — it’s everyone’s top priority and our customers’ greatest need.

If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security. In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems. This is key to advancing both our platform quality and capability such that we can protect the digital estates of our customers and build a safer world for all.

I’ll say up front, it’s a great email. I think Satya and Charlie are killing it with messaging. Frankly, everybody likes to talk about cybersecurity and pretend it’s super interesting.. until they actually have to do it.

Because cybersecurity is, frankly, major boring (and far too expensive) shit — and also really hard to do right and super easy to do wrong. So it’s the kind of email you have to send from the top as you need people internally to go ‘oh, this is a real thing’.

What I think it means

It’s a really good response, which high level grapples with a whole bunch of problems I saw within Microsoft. Truthfully, the problems I saw at Microsoft extended way beyond what is known, and I don’t want to document them publicly as — frankly — they appear to know parts of the barn are, in fact, on fire.

The other thing I’m cognizant of is I was just an idiot analyst there, a pleb — I did not have a full picture of what was happening, I was sat looking at things going ‘oooooooooohkay, apparently it’s 1997 here in cybersecurity’.

One of the things with the Snowden disclosures is that guy was, essentially, a SharePoint administrator as I understand it, who somehow promoted himself to Chief Expert Spy after fleeing the country. I was just a boring threat intelligence person for Microsoft in Redmond. And I also offer no documents to read. I want to be clear I’m not comparing myself to Snowden here, more making the opposite point.

I think when you had Brad Smith talking about “being on the frontlines” of the Russia/Ukraine war, on the side supporting Ukraine, it was the right thing to do — but also, you’re relying on having the best cybersecurity in the world. Microsoft was already a target, but essentially it’s like screaming ‘come at me, I’m hard’ in a Call of Duty match. I don’t think the execs at Microsoft had a full view of the security challenges they are facing.

That isn’t to say everything Microsoft has been doing in cybersecurity is wrong, by the way — it isn’t, they employ some of the smartest people in security and deal with an incredible amount of incidents nobody knows about. What I mean is, some risky things there are normalised — things straight up in CISA’s Bad Practice list, that Microsoft helped write — and were deemed okay because.. uh… they’re Microsoft.

do as i say not as i do — the customer experience

Watermelon Green

In a PowerPoint slide, it looks like every unpatched system is automatically booted from the network after 2 weeks, 100% green! In reality, if you looked at the real details… you’d hit the red. I call this the Watermelon Green effect.

To be clear, I have no idea if that PowerPoint slide exists at Microsoft (it probably does, based on what I’m told as a customer by MS sales about Microsoft’s amazing internal security) — it’s just a made up example of that I think every org can learn from. If people aren’t bringing out their dead, too, you’re looking at death by compliance and governance, especially where everything is incentivised to be green.

Breaking down the pillars

Protect identities and secrets — the identity teams and managers at Microsoft are really good, in my experience. Microsoft Entra ID is also a really good product, along with the product security offerings.

What they’ve grappled with in the identity space internally includes parts of the org trying to rapidly bolt on services upon services — e.g. consumer Xbox authentication etc — and they’ve reached a point of a two decade long game of Jenga that has got a bit out of hand. Some of the things bolted on included clear documentation on how not to use the features, which internal developers promptly ignored. It feels right Microsoft go back and concentrate on this area, as Jenga has a habit of toppling down.

Notably, the announcement mentions HSMs — think of this as digital vaults. I’ve had a few people at Microsoft call me and be like ‘Kevin, we do use HSMs’. Reality check: Microsoft don’t use HSMs for everything, including some of the most important things.

There’s lots of certificate keys and such which simply haven’t been securely handled properly. I know a bunch of this infrastructure is really old, but.. well.. the world grew up, and the steps other orgs had to take a decade ago are also steps Microsoft needs to take about a decade ago. HSMs are hard to implement and use, in some cases incredibly so — I’m 25 years into corporate security and have the scars. But… uh… either make a better solution, or suck it up and implement ’em 100% of the time with deeply sensitive material.

On the other hand, the story with secrets at Microsoft is… they are not so secret. This is common across lots of orgs, and to Microsoft’s credit they’ve tried (and tried and tried) to get internal developers under control with putting API keys in source code and such. I think they need to keep trying.

For a long period Microsoft dealt with a guy or girl called The Walking Cat (_h0x0d_) on Twitter who constantly leaked Microsoft’s commercial plans publicly (notably Xbox, but others too), and he/she was just.. er… largely walking in the front door.

