[HN Gopher] On Microsoft, the U.S. Government Must Embrace the S...
___________________________________________________________________
On Microsoft, the U.S. Government Must Embrace the Stick
Author : everybodyknows
Score : 59 points
Date : 2024-03-23 17:43 UTC (5 hours ago)
(HTM) web link (www.lawfaremedia.org)
| darby_eight wrote:
| > Good security happens when the incentives are right.
|
| Has this ever happened before? I can't name a single major
| company on earth that takes customer security seriously except
| through farcical characterization of the concept. It's just too
| much of an impediment to profitable business to be incentivized
| in any serious sense. Even the concept of "security" without
| parameterization of a threat model seems to make a joke of the
| concept.
|
| I'm not claiming that free software offers security that's better
| per threat model, but they at least allow customization of the
| threat model itself. Without this being up for discussion such a
| claim to discuss security in general is extremely difficult to
| take seriously.
|
| The Google threat model openly lauded in the article seemingly
| doesn't take state actors as a serious threat model, for
| instance. They'll just hand your data over to the state that asks
| for it because they want the business that happens under that
| state.
| mupuff1234 wrote:
| > The Google threat model openly lauded in the article
| seemingly doesn't take state actors as a serious threat model
|
| The article specifically mentioned the Google threat model was
| a result of a state actor threat ("Operation Aurora").
| kelnos wrote:
| > _They'll just hand your data over to the state that asks for
| it because they want the business that happens under that
| state._
|
| In addition to what the sibling poster pointed out about
| Aurora, even Google is starting to wise up about the
| undesirability of holding so much customer data (for Google,
| more from a government subpoena standpoint than from a
| security-from-hackers standpoint), with the recent changes to
| how their location tracking / Timeline feature works.
| gwd wrote:
| > There are simply no viable alternatives to something like
| Excel, for a lot of organizations at least.
|
| Anyone want to educate me on this? Anything I want to do in a
| spreadsheet, I can do in Gnumeric, Libre Office, or even Numbers;
| anything more complicated I'd rather do in a proper programming
| language. What makes Excel really so indispensable?
| naasking wrote:
| Poor VBA support in those alternatives, which is used more than
| you think.
| RajT88 wrote:
| > What makes Excel really so indispensable?
|
| Not having to train all your accountants on something which is
| similar, but different enough they are less effective until
| they know it as well.
|
| The integration is another piece, as the article mentioned -
| the MS ecosystem makes making all documents cloud documents and
| sharable and collaborative within your enterprise a total snap.
|
| I'm not aware of actual core functional pieces of excel which
| matter to most users that you can't get elsewhere.
| Ekaros wrote:
| Also, that it has nearly everything anyone could need in a
| single product. Maybe outside some very specialised analysts.
| So one tool works for most people.
|
| And then there is interoperability, everyone is using it and
| everyone accepts it as document format.
| dataking wrote:
| > the MS ecosystem makes making all documents cloud documents
| and sharable and collaborative within your enterprise a total
| snap.
|
| Same for Google Sheets, they're fairly interoperable with the
| MS formats too.
| delusional wrote:
| The most valuable feature of excel is that it's available.
| Office is assumed to be installed in most large enterprises. In
| organizations that otherwise love long linear processes with
| many gates, excel is the closest thing many employees get to
| programming without having to constantly justify their use
| case.
| matwood wrote:
| Those other tools have gotten much better over the years, but
| for power users Excel probably still has functionality the
| others do not.
| MadnessASAP wrote:
| How quickly can you connect to just about any arbitrary data
| source, pull a whole pile of data. Do some analytics on it and
| form it into a few glossy 8.5x11 for the next quarterly review.
| You're looking at about 30-60 minutes for an experienced Excel
| user. How about making it update in near realtime and adding
| some interaction for manipulating the data?
|
| More importantly, can you teach an analyst of some sort, who
| while being a power user is not a programmer to do it just as
| efficiently?
