News: 1724883612

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Microsoft hosts a security summit but no press, public allowed

(2024/08/29)


op-ed Microsoft will host a security summit next month with CrowdStrike and other "key" endpoint security partners joining the fun — and during which the CrowdStrike-induced outage that borked millions of Windows machines will undoubtedly be a top-line agenda item.

We won't know for sure, however, because the summit will be held behind closed doors. It won't be live-streamed, and Redmond has said members of the press aren't welcome.

"This event will not be open to press, and the company has nothing else to share at this time," a Microsoft spokesperson told The Register .

[1]

In announcing the September 10 Windows Endpoint Security Ecosystem Summit to take place at its Redmond, Washington headquarters, Microsoft Corporate VP Aidan Marcuss [2]said participants will discuss steps that vendors can take to "improve security and resiliency for our joint customers."

[3]

[4]

Marcuss cited the [5]July CrowdStrike fiasco and the "important lessons" learned from that disaster. "Our discussions will focus on improving security and safe deployment practices, designing systems for resiliency and working together as a thriving community of partners to best serve customers now, and in the future."

While he didn't specify what these measures might involve, we'd bet that [6]booting security vendors off of the Windows kernel is one of them, and it's likely to be met with a great deal of pushback from providers.

[7]

In addition to its fellow software manufacturers, Microsoft will also "invite government representatives to ensure the highest level of transparency to the community's collaboration to deliver more secure and reliable technology for all."

US Senator Ron Wyden (D-OR), who has been very [8]critical of Microsoft's shoddy security performance while raking in [9]billions of dollars in government contracts, didn't get an invite, we're told.

So…some friendly government officials and security vendors but no press or members of the public ensure "the highest level of transparency" in Microsoft's book?

[10]

We shouldn't be surprised. Redmond follows a very specific playbook following all of its security snafus. Transparency about what happened, along with concrete measures to actually fix the problem, isn't part of it.

[11]Post-CrowdStrike, Microsoft to discourage use of kernel drivers by security tools

[12]Microsoft answered Congress' questions on security. Now the White House needs to act

[13]US government excoriates Microsoft for 'avoidable errors' but keeps paying for its products

[14]Microsoft security tools questioned for treating employees as threats

Granted, this latest fiasco is a CrowdStrike — not Microsoft — blunder. But the Windows giant is facing mounting criticism of its own security practices following [15]years of breaches by [16]Chinese and [17]Russian nation-state hackers and teenage [18]Lapsus$ hoodlums alike.

Earlier this summer, [19]Microsoft president Brad Smith testified before Congress about his company's repeated security failings. This was in response to a Homeland Security report blasting the IT giant for allowing Beijing-backed cyberspies to [20]steal tens of thousands of sensitive emails from the Microsoft-hosted Exchange Online inboxes of high-ranking US government officials.

In most of these major mishaps, Microsoft rolls out a shiny new security initiative such as its [21]Secure Future Initiative after the most recent Cozy Bear attack.

With this, and all of its carefully cultivated wordy efforts, Redmond [22]promises transparency and accountability . But at the same time, it pushes back against things like minimum cybersecurity standards for government technology vendors, as Wyden has previously suggested, and independent audits, which also go a long way in trying to prove transparency and openness.

So do open summits, like the one happening next month. Instead of talking about transparent — or security, for that matter — simply doing it would be a welcome change. ®

Get our [23]Tech Resources



[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zs-yZ1kz04-aS1Sgk6yccAAAAIc&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[2] https://blogs.windows.com/windowsexperience/2024/08/23/microsoft-to-host-windows-endpoint-security-ecosystem-summit-in-september/

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zs-yZ1kz04-aS1Sgk6yccAAAAIc&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zs-yZ1kz04-aS1Sgk6yccAAAAIc&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://www.theregister.com/2024/07/25/crowdstrike_timeline/

[6] https://www.theregister.com/2024/07/29/microsoft_crowdstrike_kernel_mode/

[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zs-yZ1kz04-aS1Sgk6yccAAAAIc&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[8] https://www.theregister.com/2024/01/24/microsoft_latest_breach_cozy_bear/

[9] https://www.theregister.com/2024/06/04/pentagon_doubling_down_on_microsoft/

[10] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zs-yZ1kz04-aS1Sgk6yccAAAAIc&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[11] https://www.theregister.com/2024/07/29/microsoft_crowdstrike_kernel_mode/

[12] https://www.theregister.com/2024/06/15/microsoft_brad_smith_congress/

[13] https://www.theregister.com/2024/04/05/microsoft_government_contracts/

[14] https://www.theregister.com/2024/08/27/microsoft_workplace_surveillance/

[15] https://www.theregister.com/2024/04/05/microsoft_government_contracts/

[16] https://www.theregister.com/2023/09/06/microsoft_stolen_key_analysis/

[17] https://www.theregister.com/2024/03/08/microsoft_confirms_russian_spies_stole/

[18] https://www.theregister.com/2022/03/21/microsoft_lapsus_breach_probe/

[19] https://www.theregister.com/2024/06/15/microsoft_brad_smith_congress/

[20] https://www.theregister.com/2023/09/28/chinese_hackers_stole_60000_state/

[21] https://www.microsoft.com/en-us/security/blog/2023/11/02/announcing-microsoft-secure-future-initiative-to-advance-security-engineering/

[22] https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/SFI-updates-5-1-24.pdf

[23] https://whitepapers.theregister.com/



Having a private...

chuckufarley

...Party has got to be less expensive and less trouble than actually making their software secure. In the short term anyway. Sooner or later people will realize that having all of their eggs in Microsoft's basket is the best way to get screwed. Don't get me wrong. My windows install is there in lonely little VM. Once a month is boots up, installs updates, then shuts down again. It there just in case I need it. Otherwise I stick with my FLOSS software because at least I can trust it to get updates and be open with world about security.

Every vampire needs a CoPilot

Anonymous Coward

Pheeew! Glad I read the article and figured this is not about Dracula Nadela or Nosferatu Marcuss leading a closed-doors meeting of like-minded data blood-sucking enthusiasts to discuss new potions, curses, and hypnosis strategies to entrance the public into surrendering to them, more of its hard-earned individuality and related PI. Developing one's individual, distinctive, and remarkable personality, among a sea of competing others, takes massive building and maintenance efforts, and shouldn't just be given away, without a fight, cheaply, or even for free, really.

This here cybersecurity meeting on the other hand, with the likes of MS and CrowdStrike, that'll be more like Alcoholics Anonymous IMHO, with lots of shame to be shared but not judged, pledges to stick-to, or restart, the twelve steps, stuff that's best kept closed-doors. We've all been there ...

"Transparency"

David 132

" 'My motives, as ever, are entirely transparent.', said Lord Vetinari.

Hughnon Ridcully reflected that 'entirely transparent' meant either that you could see right through them, or that you couldn't see them at all .”

When a place gets crowded enough to require ID's, social collapse is not
far away. It is time to go elsewhere. The best thing about space travel
is that it made it possible to go elsewhere.
-- R. A. Heinlein, "Time Enough For Love"