None of this should be reflection on Entra ID, I think. It isn’t. It’s issues around how Microsoft themselves use their own systems and have superglued things together like they’re on Season 37 of The A-Team. Mr T’s looking at bit too old for this.

Protect tenants and isolate production systems — you might look at this and think ‘Microsoft has the best security in the world, of course they already did this’. There’s always work to be done, and the path Charlie outlines in his blog is spot on for focus areas. Does everybody need to be local admin? Can attack surface be reduced for many people? If it was me I’d bring in somebody like PWC and say, don’t red team us, just roast us on our day to day security practices in the trenches… before China does.

Protect networks — raise your hand if you’ve worked for a company where the network is too flat, and people have convinced themselves it is okay because Zero Trust Or Whatever? Every company should try to fix this.

Protect engineering systems- obvious and good.

Monitor and detect threats — I often made the joke at Microsoft that Microsoft’s security products are great, and Microsoft should use them. It wasn’t a joke, also. Microsoft dogfood a whole bunch of their product stack, but they need to turn the features used up to 11 and really deploy everything. Microsoft Threat Experts? It should be enabled on Microsoft’s own corporate tenant. When I was there, it wasn’t… and had that service been enabled, they would have spotted significant nation state activity several months before Mandiant did. Microsoft own the product and the team and can afford their own services — that applies across the stack.

And yes, logging of corporate systems for two years is very much needed (and relatively standard amongst many industries). Azure IRM classification of every new doc created, DLP, the whole shebang should be there. If it’s too hard internally, improve the product for customers too (and sell more as a result).

Accelerate response and remediation- “Increase transparency of mitigated cloud vulnerabilities through the adoption and release of Common Weakness Enumeration™ (CWE™), and Common Platform Enumeration™ (CPE™) industry standards for released high severity Common Vulnerabilities and Exposures (CVE) affecting the cloud.” <- one thing with this, it should not just apply to CVEs, as CVEs exclude just cloud services. Microsoft, I think, need to lead the way in detailing fixed vulnerabilities in their cloud stack that they currently don’t list. Why? Because all cloud providers should do this, and it forces hands I think. This may be what they mean, but the wording leaves a bit of wriggle room I think compared to the CSRB report intentions.

Another pullout — Instituting new governance

I want to talk about the “Instituting new governance” heading from Charlie’s blog as I think it’s really important, and he’s hit upon an area of concern as a customer.

Microsoft has a bunch of different business units, who operate.. kinda separately? You’d have, say, Microsoft Security who operated differently to, say, Azure. Each of these would have overlapping areas — e.g. both Azure and Microsoft Security operated security products, but they had different senior leadership.

On top of this, Microsoft operated a security governance structure I’d not seen before — each business unit basically did its own thing. That’s over simplifying it and being glib, but the security governance was basically not aligned, and it led to situations like — for example — Microsoft Security, when I worked there, didn’t have certain features in Microsoft Defender for Endpoint enabled. But some non-security business units did. (This was fixed while I was there). It was pretty head scratching.

To quote the blog: “Microsoft is implementing a new security governance framework spearheaded by the Chief Information Security Officer (CISO). This framework introduces a partnership between engineering teams and newly formed Deputy CISOs, collectively responsible for overseeing SFI, managing risks, and reporting progress directly to the Senior Leadership Team. Progress will be reviewed weekly with this executive forum and quarterly with our Board of Directors.”

I think what’s happening here is they’re trying to centralise some of this, in a structure that works inside Microsoft’s existing operating model. That is smart, I think. But I’m bias:

Also smart: “We will instil accountability by basing part of the compensation of the company’s Senior Leadership Team on our progress in meeting our security plans and milestones.”

In other smart moves: “Finally, given the importance of threat intelligence, we are bringing the full breadth of nation-state actor and threat hunting capabilities into the CISO organization.”

Assuming this includes MSTIC, it’s a really good move. MSTIC are one of Microsoft’s threat intelligence teams, who track nation state threats and criminal groups. MSTIC is full of really smart people, many of whom I admire and do important work.. and is also an element of, I think, a loaded gun to the foot in terms of their level and scope of access to telemetry, as not everything is just the optics of cybersecurity. It’s certainly an area that needs oversight and diverse thinking. Frankly threat actors are transitioning to platforms like Mac and Linux anyway. MSTIC probably needs to find sustainable insight from outwards in, rather than looking out.

My overall thoughts

As always, the proof is in the pudding, not the vendor blog. I think these changes will take a few years to start to work through, and fully expect a few more clanger breaches in the mean time. And that’s annoying but okay, because hard work is hard.