|
| Doing math on a 2D grid of cells is the technology that Excel
| perfected in the 80s, the power of Excel is in the connectors,
| services, and interoperability that surround it. It's no small
| feat to have an application that can guide a beginner through
| grabbing 10k rows out of an Oracle database and putting it on a
| graph, while also having the power to allow experienced users
| the ability to join arbitrary sources and construct models around
| the results then present it in a logical fashion.
|
| I am very much not a fan of the current state of affairs, but
| unfortunately nothing does Office like Microsoft Office.
| yellow_postit wrote:
| Ecosystem, Developers, and entrenched education/skills win
| the day.
| robertlagrant wrote:
| This doesn't seem like anything that Microsoft is doing in a
| monopolistic way, though. I'm sure LibreOffice could do this
| if they wanted to. I'm sort of surprised they don't, given
| LibreOffice presumably has access to JDBC.
| kelnos wrote:
| > _This doesn't seem like anything that Microsoft is doing
| in a monopolistic way, though._
|
| That's the thing that I was wondering about here. I don't
| really know this space very well, and still have bad
| feelings toward Microsoft for their behavior in the 80s and
| 90s, but is MS actually abusing their monopoly position
| here? I guess the article hinted at a few things; e.g. if
| you are an Office365 customer you have to be an Azure
| customer, and can't run it on AWS or GCP. But I didn't see
| a compelling case for how MS is using its Excel (or Office
| as a whole) dominance to actually harm consumers or
| competitors. Excel's features aren't magic and AFAIK don't
| require backroom deals to enable. Anyone can implement
| them, given a lot of time and hard work.
|
| I think the main compelling part was that MS doesn't have
| an incentive to focus on security as much as they should,
| because people will keep using Office365 regardless, as
| there are no viable alternatives. But that doesn't seem
| like an anti-trust issue to me. That's fixable through
| legally-mandated fines for security incidents, fines that
| actually hurt MS significantly, not just token fines that
| are shrugged off as the cost of doing business. Make it
| significantly cheaper for MS to develop a better security
| posture, and they probably will do just that.
| WWLink wrote:
| If I had to point a finger at something I'd say it's
| probably how they bundle everything, market everything,
| have cultured decades of cult-like loyalty in business IT
| employees, and so on.
|
| That is, aside from the bundling I'm not sure MS has done
| anything particularly illegal or immoral? Just incredibly
| good business sense.
|
| And I say that as someone with a stubborn disdain for
| Microsoft lol.
| kbolino wrote:
| > Doing math on a 2D grid of cells is the technology that
| Excel perfected in the 80s
|
| Lotus 1-2-3 gets that specific credit, I think. But Excel is
| so much more than that (for good or ill).
| chuckadams wrote:
| Visicalc would have been the first. In the early years of
| the PC, Visicorp was bigger than Microsoft -- mostly from
| their sales on the Apple II. They never had much success on
| the PC platform, which is where Lotus ate their lunch.
| kbolino wrote:
| Yeah, "first on micros" definitely goes to VisiCalc. But
| "perfected in the 80s" I definitely think goes to Lotus.
| And while Microsoft was a contemporary developer of
| spreadsheet software, Excel didn't become dominant until
| the 90s.
| mistrial9 wrote:
| "Microsoft released the first version of Excel for the
| Macintosh on September 30, 1985, and the first Windows
| version was 2.05 (to synchronize with the Macintosh version
| 2.2) on November 19, 1987"
| eastbound wrote:
| I'm sorry, did Microsoft really design Excel for the Mac
| first?
| seabass-labrax wrote:
| It is indeed true. Windows had only just been released at
| this point, and was still limited by running MS-DOS in
| something of a pseudo-multitasking mode. The Macintosh
| platform, however, was slightly more mature, having
| already been publicly available for a little over a year.
|
| The majority of Microsoft's software was being written to
| target non-Microsoft platforms at this point, which
| started to change with their increasingly
| anti-competitive marketing techniques (such as the so-called
| 'AARD code'[1] in 1991).
