Patches that were released in January to protect Windows 7 from the Meltdown flaw may have opened an even worse can of worms for the OS, according to one security researcher.
Ulf Frisk, a security researcher who specializes in direct memory access (DMA) attacks, described the problem this week in a blog post called "Total Meltdown?"
The January patch was intended to address the Meltdown flaw in Intel, IBM POWER and ARM-based processors that emerged in January and theoretically allows a rogue process to read all memory on a system.
"[The patch] stopped Meltdown but opened up a vulnerability way worse...It allowed any process to read the complete memory contents at gigabytes per second, oh -- it was possible to write to arbitrary memory as well," wrote Frisk, who is the author of the PCILeech memory access attack toolkit, and who described himself in a DEFCON 24 presentation in 2016 as a penetration tester specializing in online banking security and working in Stockholm, Sweden.
"No fancy exploits were needed. Windows 7 already did the hard work of mapping in the required memory into every running process. Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required -- just standard read and write," Frisk said.
The flaw does not affect Windows 10 or Windows 8, according to Frisk.
The problem appears to have been introduced by the Windows 7 patches released in January, during the industrywide scramble to address the Meltdown and related Spectre flaws whose existence was revealed slightly ahead of schedule. Some of the first-generation patches caused reboot and slowdown issues, among other problems.
Frisk said the subsequent March patch for Windows 7 fixed the flaw, and he discovered the problem after the March patch was released.
Posted by Scott Bekker on March 28, 2018 at 10:26 AM
Network managers need to be on the lookout for password-spray attacks, according to warnings from the FBI and U.S. Department of Homeland Security.
In a password-spray attack, a hacker tests a single password against multiple user accounts at an organization. The method often involves weak passwords, such as Winter2018 or Password123!, and can be an effective hacking technique against organizations that are using single sign-on (SSO) and federated authentication protocols, but that haven't deployed multifactor authentication.
By hitting multiple accounts, the method can test a lot of user names without triggering account-lockout protections that kick in when a single user account gets hit with multiple password attempts in a row.
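One way to detect the pattern described above, added here as an example and not taken from the US-CERT alert or Microsoft's guidance: it flags any source that fails against many distinct accounts inside a time window, and contrasts that with a per-account lockout counter run over the same events. The log format, the 30-minute window, both thresholds and all function names are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not real data): ISO time, source IP, account, result.
SAMPLE_LOG = """\
2018-03-27T09:00:05 203.0.113.7 alice FAIL
2018-03-27T09:00:09 203.0.113.7 bob FAIL
2018-03-27T09:00:14 203.0.113.7 carol FAIL
2018-03-27T09:00:18 203.0.113.7 dave FAIL
2018-03-27T09:00:23 203.0.113.7 erin FAIL
2018-03-27T09:00:27 203.0.113.7 frank FAIL
2018-03-27T09:03:10 192.0.2.44 bob FAIL
2018-03-27T09:03:31 192.0.2.44 bob OK
2018-03-27T09:10:00 198.51.100.9 admin FAIL
2018-03-27T09:10:04 198.51.100.9 admin FAIL
2018-03-27T09:10:08 198.51.100.9 admin FAIL
2018-03-27T09:10:12 198.51.100.9 admin FAIL
2018-03-27T09:10:16 198.51.100.9 admin FAIL
2018-03-27T09:20:05 203.0.113.7 alice FAIL
2018-03-27T09:20:09 203.0.113.7 bob FAIL
2018-03-27T09:20:14 203.0.113.7 carol OK
2018-03-27T09:20:18 203.0.113.7 dave FAIL
2018-03-27T09:20:23 203.0.113.7 erin FAIL
2018-03-27T09:20:27 203.0.113.7 frank FAIL
"""

WINDOW = timedelta(minutes=30)  # assumed observation window


def parse_events(text):
    """Parse 'time ip account result' lines into time-sorted tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, ip, user, result = parts
            events.append((datetime.fromisoformat(ts), ip, user.lower(), result))
    return sorted(events)


def lockout_hits(events, window=WINDOW, threshold=5):
    """Accounts a per-account lockout would trip: >= threshold failures in
    the window. Simplified: the counter is not reset by a successful sign-in."""
    by_user = defaultdict(list)
    for ts, _ip, user, result in events:
        if result == "FAIL":
            by_user[user].append(ts)
    hit = set()
    for user, times in by_user.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hit.add(user)
                break
    return hit


def find_sprays(events, window=WINDOW, min_accounts=5):
    """Flag sources whose failures span >= min_accounts distinct accounts
    within one window, and list accounts that later signed in from them."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    findings = []
    for ip, fails in by_ip.items():
        counts, start, best = Counter(), 0, None
        for ts, user in fails:
            counts[user] += 1
            # Slide the window start forward, dropping expired failures.
            while ts - fails[start][0] > window:
                old = fails[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_accounts and (
                best is None or len(counts) > len(best["accounts"])
            ):
                best = {
                    "source": ip,
                    "accounts": sorted(counts),
                    "max_per_account": max(counts.values()),
                    "window_start": fails[start][0],
                }
        if best:
            # A success from a flagged source is the account to reset first.
            best["successes"] = sorted(
                {u for t, src, u, res in events
                 if src == ip and res == "OK" and t >= best["window_start"]}
            )
            findings.append(best)
    return findings


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("lockout would trip for:", lockout_hits(evts))
    for f in find_sprays(evts):
        print("possible spray:", f)
```

On the constructed data the lockout counter trips only for the single hammered account, while the source that touched six accounts once or twice each is caught by the distinct-account count.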
"According to information derived from FBI investigations, malicious cyber actors are increasingly using a style of brute force attack known as password spraying against organizations in the United States and abroad," the agencies declared in a US-CERT technical alert issued Tuesday evening.
Prompting the alert was the disclosure last Friday of a federal indictment against nine Iranian nationals associated with the Mabna Institute, a private Iran-based company accused of hacking on behalf of the Iranian state. The main focus of that indictment was a massive, four-year spear-phishing campaign to steal credentials from thousands of university professors whose publications could allegedly advance Iranian research interests.
Also caught up in the alleged Iranian effort were 36 private companies in the United States, 11 companies in Europe and multiple U.S. government agencies and non-government organizations, and the method of attack for those organizations was password spraying.
According to the indictment:
In order to compromise accounts of private sector victims, members of the conspiracy used a technique known as 'password spraying,' whereby they first collected lists of names and email accounts associated with the intended victim company through open source Internet searches. Then, they attempted to gain access to those accounts with commonly-used passwords, such as frequently used default passwords, in order to attempt to obtain unauthorized access to as many accounts as possible.
Once they obtained access to the victim accounts, members of the conspiracy, among other things, exfiltrated entire email mailboxes from the victims. In addition, in many cases, the defendants established automated forwarding rules for compromised accounts that would prospectively forward new outgoing and incoming email messages from the compromised accounts to email accounts controlled by the conspiracy.
The US-CERT technical alert refers to the indictment as having been handed up in February, which could explain Microsoft's detailed guidance for deterring password-spray attacks in a high-profile blog post on March 5. In that post, Alex Simons, director of program management for the Microsoft Identity Division, called password spray "a common attack which has become MUCH more frequent recently," and declared, "Password spray is a serious threat to every service on the Internet that uses passwords." The new government alert linked back to the March 5 Microsoft post as a mitigation resource.
While the Mabna-related password spraying clearly has a lot to do with the new alert, US-CERT warned that others are currently using the attack. "The techniques and activity described herein, while characteristic of Mabna actors, are not limited solely to use by this group," the alert stated.
This is US-CERT's third technical alert this year. Previous alerts warned about the Meltdown and Spectre side-channel vulnerability and Russian government cyberactivity targeting critical U.S. infrastructure.
Posted by Scott Bekker on March 28, 2018 at 12:23 PM
Could Microsoft's cloud strategy, partner channel and customer base help it vault ahead of its tech rivals to become the first trillion-dollar company?
Apple, Amazon and Alphabet (Google) have been front-runners in investor speculation about which company could be first to reach the psychological milestone of a trillion-dollar market capitalization.
Attention around the question peaked near the market's recent top in January and has settled considerably as stocks have fallen since. In addition, Facebook, which had been a little further back in the market cap sweepstakes, has completely worked its way out of the conversation in the midst of its recent storm of controversy over data privacy that has severely affected the stock price.
An analyst at Morgan Stanley revived the tech market cap question on Monday with a high-profile note to clients predicting Microsoft will reach a $1 trillion market cap within 12 months.
"Strong positioning for ramping public cloud adoption, large distribution channels and installed customer base, and improving margins support a path to $50 billion in EBIT and a $1 trillion market cap for MSFT," said Morgan Stanley's Keith Weiss in a note quoted by CNBC.
Shares of MSFT rose more than 5.5 percent after Morgan Stanley's note.
Here are the companies' relative market caps, according to Yahoo! Finance:
- Apple: $854 billion
- Amazon: $734 billion
- Alphabet (Google): $712 billion
- Microsoft: $710 billion
- Facebook: $453 billion
Posted by Scott Bekker on March 26, 2018 at 11:11 AM
Microsoft unveiled details and highlights of the upcoming Spring '18 release of Microsoft Dynamics 365 on Wednesday at Business Forward Amsterdam.
"We're unleashing a wave of innovation across the entire product line with hundreds of new capabilities and features in three core areas: new business applications; new intelligent capabilities infused throughout; and transformational new application platform capabilities," said James Phillips, corporate vice president of the Microsoft Business Applications Group, in a blog post unveiling the changes.
Dynamics 365 for Marketing
One hotly anticipated component that will be generally available on April 2, when many of the capabilities of the spring release are set to begin rolling out, is the overdue Dynamics 365 for Marketing application.
"This is a new marketing automation application for companies that need more than basic email marketing at the front end of a sales cycle to turn prospects into relationships," Phillips said of the component, which was originally announced in October 2016 and was supposed to ship a year ago.
Microsoft has previously described the forthcoming module as aimed at smaller businesses and steers larger companies to the Adobe Marketing Cloud suite, which is already available to Dynamics 365 users. A public preview of Dynamics 365 for Marketing has been available since February.
Dynamics 365 for Sales Professionals
Along the same lines of a more basic experience for customers with less intensive needs, Microsoft is also rolling out a new module called Dynamics 365 for Sales Professionals on April 2.
Phillips described the Sales Professional version as a streamlined version of Dynamics 365 for Sales, with an emphasis in the new version on core salesforce automation capabilities. "From opportunity management to sales planning and performance management, the solution optimizes sales processes and productivity," Phillips said.
New Intelligence Capabilities
The spring release is also productizing the years of work and millions invested in artificial intelligence research, Phillips said. "These investments are infused throughout Dynamics 365 and are now available with the spring 2018 release," he said.
The highest-profile examples are in a feature set Microsoft is calling "embedded intelligence" in the Dynamics 365 for Sales application. Microsoft previously referred to the feature set as Relationship Insights.
The idea is that embedded intelligence leverages information created in the sales process to recommend actions. The initial spring release on April 2 will include a relationship assistant, auto capture and e-mail engagement. Relationship Assistant analyzes customer interactions in Dynamics 365, Exchange and other sources to generate action cards that suggest next steps. Auto-Capture takes a salesperson's Outlook messages and appointments that relate to Dynamics 365 deals and offers to track them. E-mail Engagement tracks whether recipients open messages and attachments, click through links or reply to messages, and allows scheduling e-mails and reminders.
Common Data Service for Analytics and Apps
The launch will also include previews for a new set of data integration services built on the common data model -- one for Power BI and one for PowerApps.
The Common Data Service (CDS) represents another Microsoft run at the age-old problem of integrating data from multiple sources and trying to wrangle actionable business intelligence out of the combined data.
"The CDS for Analytics capability will reduce the complexity of driving business analytics across data from business apps and other sources," said Arun Ulag, Microsoft general manager of Intelligence Platform Engineering, in a blog post. Common Data Service for Analytics works with Power BI.
Ulag said CDS for Analytics expands Power BI with the introduction of an extensible business application schema. "Pre-built connectors for common data sources, including Dynamics 365, Salesforce and others from Power BI's extensive catalog, will be available to help organizations access data from Microsoft and third parties. And organizations will be able to add their own data," he said.
One of those pre-built Power BI apps, designed for Dynamics 365 for Sales, is supposed to enter the public preview stage during the second quarter of this year. Called Power BI for Sales Insights, the app will provide relationship analytics. The purpose is to help salespeople manage pipeline by using AI to rate the health of customer relationships with techniques including sentiment analysis. Another CDS for Analytics-based Power BI app coming to public preview in the second quarter is called Power BI for Service Insights.
On the Power Apps side, Microsoft is unveiling a preview of Common Data Service for Apps on April 2. When it ships, it will come with PowerApps and offer capabilities for modeling business solutions within platforms like Dynamics 365 and Office 365.
Others of the hundreds of new features in the spring release aim to unify Microsoft's business applications and improve integrations with Microsoft technologies, including Outlook, Teams, SharePoint, Stream, Flow, Azure, LinkedIn, Office 365 and Bing.
Microsoft will be providing more detail on March 28 in a Business Applications Virtual Spring Launch Event.
Posted by Scott Bekker on March 21, 2018 at 12:34 PM
Intel is officially declaring that it's done with the massive effort to provide software updates to protect against Spectre and Meltdown for all the products it has released in the last five years.
The chip maker also says it has redesigned the processors being released later this year to offer additional protections.
"We have now released microcode updates for 100 percent of Intel products launched in the past five years that require protection against the side-channel method vulnerabilities discovered by Google," said Intel CEO Brian Krzanich in a written statement Thursday.
The declaration would bring to a close a promise Krzanich made in a keynote at CES in the second week of January just after news broke that Intel and its OEM and software partners were working feverishly to fix the flaws, which represented a serious theoretical threat but did not seem to have been exploited in the wild.
At the time, Krzanich said Intel expected to issue fixes for 90 percent of its processors within a week and fixes for all of them by the end of January. However, complications arose involving bricked systems, server performance issues and reboot problems.
While Intel is done working on the microcode, that doesn't necessarily mean all systems can be patched yet. Because customers get the fixes through their OEMs rather than from Intel, it could still take time for some of Intel's OEMs to test and approve the patches on their supported systems.
At the same time, Intel redesigned forthcoming processors shipping later this year to address two of the three variants of the Spectre/Meltdown family identified by Google Project Zero's reporting.
"While Variant 1 will continue to be addressed via software mitigations, we are making changes to our hardware design to further address the other two. We have redesigned parts of the processor to introduce new levels of protection through partitioning that will protect against both Variants 2 and 3," Krzanich said Thursday. "These changes will begin with our next-generation Intel Xeon Scalable processors (code-named Cascade Lake) as well as 8th Generation Intel Core processors expected to ship in the second half of 2018."
Posted by Scott Bekker on March 15, 2018 at 1:54 PM
Security researchers have discovered a logical flaw in the Credential Security Support Provider (CredSSP) protocol that affects all supported versions of Windows.
Preempt Security reported the flaw to Microsoft last August. Microsoft released a fix for it this week as part of its monthly Patch Tuesday release.
The flaw, CVE-2018-0886, was rated "important" by Microsoft, which is a middling severity designation in Microsoft's scale, largely because the new flaw is not an initial infection vector.
Instead, an attacker needs to already be inside the network and set up a man-in-the-middle (MITM) attack via methods that could include ARP Poisoning or even the new WPA2 vulnerability known as KRACK.
CredSSP is designed to securely forward a user's full credentials to a target server. The flaw relies in part on the fact that the client trusts the public key provided by the server. In the case of an RDP connection, an attacker would intercept the initial connection request from the client and return a malicious command to the client, which assumes the command is actually a valid public key from the server and signs it. That signed version is passed by the MITM back to the server, which executes the malicious code -- now signed by the client -- on the server.
Preempt positions the flaw as a technique for lateral movement and privilege escalation. One of the most severe scenarios would be if the attacker intercepts an attempt by an administrator to remotely log on to a domain controller.
"This vulnerability is a big deal, and while no attacks have been detected in the wild, there are a few real-world situations where attacks can occur," said Roman Blachman, Preempt CTO and co-founder, in a statement. Preempt also posted a video showing how the attack works and a technical blog post. "Ensuring that your workstations are patched is the logical, first step to preventing this threat. It's important for organizations to use real-time threat response solutions to mitigate these types of threats," Blachman said.
Dustin Childs of the Zero Day Initiative at Trend Micro described CredSSP as "fascinating" in his analysis of Microsoft's Patch Tuesday release, which included 14 updates resolving 78 unique vulnerabilities. "This patch corrects a truly fascinating bug," Childs wrote of the CredSSP flaw. "It's important to understand this is not a constrained delegation. CredSSP passes the user's full credentials to the server without any constraint. That's a key to how an attacker would exploit the bug."
Childs also warned that applying the patch isn't enough to be fully protected. "Sysadmins must also enable Group Policy settings on their systems and update their Remote Desktop clients. While these settings are disabled by default, Microsoft does provide instructions to enable them. Of course, another alternative is to completely disable RDP, but since many enterprises rely on this service, that may not be a practical solution," he wrote.
Microsoft also released a support document that describes the steps required to update Group Policy or Registry settings to protect against the flaw. In a related step, Microsoft plans to update the Remote Desktop Client next month to provide more detail in error messages when an updated client fails to connect to a server that has not been updated.
A team from Preempt will give a presentation on the vulnerability at Black Hat 2018 Asia next week.
Posted by Scott Bekker on March 14, 2018 at 10:39 AM
Microsoft marked the one-year anniversary of its Teams enterprise chat hub by unveiling new features coming to the service this year, including Cortana integration and a new capability called "Direct Routing."
Originally positioned as Microsoft's answer to Slack, Teams first launched last March as a component of Office 365, which quickly exposed the new platform to the cloud productivity suite's broad base of 120 million users. Microsoft did not provide an update on Monday for how many users Teams has, but the company did report that 200,000 organizations are now using Teams. More recently, Microsoft disclosed that Teams will merge over time with Skype for Business.
After a rough start to 2018 within Microsoft and across the industry, Microsoft's digital voice assistant Cortana will get some attention from Teams engineers at Microsoft. Microsoft plans to add voice integrations within Teams that will allow users to speak with natural language to make a call, join a meeting or add other people to a meeting. The functionality is planned at first for IP phones and conference room devices.
In addition to Cortana integration, other features coming this year include background blur on video, inline message translation, proximity detection for Teams Meetings and mobile sharing in meetings.
The background blur will be an appealing feature for anyone calling into a meeting when they've got an unprofessional scene behind them or a background that they'd otherwise like to keep meeting participants from seeing. Blurring is one approach to the issue. Another approach, from Zoom Video Communications, is a Virtual Background for videoconferencing that allows users to select and display an image, such as a cityscape, behind them during a meeting.
Inline message translation presumably will leverage translation and transcription services in Azure to make posts readable to participants who speak different languages in chats and in channels, which is the Teams term for topic-based discussions among members of a team. With users in 181 Microsoft-defined markets around the world, the translation feature could get heavy use.
The proximity detection feature is designed to help users find and add a Skype Room System. A more universally useful feature will be mobile sharing, which will let attendees share live video streams, photos or their mobile screen.
Microsoft also disclosed a new enterprise calling feature to be available by the end of June called Direct Routing. While the specifics are complicated and have a lot of dependencies on both Microsoft products and third-party infrastructure, Direct Routing will be a way for customers to use existing telephony infrastructure with Teams for calling. In that sense, Direct Routing joins Microsoft Calling Plans as ways for customers to enable calling from Teams. More detail on Direct Routing is available here.
On the anniversary, Microsoft also highlighted some previously disclosed elements of the Teams roadmap. One is cloud recording, a one-click meeting recording option that will automatically transcribe and timecode a meeting. Features include the ability to read captions, search the conversation and play back the meeting. Later, Microsoft plans to add facial recognition to automate attribution of comments to specific attendees. Parts of the calling roadmap that Microsoft highlighted again on Monday included consultative transfer and call delegation.
Although they weren't reinforced on Monday, Microsoft has previously discussed a number of features coming by the end of June. For meetings, those features include broadcast meetings, federated meetings, large meeting support for about 250 participants, a lobby for PSTN callers, Outlook meeting schedules from other platforms, PowerPoint loading and sharing, whiteboard and meeting notes, user-level meeting policies for IT professionals, and e-discovery enhancements.
On the calling side, Microsoft has publicly talked about 2018 availability for call support between Teams and Skype Consumer, distinctive rings, call queues, "do not disturb" breakthrough, forwarding to group, call parking and group call pickup. (For more background on Teams-Skype integration, listen to the Redmond Tech Advisor webcast with Office 365 and SharePoint MVP Christian Buckley from December.)
Posted by Scott Bekker on March 12, 2018 at 1:04 PM
Kali Linux hit the Microsoft App Store this week. It's very nearly been reduced to a one-click install for Windows 10 users, and has clear appeal for experienced users.
But if you're thinking of trying out the infamous and powerful penetration testing Linux distribution for the first time now that it's a free and easy install on Windows, there may be a better way.
Tara Raj, a program manager at Microsoft who works with the Windows Subsystem for Linux (WSL), announced availability of Kali Linux in the Microsoft Store in a blog post on Monday. "We are happy to officially introduce Kali Linux on WSL," Raj wrote. She noted "great interest" in Kali among the WSL community after Offensive Security, the security and training company that maintains Kali Linux, posted a tutorial in January for getting the OS running in WSL.
The app-ified experience within the Microsoft Store simplifies and speeds up the installation process, but, somewhat paradoxically, Kali within the WSL is a far less intuitive experience for a Windows user than running the pentesting distribution on a dedicated system, on a Live USB stick, or in a virtual machine.
Downloading Kali from the Microsoft Store is relatively quick. Users who haven't tried the Linux subsystem need to enable WSL first. It's a relatively quick process involving running PowerShell as an admin, pasting in one line of code and restarting the system. (Click here to watch Offensive Security's video setup walkthrough, which includes enabling WSL.)
Next, navigate to the Microsoft Store, search for Kali Linux and press the "Get" button. A short 134MB download later brings a prompt to "Launch" Kali or to "Pin to Start".
Once Kali is launched for the first time, the Microsoft Store process takes care of several steps on the user's behalf. Compared to Offensive Security's January tutorial video for running Kali on WSL, downloading Kali Linux from the Microsoft Store seems like it cuts out about half of the previously required commands.
In as little as a few seconds, a command window opens, the installation finishes, and the user gets a prompt to create a regular user account and enter a password.
This is the spot where Kali Linux on WSL is less intuitive for a Windows native than actually running Kali in a full-on Linux environment would be, for several reasons.
First, once Kali Linux is installed on Windows, you're looking at a blinking command-line cursor. This is an unforgiving command-line environment where you need to have a rock-solid understanding of Linux commands and Linux file structures in order to do anything.
By comparison, Kali in its native Linux environment actually boots into an attractive GUI. Power users may want to operate primarily in the terminal, but beginners can point and click, navigate files and folders graphically, and explore the interface.
The next way the WSL version is limiting for new users is spelled out in the Microsoft Store description: "This image contains a bare-bones Kali Linux installation with no penetration testing tools -- you will need to install them yourself." Users must know what penetration testing tools to look for, where to find them, and how to download and install them.
The default Kali Linux installation, on the other hand, is an inviting interface that encourages exploration. Dozens of attack tools are preloaded and organized logically by function. A user can drag down the Applications menu in the upper-left and browse tools for Information Gathering, Vulnerability Analysis, Password Attacks, Wireless Attacks, Exploitation Tools, Social Engineering Tools and others.
One other caveat in the WSL version mentioned in the Microsoft Store description: "Some tools may trigger antivirus warnings when installed, please plan ahead accordingly." For example, the endpoint protection software on my system was not a fan of several files that Kali WSL tried to download while installing Metasploit, such as Trojan.Gen.2, OSX.Trojan.Gen, Meterpreter or Hacktool, among others. They all got quarantined and, I suspect, prevented Metasploit from launching properly.
For users with intermediate-level Linux skills and strong familiarity with the capabilities of various penetration testing tools in Kali Linux and how to load those tools, this app is a great addition to the Windows Store. It has simplified installation and has brought Kali Linux squarely into the everyday Windows desktop. If you know what you're doing and what you want to do, it can be handy to have that Kali terminal running right inside your Windows environment for easy access.
For those who haven't used Kali much or at all and are interested in learning what its frightening and impressive capabilities might reveal about the security of their corporate environments, the WSL version is less useful. In that case, it's still worth the trouble of jumping through the installation hoops to get a regular Kali environment running on a dedicated physical machine or virtual machine.
Posted by Scott Bekker on March 07, 2018 at 9:54 AM
The PC and smartphone markets stumbled in 2017 even while servers went on a tear, according to recent data from market researcher IDC.
With most of the publicly traded vendor companies having already released their quarterly financial reports (with all those reports' attendant clues), IDC released a slew of research this week recapping the fourth quarter.
Server market revenues jumped 26 percent year over year to $20.7 billion in the fourth quarter. IDC attributed the momentum to several factors, such as traction for the Purley-based offerings from Intel and the EPYC-based offerings from AMD. The overall server market showed some signs of life, as well, with server shipments increasing nearly 11 percent to 2.84 million units for the quarter.
Yet the factor propping up the server market overall remains the shift in computing from distributed at client sites to centralized at megavendor datacenters.
"Hyperscalers remained a central driver of volume demand in the fourth quarter with leaders such as Amazon, Facebook, and Google continuing their datacenter expansions and updates," said Sanjay Medvitz, senior research analyst for servers and storage at IDC, in a statement. "ODMs [original design manufacturers] continue to be the primary beneficiaries from hyperscale server demand. Some OEMs are also finding growth in this area, but the competitive dynamic of this market has also driven many OEMs such as HPE to focus on the enterprise."
By manufacturer, the HPE/New H3C Group joint venture was tied with Dell for the quarterly revenue lead, followed by IBM, Lenovo and Cisco. Taken as a group, ODM Direct vendors had a slightly bigger share of revenues than either of the leaders.
The picture for personal computing devices, which IDC defines as desktops, notebooks, slates and detachables, wasn't as positive. IDC is projecting that for the full year of 2017, shipments within the sector declined 2.7 percent. IDC published forecasts out through 2022, and expects compound annual growth for the entire sector to be a paltry 0.1 percent over the period. Short-term, IDC is looking for another drop in 2018 of a little more than 3 percent, with slight pickups thereafter due to corporate refresh cycles, and the ongoing popularity of detachables like the Microsoft Surface.
As for smartphones, IDC reports that 2017 marks the first year-over-year decline for the devices, which are now in a two-horse race between Android and iOS. The 1.46 billion devices that IDC estimates shipped in 2017 represented a half-a-percent drop in volume compared to 2016. Through 2022, IDC forecasts a compound annual growth rate of a little under 3 percent.
Posted by Scott Bekker on March 02, 2018 at 9:40 AM
The years-long tangle between Microsoft and U.S. regulators regarding the extent to which the tech giant can legally protect its customers' privacy against government data requests came to a head on Tuesday.
In a lively one-hour discussion, U.S. Supreme Court justices sparred with lawyers from Microsoft and the U.S. government, covering topics ranging from privacy rights to latency issues to robots conducting overseas seizures.
At the center of the debate was the question of whether a U.S. court can order a U.S.-based e-mail service provider to comply with a probable-cause-based warrant issued under the 1986 Stored Communications Act (SCA) by disclosing e-mails that the provider has stored abroad.
State of play leading up to the Supreme Court has Microsoft ahead and playing defense. The case started with a Drug Enforcement Agency investigation in 2013. Federal agents persuaded a magistrate judge in the Southern District of New York to issue a warrant for a suspect's e-mails. Microsoft fought the order on the grounds that the e-mails were stored at its datacenter in Ireland. A U.S. District Court rejected Microsoft's appeal, but the U.S. Court of Appeals for the 2nd District ruled in Microsoft's favor.
Discussion on Tuesday settled over and over on a few key topics: the many ways that the outdated SCA is woefully inadequate for the cloud era; whether the court should simply wait for pending congressional legislation to make the questions in the case moot; justices seeking clarification on what exactly happens in the United States and abroad when Microsoft or other service providers produce an e-mail record; domestic versus extraterritorial jurisdiction questions; and back-and-forth about the legal differences between warrants, subpoenas, orders, searches and disclosures.
What Microsoft wants is for the Supreme Court to leave the issue alone and to hope that Congress passes the CLOUD Act, introduced recently with bipartisan and tech industry support.
"There were conversations about where the Internet is headed," Microsoft lawyer E. Joshua Rosenkranz said Tuesday in his closing statement. "There [are] conversations about whether this will kill the tech sector, how much of an international consensus there is about the sovereignty of data. These are all questions that only Congress can answer. Meanwhile, this Court's job is to defer, to defer to Congress to take the path that is least likely to create international tensions. And if you try to tinker with this, without the tools that -- that only Congress has, you are as likely to break the cloud as you are to fix it." (Ed.'s note: All quotations in this article are taken from the 72-page official transcript posted on the Supreme Court's Web site.)
Arguing for the government, Michael R. Dreeben, deputy solicitor general for the U.S. Department of Justice, countered that the court should move before Congress to fix an unsettled legal environment.
Calling Microsoft's position "radical," Dreeben described the current situation as one where no U.S. court gets to try to balance U.S. law with other countries' relevant laws. "If the data is stored overseas, we're just out of luck. We can't even ask a court for an order that would require its production," Dreeben said.
"No other court that has issued a written opinion since Microsoft has agreed with the Second Circuit. And the Second Circuit's decision has caused grave and immediate harm to the government's ability to enforce federal criminal law," Dreeben argued.
He also urged the court not to wait for the CLOUD Act: "But as to the question about the CLOUD Act, as it's called, it has been introduced. It's not been marked up by any committee. It has not been voted on by any committee. And it certainly has not yet been enacted into law."
Predicting how justices will decide from the questions they ask in oral arguments is tricky, but there were some hints. Running through the justices in rough order from the liberal to the conservative end of the spectrum:
Justice Sonia Sotomayor asked Dreeben outright why the court shouldn't wait for Congress. "Why shouldn't we leave the status quo as it is and let Congress pass a bill in this new age?" Sotomayor also participated with several of the justices in lengthy exchanges to understand better how Microsoft would technically go about complying with an order to produce e-mails from a U.S. office that are stored in a datacenter in Ireland. At one point, Rosenkranz described the process as similar to dispatching a robot, saying, "If you sent a robot into a foreign land to seize evidence, it would certainly implicate foreign interests." Shortly after that description, Sotomayor joked, "I'm sorry...I guess my imagination is running wild."
Justice Ruth Bader Ginsburg offered similar thoughts on leaving action to Congress: "[In] 1986, no one ever heard of clouds. This kind of storage didn't exist. ... Wouldn't it be wiser just to say let's leave things as they are; if -- if Congress wants to regulate in this brave new world, it should do it?"
Justice Elena Kagan's questions were relatively technical, covering issues around whether judges could weigh other countries' laws in deciding on challenges to warrants, and discussing legislators' intent for specific provisions of the SCA.
Justice Stephen Breyer sought a short-circuit for the whole issue in trying to pin down whether Magistrate Court judges had authority to issue warrants for searches outside their geographic districts -- in this case, New York. "I suspect [that] it just can't be that easy, this case," Breyer said during a light moment in the arguments. Breyer also asked about the feasibility of a middle path involving reading the old statute to adapt to the current cloud environment.
Justice Anthony Kennedy wondered why the discussion about location wasn't broader. "Why should we have a binary choice between a focus on the location of the data and the location of the disclosure? Aren't there some other factors, where the owner of the e-mail lives or where the service provider has its headquarters?"
Justice Samuel Alito came down pretty heavily on the side of action -- the government's preferred position. "It would be good if Congress enacted legislation that modernized this, but in the interim, something has to be done," Alito said. Meanwhile, another question Alito asked established definitively that the nationality of the suspect in the case was not known, which may influence Kennedy's thinking based on his questions about locations. Alito also pressed Microsoft's Rosenkranz about what would happen in a case involving American citizens being investigated for crimes committed in the United States if their service providers store their e-mails outside the country.
Chief Justice John Roberts expressed deep reservations about service providers intentionally using the current legal standard to assist customers in avoiding U.S. investigators.
"There is nothing under your position that prevents Microsoft from storing United States communications, every one of them, either in Canada or Mexico or anywhere else, and then telling their customers: Don't worry if the government wants to get access to your communications; they won't be able to, unless they go through this MLAT [Mutual Legal Assistance Treaties] procedure, which is costly and time-consuming," he said. "Could you provide that service to your customers?"
In a give-and-take discussion, Rosenkranz assured Roberts that Microsoft's motives solely involved customer demands for minimizing latency, which he positioned as the sole reason for Microsoft's investment in half-billion-dollar datacenters all around the world. Roberts did not sound convinced: "Well, but you might gain customers if you can assure them, no matter what happens, the government won't be able to get access to their e-mails."
Justice Neil Gorsuch also seemed to stick to technical questions on subjects like the chain of activity in complying with a court order and the differences between subpoenas and warrants. At one point, Justice Breyer seemed to indicate to Dreeben that Gorsuch and others were "with you on this" but it was unclear exactly what Breyer was talking about.
Justice Clarence Thomas provided no clues as to his thinking during the oral arguments. He upheld his standard practice of asking no questions.
So the quick scorecard from this close read of the transcript is Sotomayor and Ginsburg leaning toward waiting for Congress, Alito and Roberts inclined to act, and the other five justices on the fence. Stay tuned for the decision in June.
Posted by Scott Bekker on February 28, 2018 at 9:09 AM
Expect to hear a lot about artificial intelligence (AI) at Microsoft Inspire, the company's annual July partner confab being held this year in Las Vegas.
Gavriella Schuster, corporate vice president for Microsoft One Commercial Partner (OCP), talked about Inspire in an interview posted this week on Vince Menzione's "Ultimate Guide to Partnering" webcast.
"The hottest topic at Inspire is probably going to be all about our data service and how to unlock that through artificial intelligence. That is clearly what all of our partners want to learn more about. It's what all of our customer engagements are about and every single one of our partners is building some sort of a data service, AI service, into their applications of the service that they deliver. That will be the theme of the whole event," Schuster told Menzione.
Schuster and her team at Microsoft made clear earlier this year that AI would be a major area of emphasis for partners in calendar year 2018.
On Jan. 24, Microsoft launched an AI Practice Development Playbook for partners. Based on detailed input from a dozen early-adopter partners and a survey of another 550 partners, the 144-page playbook goes through the basics of defining strategy, building a team, operationalizing a practice, going to market and closing deals.
Microsoft's intention with the playbook is to give its sizable partner base clear guidance on starting up AI practices, which would help Microsoft grab AI mindshare in what IDC calls a "Battle of AI Platforms" between Amazon, Google, IBM and Microsoft.
"Partners can build a roadmap that helps customers layer in sophisticated AI capabilities with minimal training," wrote Melissa Mulholland, cloud profitability lead for Microsoft, in the blog post introducing the playbook. The end game, she suggested, was for partners to "use AI technologies pragmatically to differentiate their current services, so they can re-engage customers with enhanced end-to-end systems that learn from data to deliver new insights and efficiencies."
In Schuster's interview this week, she suggested that, in keeping with the main idea of Inspire as a conference, hearing about AI successes and best practices would get partners thinking. "The more you hear about what partners are doing today and about what customers are doing, the more it sparks your imagination of what's possible and how to bring these different elements of the technology together," she said.
According to IDC analyst Steve White, that's probably the appropriate messaging for the current state of the AI opportunity. "AI is currently what cloud was a number of years ago," White said in an interview. "It's really, really interesting. It's going to be big in the future. Customers are going to be interested, but we haven't turned the corner yet on it. If you are an analytics partner, it should be an easy add. Those playbooks that Microsoft built are detailed. If you want to make that dive into it, they're a great place to start."
Posted by Scott Bekker on February 28, 2018 at 9:46 AM
A discrete cyber-espionage group operating on behalf of North Korea is responsible for a years-long series of cyberattacks, security researchers at FireEye said this week.
FireEye dubbed the group APT37 in its report, "APT37 (Reaper): The Overlooked North Korean Actor." The report connects APT37 to other attacks dating back to 2014, including the recent zero-day vulnerability CVE-2018-4878 that was disclosed on Feb. 1. Successful exploitation of that Adobe Flash Player vulnerability could allow an attacker to take control of an affected system.
FireEye's report ties that vulnerability to activities reported by other researchers, including Kaspersky Lab, which identified a group of attackers as ScarCruft, and Cisco's Talos unit, which identified the activities of a Group 123. The FireEye report goes further in pinpointing the group's origin as North Korea.
"We assess with high confidence that this activity is carried out on behalf of the North Korean government given malware development artifacts and targeting that aligns with North Korean state interests," FireEye wrote in the introduction to the report.
"We judge that APT37's primary mission is covert intelligence gathering in support of North Korea's strategic military, political and economic interests. This is based on consistent targeting of South Korean public and private entities and social engineering. APT37's recently expanded targeting scope also appears to have direct relevance to North Korea's strategic interests."
What's interesting about the report is that FireEye views APT37 as separate from the internationally isolated country's main suspected cyber-espionage and operations unit, which researchers call Lazarus. According to FireEye, the capabilities of APT37 are increasing, the unit's international scope of operations is expanding, and the group is likely to become another tool in North Korea's global cyber-operations arsenal.
Posted by Scott Bekker on February 21, 2018 at 11:57 AM