I do think, though, Microsoft are on the right track here towards earning my trust back as a customer. They’re talking about real internal issues at Microsoft — in a corporate blog cosplay way of course — and actually heading straight at long standing and festering issues which need addressing.

I’d also say, people shouldn’t take the CSRB report to be criticisms of Microsoft’s security product offerings. They aren’t. Microsoft’s security products are largely very good, in my view — having both used them at scale at large organisations for long periods of time while being the accountable manager, to actually working on a few. Microsoft Defender for Endpoint? Great. Microsoft Defender for Identity? Great. Both have got me and my organisations out of multiple security incidents unscathed. Same with Entra ID Protection.

Have there been tangible security failings with Microsoft 365 services? Yeah.

Do I understand the customers who get frustrated about receiving malware from Microsoft 365 hosted services? Hell yeah, I’m one. I also resent being sold Microsoft Defender for Endpoint… then being told to buy Microsoft Defender for Endpoint P2 addon, then Microsoft Sentinel etc to get the right logs in the right format. I get growth top right is always needed for a publicly traded business, but… uh… the upsell is real and often a turn off.

It’s particularly hard to justify nowadays as something in business you’ll really hear is ‘Microsoft should be giving us this for free, it’s our own data’ — I think the woes over the last few years have really damaged trust and the E5 upsell may be a problem for Microsoft’s sales people, frankly.

I think challenges remain in Microsoft Office, Microsoft Exchange, Microsoft SharePoint, ADFS.. some of the core products. Things should be more secure out of the box. Microsoft Windows shouldn’t allow .VBS, .VBE files to do anything in the space year 2024. I know, I know, Smart App Control and all that — but it feels like a lot of engineering work for a conversation which should probably become more ‘…should we just sunset some features and break a small amount of AppCompat, to protect hospitals?’.

I know there’s been some significant engineering resource on things like Application Guard for Office, Edge etc — but my personal view, from the trenches, is that if features require new hardware, things manually enabling etc — it isn’t going to work. Lots of orgs still have nobody responsible for cybersecurity, that’s just how it is in the trenches. Every day is spent talking to suppliers who have been hit with ransomware and have no idea how to begin to respond. And largely, it started with Windows PCs and servers. And it’s usually threat actors repeating the same basic things over and over again.

I think a whole bunch of the solutions Microsoft should look towards should be as simple to engineer and use as possible.

For example, the changes which hardened Office macros started due to, as I understand it, somebody in the Office team making the brave call to just disable macros from the internet, and take the heat it would generate. That relatively small pivot changed the email security market, and changed the overall threat landscape — it’s evident in data from email server and endpoint logs. In my opinion, that’s the template of what should be happening across Microsoft’s product offerings, driven by threat intelligence. Office macros were left to fester for far too long, and essentially spawned a large part of the ransomware industry problem we are now left with (and has become very difficult to put out — we’re in the age of the ransomware wildfire).

The pivot to attackers looking at edge network devices is, I think, partly driven by that. Now, you may say — Kevin — let’s just leave ransomware actors using Office macros, as we know how to defend against that. And it’s an okay argument. But it doesn’t help libraries, UK councils, old people’s homes etc in the immediate term. Disabling macros from the internet definitely did help them. Yes, attackers may be finding new ways — but that’s a cost we should, overall, be imposing I think. Every vendor should be better, and Microsoft should aim to be the best.

I’ve long said ransomware groups are a competitor for security vendors. I think we’re seeing that play out. It’s completely flown under the radar, but I recently published a private exploit that Akira ransomware group had been using against Cisco ASA VPN devices, written by @Naproxen.. the exploit looks simple, but finding it required looking through ~100k lines of code.

When you’ve got ransomware groups, largely driven by teenagers, working on edge network product exploits alongside nation state activity in China.. it’s a wild and escalating situation. I think we’ll continue to security vendors, not just Microsoft, having to reprioritise security to be at the heart of their operations — due to the real threat of being plunged into chaos by anime loving ransomware fans.

Microsoft has the ability to redefine Windows, Office, Microsoft 365 and other products as the most secure solutions available out of the box — to be the true security leader for small to medium size businesses and large enterprise, by taking some calculated decisions on legacy compatibility.

Being an open to use operating system platform should not mean being an insecure one due to legacy code owned end to end by Microsoft itself (hi, wscript).