|
| [1]: https://en.wikipedia.org/wiki/AARD_code
| mulmen wrote:
| Yes. Excel for Mac was actually released before Windows.
|
| https://en.m.wikipedia.org/wiki/Microsoft_Windows
|
| https://en.m.wikipedia.org/wiki/Microsoft_Excel
| jonathankoren wrote:
| > the power of Excel is in the connectors, services, and
| interoperability that surround it.
|
| Hell, Excel still has the absolute best text/csv import of
| any spreadsheet I've used.
|
| Fixed versus delimited columns. Arbitrary delimiters. And
| best of all, split existing column on delimiter to create
| multiple columns.
|
| None of these are that fancy of functions. And there's no
| reason why every other spreadsheet couldn't implement them.
| But they don't.
|
| Maybe because it's not sexy. Maybe because of bias against
| spreadsheets. I don't know. I just wish Excel competitors
| would add them.
| npunt wrote:
| It's amazing how many products have little moats like this.
| Things that are days to at most weeks away from adding to
| any product, but that no other product seems to care enough
| about to build.
| a1o wrote:
| The csv importer of Libre Office is fine. Excel gets the
| staying power because it's already in the contracts for all
| things Microsoft. I think Teams is the new powerhouse that
| makes the office suite indispensable in large offices.
|
| At home environment Google Sheets works just fine.
| okanat wrote:
| > anything more complicated I'd rather do in a proper
| programming language.
|
| Yes you can. Most people cannot or don't want to. Programming
| is just a skill used to reach an end and if your job
| description doesn't require it, you skip it.
|
| Excel democratizes the data analysis better than any open
| source alternatives and programming languages. It is easier to
| use and relatively less buggy than all of the open source and
| proprietary alternatives. When one really needs programming,
| VBA is there and it provides a much shallower learning curve
| for the curious.
|
| From a corporate point of view MS Office has unmatched
| integration with Windows, Active Directory, Sharepoint,
| SQLServer and many other programs. A huge amount of financial,
| management and engineering software tightly integrates with
| Microsoft software to provide functionality like automatic BOM
| dumps to Excel and then integrating that with manufacturing,
| currency conversion. The developers of such software are pretty
| content with it, especially due to long-term backwards
| compatibility MS provides for their APIs for all their
| products.
| mopsi wrote:
| Excel is ahead of LibreOffice and others by laps. Just take a
| *.csv file and try importing it into LibreOffice and into Excel
| (with Power Query) and see how many additional processing
| options you are offered to format, interpret and transform the
| data. Next to Excel, CSV importing in LibreOffice is very
| barebones and not much better than a primitive example found in
| a programming tutorial.
|
| Screenshots tell the difference rather nicely:
|
| https://ift.wiki.uib.no/images/7/71/Csv_import_libreoffice.p...
| (LibreOffice)
|
| https://learn.microsoft.com/en-us/power-query/media/power-qu...
| (Excel)
|
| And even there, Excel tucks away a ton of functionality behind
| tabs and submenus:
| https://learn.microsoft.com/en-us/power-query/power-query-ui
|
| Most people who say that Google Docs or other alternatives are
| good enough, or that they can program what they need in Python,
| barely scratch the surface of what Excel offers out of the box
| with little effort once you've mastered its concepts and
| workflows. It's like doing version management with
| "final_report_draft_v2_final (copy 2).txt". Might work for most
| people, but git offers so much more for those who know how to
| use it. Excel is the git of the business world.
| kbolino wrote:
| It has been a few years, but the last time I tried importing
| CSVs into both programs, LibreOffice had a much lower chance
| of mangling the data. Excel loves to be "helpful" which often
| resulted in turning lots of things that aren't dates into
| dates.
| Qem wrote:
| Same experience. If your main language has a decimal comma
| instead of decimal point, and your CSVs must use alternative
| delimiters, in my experience LibreOffice CSV importer is
| better.
| kelnos wrote:
| > _anything more complicated I'd rather do in a proper
| programming language_
|
| First you need to understand that this is a minority position.
| Despite the last decade or so of "software eating the world",
| most line-of-business type people are not programmers, and
| couldn't write a python script if their life depended on it. I
| don't say this to criticize; I couldn't put together a
| corporate financial statement if my life depended on it either.
| Not everyone has the professional time (or desire) to learn to
| program.
|
| But if you have this tool, Excel, that is critical to your job
| in many non-programming-y ways, but can manipulate data in ways
| that programmers would usually use code to accomplish, well...
| that's great, you use it, and are able to do your job better
| and more efficiently. And it flows naturally from the skills
| that you already have.
| polyomino wrote:
| You could totally put together a corporate financial
| statement if your life depended on it.
| jvanderbot wrote:
| This is true, but doesn't answer the question of why not use
| another spreadsheet program? It's a minor learning curve to
| move to Google's offering, and while it may not be as useful,
| "less useful alternatives exist" is not a viable monopoly
| case, is it?
| vundercind wrote:
| There are entire multi-step multi-document workflows _all
| over_ the corporate world, which are built on excel. You
| can't just drop Gnumeric in and keep going. The investment
| in it is incredibly large and the cost of switching to
| another system far too high to be feasible--and if any one
| company does it they'll _still need excel_ because it's how
| they interface with the rest of the world.
| jrm4 wrote:
| Who said "Hell is other people?"
|
| Anyways, that's your answer. I'm guessing you, like me, pretty
| much never have _personal_ problems with your own data and
| stuff that only you work on; you keep backups and such and know
| about cross-platform things and so on.
|
| We're the extreme minority. Most folks rely on what was sold to
| them, idea-wise or other. Since I've been doing more
| independent real-life IT work along with my IT teaching, I've
| learned to be less judgey -- and even though I know the tech
| up-and-down, I've learned it's infinitely harder to get a
| significant number of people to see things the way people like
| you and me do.
| euroclear wrote:
| Addons are one part of it. At my current job at a financial
| services company, there are plugins to access the firm's
| internal analytics library, the risk system, as well as to
| integrate with the front end trading systems and external
| vendors such as Bloomberg.
| zer00eyz wrote:
| >> Anything I want to do in a spreadsheet, I can do in
| Gnumeric, Libre Office, or even Numbers; anything more
| complicated I'd rather do in a proper programming language.
| What makes Excel really so indispensable?
|
| Are you a vim user? Great, I want you to do that in emacs, or an
| IDE, or VS Code or...
|
| You are looking at the problem at the wrong level. Excel is an
| IDE with a built in programming language for array/set based
| processing (it's a matrix but hard to work with in that frame).
| Even if it looks 90% the same that last 10 is a huge change for
| power users of the system. Those power users (10x accountants
| and analysts) are going to fight you. The organization is going
| to fire you when you kill their productivity.
| GiorgioG wrote:
| Have you never worked for a big company? Business people use
| Excel - that's it. Nobody cares what you (surely a developer of
| some sort) would rather use. There's just no way around it. I once
| worked for a health insurance company whose claims processing
| system was fed by...Excel spreadsheets for all of their offered
| plans. To be fair, it was nuts - but it worked for a very long
| time (to the tune of processing billions of dollars of claims
| per year.)
| giancarlostoro wrote:
| Heck, we saw a Show HN of a direct excel competitor for much
| larger spreadsheets that churns through them like it's nothing,
| made by former Amazon S3 engineers:
|
| https://news.ycombinator.com/item?id=39551064
| donmcronald wrote:
| The first thing I do for anything like that is click the
| pricing tab. Then I see subscription only options, close the
| tab, and never think about it again.
|
| Maybe I'll go for it in 10 years once MS forces Excel to
| subscription only licenses and all the current perpetual
| options are EoL, but until then I'd rather own my data and
| tools.
| lcvw wrote:
| Isn't excel subscription only now?