Microsoft has history with this. When I flash back to the beginnings of my career, as I was right there at the front of the IIS Unicode issue, where a Unicode directory traversal vulnerability allowed IIS to spawn any command. It was a really daft vulnerability. One of the earliest emails in my personal inbox is me and Microsoft’s security team talking about that, as it happens. A bunch more gaffes were made.

Microsoft’s then CEO, Bill Gates, reset the agenda on security, and in fairness — if you look at many Microsoft subsequent server offerings (such as IIS), they’re rarely the cause of security incidents in organisations. They really tightened up shop in many areas.

Did Microsoft later fumble it? Yeah. The Department of Homeland Security literally handed the US President a report (the CSRB one) saying Microsoft have made big mistakes.

To spell it out, security debt has piled up and internal corporate security at Microsoft isn’t where it needs to be for the world’s most important and targeted software company. The risk pivot was wrong. Hindsight is easy, doing the right thing is hard.

Microsoft products and services should be the safest choice to use for business leaders and community groups.

I think that’s a competitive advantage to end up at.. but frankly and more importantly, I think it’s the right thing to do. And I think if Microsoft delivers on this strategy, it can deliver that vision.

Breaking down Microsoft’s pivot to placing cybersecurity as a top priority was originally published in DoublePulsar on Medium, where people are continuing the conversation by highlighting and responding to this story.

Microsoft is adding touch controls to its Xbox apps for iOS and Android devices. The software maker started testing the touch controls in beta versions of the Xbox mobile apps this week, allowing Xbox owners to remotely control their consoles and play games on phones and tablets without a Bluetooth controller.

The touch controls are identical to the ones found on Microsoft’s Xbox Cloud Gaming service, providing an on-screen overlay to let you remotely navigate around the Xbox UI and open up games and stream them all from your own console without needing to use a controller.

The touch controls are surprisingly good in a pinch,...

Continue reading…

Enlarge / The Microsoft Ergonomic Keyboard is making a comeback. (credit: Microsoft)

In April, Microsoft announced that it would stop selling Microsoft-branded computer peripherals. Today, Onward Brands announced that it's giving those discarded Microsoft-stamped gadgets a second life under new branding. Products like the Microsoft Ergonomic Keyboard will become Incase products with "Designed by Microsoft" branding.

Beyond the computer accessories saying "Designed by Microsoft," they should be the same keyboards, mice, webcams, headsets, and speakers, Onward, Incase's parent company, said, per The Verge. Onward said its Incase brand will bring back 23 Microsoft-designed products in 2024 and hopes for availability to start in Q2.

Some of the Microsoft-designed gear that Incase is relaunching. (credit: Incase )

Incase also plans to launch an ergonomic keyboard that Microsoft designed but never released. Onward CEO Charlie Tebele told The Verge that there's "potential" for Incase to release even more designs Microsoft never let us see.

Read 7 remaining paragraphs | Comments

Microsoft appears to be readying new Xbox expandable storage options from other manufacturers. A new Western Digital 1TB expansion card for Xbox Series S / X consoles has been spotted early on Best Buy, priced at $179.99. It’s the first time we’ve seen Xbox expandable storage that’s not manufactured by Seagate.

Microsoft originally launched Xbox expandable storage cards nearly three years ago with its Xbox Series S / X consoles. The 1TB cards were priced at $219.99 and manufactured exclusively by Seagate. While we’ve seen 512GB and 2TB options appear from Seagate, prices have stubbornly remained high, despite similar storage for PS5 consoles dropping significantly.

Image: Best Buy

An additional manufacturer for Xbox expandable storage is much-needed and will hopefully help push prices in the right direction. Best Buy’s listing (which has now been removed) of the Western Digital C50 1TB expansion card is $40 less than the Seagate model. At $179.99 it’s still hugely overpriced for 1TB storage, especially when you can find a Samsung 980 Pro 1TB PCIe Gen4 drive for $79.99 right now.

Microsoft decided to go with proprietary storage for its Xbox Series X / S consoles, which makes the installation a lot more consumer friendly. But pricing has suffered with only a single manufacturer. Sony opted for a rather standard M.2 SSD expandable storage slot instead, which allows PS5 owners to use a variety of drives on the market. You can even use slow PCIe Gen4 drives on the PS5.

It’s not clear when Western Digital’s new 1TB expansion card for Xbox will be available. The Best Buy listing has no preorder dates, so we’ve reached out to both Western Digital and Microsoft to comment on the listing.

Update, April 2nd 6:30PM ET: Best Buy has now removed the listing.