| thunfisch wrote:
| Did I read this wrong, or is the article essentially "Microsoft
| screws up security over and over again. Let's throw humans in
| Russia that are exposing these vulnerabilities under the bus of a
| dictatorship and possibly get them killed in a war. Instead of
| forcing the gigantic corporation to not screw up security over
| and over again and finally clean their house"?
|
| Wow.
| hyperpape wrote:
| I agree with your top level point, but I find your phrasing
| absurd.
|
| The "humans who are exposing those vulnerabilities" are doing
| it to profit by committing extremely disruptive attacks on
| random businesses, hospitals, and important infrastructure.
|
| I don't support literally getting them killed, but they're not
| innocent hackers driven by curiosity the way your comment makes
| it sound.
| tw04 wrote:
| > Let's throw humans in Russia that are exposing these
| vulnerabilities under the bus of a dictatorship and possibly
| get them killed in a war.
|
| Am I reading this right that you're more concerned with Russian
| assets that hack US companies for both financial gain and
| political leverage, than the US citizens whose lives are put at
| risk? What exactly do you think happens when a ransomware gang
| locks down a hospital?
| thunfisch wrote:
| I'm concerned with suggesting that it's enough to fight one
| group of adversaries, which will then be replaced with
| another group, and another, instead of actually fixing the
| underlying issue. Suggesting threat of life to those people
| (which is a very real thing for Russians now) is no better
| than what happens when a ransomware gang locks down a
| hospital. That would be fighting fire with fire.
| dralley wrote:
| Why not both?
| MattGaiser wrote:
| > exposing these vulnerabilities
|
| For profit. These people are criminals who are stealing from
| American companies.
| wolverine876 wrote:
| > That describes Google's experience. After the Operation Aurora
| attacks in 2009, Google went about designing and implementing a
| completely different, secure IT model that still powers the
| company today.
|
| > But what are the incentives guiding Microsoft toward, in the
| words of public relations weasels the world over, "taking your
| security very seriously"?
|
| Seven years before that, in 2002, Bill Gates, then CEO, sent an
| immediately famous email to all of Microsoft:
|
| https://www.wired.com/2002/01/bill-gates-trustworthy-computi...
|
| _Over the last year it has become clear that ensuring .NET is a
| platform for Trustworthy Computing is more important than any
| other part of our work. If we don't do this, people simply won't
| be willing -- or able -- to take advantage of all the other great
| work we do. Trustworthy Computing is the highest priority for all
| the work we are doing. We must lead the industry to a whole new
| level of Trustworthiness in computing._
|
| It gets stronger and better from there. I don't love Microsoft,
| but the OP's history is wrong.
| politelemon wrote:
| I find this author's opinions written in bad faith and outright
| ignorance -- if it's deliberate ignorance, that's even worse.
|
| > there aren't many incentives in this scenario for Microsoft to
| really improve the security
|
| This is wrong, the incentives already exist through financial and
| legal means, and anyone who works in an enterprise with their
| sprawling estate can tell you that they are constantly working on
| security controls and tooling. The key thing to remember is the
| _sprawling estate_, more surfaces means more attack vectors, and
| patches. I hope a cybersecurity professional isn't equating more
| mitigations with a poor security posture. It's when things are
| silent that you ought to be terrified.
|
| > The FBI and the U.K.'s National Crime Agency, for example, have
| done a tremendous job of gaining access to things like the Tor
| hidden services that underpin attacker infrastructure, collecting
| evidence from them, and then shutting them down.
|
| > when Western authorities started "disrupting" ransomware crews
|
| Conveniently ignores that a lot of them work directly with MS to
| take down botnets and ransomware threat actors. No mention
| whatsoever of MS' role in this.
|
| I struggled to take any of this seriously, especially when it
| came to the pretentious I-am-very-smarter-than-you attitude.
|
| > as I looked around the room I couldn't help wonder if the way
| to really deal with this problem would be found in a different
| venue ... perhaps at a capture-the-flag hacking contest being
| held in a dimly lit casino ballroom in Las Vegas.
___________________________________________________________________
(page generated 2024-03-23 23:00 UTC)