
Geekwire Article: Microsoft unleashes ‘Death Star’ on SolarWinds hackers in extraordinary response to breach

In my latest posting on Geekwire, “Microsoft unleashes ‘Death Star’ on SolarWinds hackers in extraordinary response to breach”, I draw on my past experiences being on the teams running the biggest incidents at Microsoft. In this I give what I think is the fullest picture ever of what Microsoft has done in a major incident, in this case the ongoing SolarWinds incident.

Microsoft doesn’t do this for all incidents, but this isn’t the only incident where they’ve pulled out all the stops like this. Unfortunately no one outside of the teams has ever really understood how much they can do, and do, at times.

In that way, this article is dedicated to the literally hundreds if not thousands of people who have worked these incidents at Microsoft over the years, many of whom I had the true honor and pleasure of working with.

Update 12/28/2020: As a follow-up, I’m happy to say I’ve heard from several people that this has been making the rounds internally at Microsoft and has made people who otherwise haven’t gotten credit for their work feel they got some credit. That makes me very happy.

Also, I’m told that about two weeks after posting, this has racked up around 800,000 page views, making it one of the best-performing articles ever for Geekwire.

New Geekwire Article on Microsoft’s Pluton

I’m proud to say that I’ve got a new article up on Geekwire.com: With ‘Pluton’ chip, Microsoft shows strength, and proves Trustworthy Computing still matters.

This goes deeper into the story to explain why this announcement is more significant than it may seem and what it tells us about today’s Microsoft and the continuities you can still find with the Gates-era Microsoft.

“Hi, We’re from the Government, We’re Here to Help You”

Yesterday the President announced a new executive order “to promote information-sharing within the private sector and with the government” around cybersecurity (I HATE that term).

I work in the private sector he’s talking about and have for nearly 20 years now. And I’ve seen and been part of a lot of really important collaboration and information sharing between government agencies and the private sector.

So I generally think this sort of thing is a good thing. The bad guys of all stripes always benefit when dealing with divided defenders.

But I don’t think this can and will be as successful as it could be or needs to be.

Because the fact is that in the security and privacy community, there’s a lot of lingering suspicion and bad feeling around the activities that government agencies are alleged to have engaged in as a result of the Snowden disclosures.

Information sharing will only happen and so only works where there’s trust. And a lot of people I know in the security and privacy space lost a lot of trust in the US government in the wake of those claims.

And that trust hasn’t been rebuilt or regained at all because there still hasn’t been an upfront discussion about what is and isn’t going on. And in that vacuum, a lot of people are assuming the worst, rightly or wrongly.

I’ve taken a very moderate stance on this all myself. I’ve worked with some very good people with intelligence backgrounds, so I don’t fall into the facile “the NSA is evil” camp. But I also don’t fall into the other, “the NSA can do no wrong” camp either. My views are more nuanced, with an underlying respect, gratitude and appreciation for those people willing to do hard, thankless work to protect us (having done a lot of that myself).

Regardless of my own views on this all though, the fact remains that for any information sharing program to succeed, there has to be trust. And it’s hard to argue there’s trust to fuel information sharing when one of the biggest, most important players is involved in a lawsuit to prevent having to disclose information it believes it shouldn’t have to.

In the end, it’s too bad because the horrible way the Snowden disclosures have been handled in terms of a response will undermine what is an important initiative that ultimately will benefit everyone.

This is yet another example of how the way you handle and respond to what you do is at least as important (if not more important) than what you do itself.

Ten Years After Bill Gates’ Trustworthy Computing Memo

Ten years ago yesterday, Bill Gates sent out his Trustworthy Computing memo that marked a significant change in the culture at Microsoft and put security, privacy and reliability at the center of the company as ideals.

I was at Microsoft as part of the Microsoft Security Response Center when that came out. And until I left Microsoft in December 2010, I was involved in security and privacy. So I have a former insider’s long-term view of what that was all like.

As my former colleagues are marking the occasion, I’m sharing my own thoughts on what it meant then and what it means for the future.

Here are my comments in Robert X. Cringely’s article “PC security: We’ve come a long way, baby”. And a longer write-up by me over at Betanews: “10 years after Bill Gates’ Trustworthy Computing memo: What it meant for Microsoft and why every tech company needs one”.

It was something to be a part of, but the world is different today. Part of my take on it is how this is still relevant in this different world.

Don’t be too Qwik

The latest chapter in the NetFlix situation is a good lesson in the importance of the rule that it’s not just what you do, but how you do it, in terms of perception.

Specifically, the handling of the short-lived and now defunct “Qwikster” project, NetFlix’s attempt to split their DVD rental business off onto a separate brand, has been an abject failure. Certainly it’s been a failure from a business and customer satisfaction point of view. NetFlix has had to completely reverse direction based on another wave of customer ire and dissatisfaction. Reversing direction on a major initiative like that is never a success.

Beyond that though, the entire Qwikster episode, from start to finish, has caused an important hit in terms of perception by making NetFlix look like they don’t have a plan and are making major decisions without thought, deliberation, and research. It’s one thing for your image to take hits around customer satisfaction and even “being out of touch”. But for people outside to look at you and start saying “What the heck is going on there? Who’s making these decisions and how are they making them?” hurts a business’ image at very fundamental levels. It shakes or even shatters the trust people have in the leadership of the company. That’s particularly bad from an investor relations point of view: if these major decisions are being made in such a reactive, ad hoc manner, why should you expect the company will respond any better to future challenges?

All major reversals like this have some degree of reputational damage around leadership. Whether it’s “New Coke” or the Microsoft KIN, major reversals have led outsiders to ask how those failed decisions were made. But the Qwikster episode has been executed in a way that makes these questions more acute. It was clear at the outset that the decision to spin off Qwikster was a rushed, reactive plan.

One need only look at the debacle around the Qwikster Twitter handle where the handle wasn’t under their control and in fact was already being used by someone Tweeting on topics no marketing person would want associated with a brand new brand. That said clearly that this wasn’t a planned launch at all: it was a reactive, ad hoc decision.

That misstep could have been overlooked and eventually forgotten if Qwikster had been a success. Sometimes companies have to move quickly, and the furor that NetFlix was facing over their new fees was intense; clearly they felt they had to do something. But rather than quell the customer anger over the fee changes, this decision stoked it even more. And so in less than one month, they’ve had to suddenly reverse their previous hasty decision. And now, in addition to the customer anger over the fee increases (which still hasn’t abated), NetFlix has to cope with serious questions about their decision-making process and capability. That hit to their reputation comes through loud and clear in this Wall Street Journal article by Stu Woo and Shara Tibken:

While investors and customers expressed some relief Monday, concerns still remain about Netflix’s recent actions and future. Adam Hanft, chief executive of consumer marketing and branding firm Hanft Projects, said it is difficult to understand Mr. Hastings’s thought process in planning to separate its businesses.

“He’s usually a much better chess player than this,” Mr. Hanft said. “It’s a total blunder, and he misread consumer intentions and interest completely. … It’s clearly a company that’s lost its way, which is unusual for a CEO with a pretty firm grip on things.”

What should NetFlix have done differently? It goes back to planning and the original fee increase announcement. Delivering negative or potentially negative news should be carefully planned. The decision makers should work with those who work most directly with customers to understand the likely response. They should also work with industry experts and analysts to understand the likely response and pitfalls. Then, they should build a plan to mitigate the risks that are identified. In this case, a plan for what to do if customer response is so overwhelmingly negative that they suffer major losses in customers. And if the worst happens, you break out the plan and implement it. You show that you’re adaptable but that you are in control and have a direction. This underscores why it’s so important to involve people with expertise in crisis communications and reputation management in the planning for major announcements: we can help you identify the risks and plan for them.

In the case of NetFlix, I would have recommended that their recovery plan around the fee announcement involve giving customers options around the fees: either a more granular ability to limit the impact of the fee increases, or a promise that they won’t raise fees for some set period of time. And if the fees are driven in part by fee increases by the content providers, they should have been more up front about that. Customers don’t like it, but they understand, when you have to pass on increased costs from your suppliers. And, anyway, there are few industries that already have as bad an image as the large entertainment conglomerates.

NetFlix now has to start working to repair its relationships with its customers and rehabilitate its image around corporate decision making. A first step in that latter process will be to do all they can to make the next major step they take a success. Hopefully they’ll do better planning for that next step.

Lead or go out of business

That’s increasingly the reality around communications and online security/privacy incidents. If you don’t lead in providing information then others will do it for you. And that can mean your company could be out of business in just a few days. Google, Microsoft, Mozilla and the Dutch government have all made this point very clear over the course of the past few days in regards to the DigiNotar compromise.

You can get full details in Gregg Keizer’s story, but the important facts are that DigiNotar is a Dutch company that issues digital certificates used for secure web browsing. Around August 29, 2011, Google discovered a forged DigiNotar certificate was being used on the Internet. In real terms, this means that someone could use this certificate to watch what you’re doing on the Internet when you’re using a secure channel, without you knowing it. Google, Microsoft, and Mozilla all responded by making the forged certificate unusable in their browsers but keeping the rest of DigiNotar’s certificates usable. This is the standard response when situations like this have happened in the past.

But over the next four days, it emerged that DigiNotar had been aware of this attack since mid-July, that it was broader than a single certificate, and that they had said nothing. In response to that lack of transparency and communication, Google, Microsoft, Mozilla, and the Dutch government, now involved because they used DigiNotar for sensitive government websites, took an unprecedented step. They revoked all certificates that DigiNotar has issued or will ever issue, basically putting them out of business. It would be like the United States Government declaring that a state’s driver’s license issuing procedures were so weak that none of their licenses will be accepted as valid IDs ever again.
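To make the difference between those two responses concrete, here is an added example, not code from the original post or from any browser vendor, that models how a browser decides whether to trust a certificate: it builds the chain from the site’s certificate up to a root, refuses any chain that contains an explicitly distrusted certificate, and requires the chain to end at a root in its trust store. The first response is a blocklist entry for the one forged certificate; the second removes the CA’s root from the trust store and blocklists the CA’s own certificates, so everything it ever issued fails. All CA names, host names, serial numbers and fingerprints below are constructed for the example.

```python
"""Targeted blocklisting versus distrusting a whole CA (constructed example)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int

    @property
    def fingerprint(self) -> str:
        # Stand-in for a SHA-256 hash over the DER encoding of a real certificate.
        raw = f"{self.subject}|{self.issuer}|{self.serial}".encode()
        return hashlib.sha256(raw).hexdigest()


@dataclass
class TrustPolicy:
    roots: set[str]                                  # fingerprints of trusted root CA certs
    blocked: set[str] = field(default_factory=set)   # fingerprints explicitly distrusted


def build_chain(leaf: Cert, pool: list[Cert]) -> list[Cert]:
    """Follow issuer links from the leaf until a self-signed cert or a dead end."""
    chain, seen, cur = [leaf], {leaf.fingerprint}, leaf
    while cur.subject != cur.issuer:
        parent = next((c for c in pool if c.subject == cur.issuer), None)
        if parent is None or parent.fingerprint in seen:
            break                                    # incomplete chain or a loop
        chain.append(parent)
        seen.add(parent.fingerprint)
        cur = parent
    return chain


def validate(leaf: Cert, pool: list[Cert], policy: TrustPolicy) -> tuple[bool, str]:
    """Return (trusted?, reason). Every link is checked against the blocklist,
    so blocking a CA certificate also blocks everything issued beneath it."""
    chain = build_chain(leaf, pool)
    for cert in chain:
        if cert.fingerprint in policy.blocked:
            return False, f"blocked: {cert.subject}"
    root = chain[-1]
    if root.subject != root.issuer or root.fingerprint not in policy.roots:
        return False, "chain does not end at a trusted root"
    return True, "ok"


# Constructed certificates: one CA with a forged leaf and a legitimate leaf,
# plus an unrelated CA that should be unaffected by either response.
ROOT_A = Cert("CN=Example CA Root", "CN=Example CA Root", 1)
INTER_A = Cert("CN=Example CA Public Server", "CN=Example CA Root", 2)
FORGED = Cert("CN=*.example-mail.test", "CN=Example CA Public Server", 9999)
LEGIT_A = Cert("CN=www.example-gov.test", "CN=Example CA Public Server", 42)
ROOT_B = Cert("CN=Other CA Root", "CN=Other CA Root", 1)
LEGIT_B = Cert("CN=www.example-shop.test", "CN=Other CA Root", 7)
POOL = [ROOT_A, INTER_A, FORGED, LEGIT_A, ROOT_B, LEGIT_B]
LEAVES = {"forged": FORGED, "same_ca": LEGIT_A, "other_ca": LEGIT_B}


def outcomes(policy: TrustPolicy) -> dict[str, bool]:
    return {name: validate(leaf, POOL, policy)[0] for name, leaf in LEAVES.items()}


def targeted_response() -> dict[str, bool]:
    """First response: block only the forged certificate's fingerprint."""
    policy = TrustPolicy(roots={ROOT_A.fingerprint, ROOT_B.fingerprint},
                         blocked={FORGED.fingerprint})
    return outcomes(policy)


def full_distrust() -> dict[str, bool]:
    """Second response: drop the CA's root and blocklist its own certificates."""
    policy = TrustPolicy(roots={ROOT_B.fingerprint},
                         blocked={ROOT_A.fingerprint, INTER_A.fingerprint})
    return outcomes(policy)


if __name__ == "__main__":
    print("targeted :", targeted_response())   # only the forged cert fails
    print("full     :", full_distrust())       # everything from that CA fails
```

Run stand-alone, the first line shows only the forged certificate rejected while the same CA’s other certificate and the unrelated CA’s certificate still pass; the second line shows every certificate under the distrusted CA rejected and the unrelated CA untouched. The blocklist is checked at every link of the chain, which is what turns “block this one certificate” into “block everything this CA has ever issued” when the CA’s own certificates are the ones listed.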

If you need any proof that the lack of transparency and communication was the chief driver of this decision, Johnathan Nightingale, who is Director of Firefox Engineering over at Mozilla, cites the lack of notification as the first reason behind their decision. He goes on to talk about how “Incidents like this one demonstrate the need for active, immediate and comprehensive communication”. While his comments are about this specific incident, they apply to any online security/privacy incident.

DigiNotar had two chances to take the lead in this situation. First, when it was discovered in mid-July, and then when it first broke publicly in late August. If they had made a point to be the source of authoritative information at either of these junctures, they may have been able to keep control of the situation and keep from being shunted to the sides and shuttered by the other affected parties. As it is, though, they’ve become a cautionary tale of how fast things move in Internet time and how quickly one poorly handled incident can close down a business.

Hacking the Press: What the bogus “IE users are dumb” story tells us

It is a rare thing to have my background in online security and dealing with “hackers” and my work in PR and communications come together outside of online security and privacy incidents.

But the “Are Internet Explorer (IE) users dumb” story that broke late last week really brings those two worlds together in very interesting, and enlightening ways.

To recap, late last week we saw a spike in stories claiming that a Canadian company had done research that they believed showed a correlation between IE usage and lower IQ scores. They wrote about it on their blog and managed to get broad, mainstream press pickup pretty quickly. This CNN story is a good example of the coverage we saw.

I’m not surprised at how broadly the story went. It had a nice mixture of scientific authority and average-reader comprehensibility, and it tapped into a pervasive, latent anti-Microsoft sentiment (I should know about that, I dealt with it when working there).

We have found out now that the “study” that formed the lynchpin of this whole story was bogus. How do we know this? Well, the people that made the fake helpfully came clean and admitted it on their site. To add insult to injury for all those reporters who now have to explain why front page and “most viewed” stories on the CNN and BBC sites (among others) were bogus, the folks behind the fake “helpfully” detail eight reasons why people should have known this was a hoax.

This is hardly the first time people have gotten hoaxes into the news pipeline. But this is one of the more audacious examples I’ve seen. It’s also one of the more egregious failures on the part of the press to detect fraud. And the authors of this “study” listing eight reasons we should have known it was fake really raises the question of how something as fake as this could get out there so widely.

First, it looks to me like a variation of what an online security expert, Rob Rosenberger, termed “False Authority Syndrome” back in 1997. That is when someone gives an “expert” a degree of authority that they shouldn’t be entitled to. In the case of this issue, the people creating the fake made it plausible enough to seem like they had the authority that they claimed. They borrowed text from legitimate websites, and gave the site enough depth to look like it had been up for a while (you could only figure out it was new if you dug into the Internet registration records).

Next, the challenges around time pressures in the press arena really come into play. Reporters often don’t have the time to contact other known, credible sources when they’re dealing with an unknown “expert”. In the case of this story, the time element was exacerbated by the natural sensationalism of the piece, the clear simplicity of the message and the catchiness of the narrative. Any reporter and editor worth his or her salt could see this is a story that would have a lot of immediate pick up. And in the age of “viral” sharing, if you don’t get your story out first, your competition will. That makes it even harder to take time to get it right and do deep and thorough checking. In an era of easy updating with corrections, it’s often OK to just go with what you’ve got now to land the eyeballs, and worry about tidying any errors later.

Another piece of this, which the authors may or may not be aware of, is that they posted later in the week, when we start to see major news cycles wrapping up in a way that opens up space for late-in-the-week new stories. That the news in the US had been inundated with debt ceiling stories all week also created a pent-up demand for something, anything different. And with the heavy diet of debt ceiling stories that week, a lighter, snarky story like this was a welcome counterbalance for readers.

A final piece of why this happened is perhaps one of the most maddening of all. It happened just ‘cos. I say you can only assess part of the factors that make a story interesting. There’s always a host of unknown and unknowable factors that come together to set in motion a huge story (or fail to, and the story disappears without a trace). Everything from the time of day the posting’s RSS hits, to what reporter is at his or her desk, to whether that reporter still has a story to file for that day, all of these and more play a role. Ultimately, I lump all of these unknowns under the title “luck” and accept the reality of that, frustrating though it is.

Taking all this and putting it together: why did this fake story succeed in getting bigger and broader coverage than most legitimate stories? Because it was a well-crafted hoax that told an interesting and amusing story that successfully exploited weaknesses in the press “system” related to time pressures that ultimately got lucky.

Any of you with a background in online security will recognize that I’ve essentially outlined there a successful “hack”. They found vulnerabilities in a system (time pressures and susceptibility to catchy stories), built a good exploit (the hoax) and got lucky.

Unfortunately, those vulnerabilities aren’t going away anytime soon. Which means we may see more of these in the future.

[Updated to reflect that there were eight reasons why the hoax should have been caught and not five as I originally posted. Because, well, I can’t count.]

The Skype Blogger Proxy War

I said last week it would be interesting to see how the Skype story about firing executives ahead of the Microsoft acquisition would play out. And this week is proving me right, though in unexpected ways. With the latest developments, the Skype story has turned into a full-blown blogger proxy war. Third-party bloggers are making arguments for and against Skype while the main players sit on the sidelines feeding the bloggers ammunition for their cases. What’s most interesting in this is that Skype appears to be making no effort to manage the story openly in the mainstream press. Blogger proxy wars aren’t unheard of, but letting that be the only avenue you pursue in managing a situation is unusual and bears watching for lessons.

As a reminder, last week’s story focused on eight executives being let go by Skype ahead of the acquisition. Skype gave little real information about the move. That naturally begged questions that third parties were happy to try and answer, suggesting the motivation was greed on the part of Skype’s owners, the private equity firm Silver Lake Partners. Apparently someone at Skype or Silver Lake wasn’t happy with that story and “unnamed investors” started giving interviews explaining that it wasn’t greed, that the firings were part of a planned restructuring by the CEO. Most notably, this explanation was never delivered by Skype through any official, named sources. Skype opted to let the unnamed spokespeople carry their key message, something most of us would strongly recommend against (and I did last week).

Now, another phase in the story has come out, with a former Skype executive, Yun Lee, who voluntarily left, detailing how vested stock options were yanked back by Silver Lake after he left. He doesn’t argue that they lacked the right to do that, but he is making the case that it’s a sketchy thing to do. His story handily picks up and builds on the “greed” narrative that started last week. Because Skype didn’t actively work to shut down that narrative, it is fertile ground for Lee’s claims and, predictably, his claims are taking hold.

On the heels of last week’s tactics working poorly for Skype, they are, amazingly, following the exact same playbook. Skype’s official spokesperson has again issued a vague statement at the start of the cycle that fails to address the questions and concerns that reasonable people might have. Again, more detailed information about Skype’s point of view is coming out through interviews with “unnamed investors”. And once again, we’re not hearing that more detailed information come from any official, named sources at Skype.

At this point, this somewhat bizarre, disengaged public relations strategy on the part of Skype and Silver Lake has turned this story into a proxy war. There are bloggers/reporters like Sarah Lacy and Henry Blodget who are talking with these unnamed investors and themselves making the case for why Skype acted in a reasonable way. Meanwhile, lining up on the opposite side, you have Michael Arrington and most notably Felix Salmon, who has written on this three times in the past two business days and used “evil” in every posting title.

It can be argued that Skype’s approach has succeeded in keeping this story out of the mainstream press generally. Aside from an article last Friday at Bloomberg Businessweek, which has Skype’s only official statement, there’s not been much coverage. But it would be a mistake to count that as a clear victory. Damage to reputation doesn’t have to be widespread to be harmful. Felix Salmon’s most recent post on this touches on the impact of this all on Silver Lake’s reputation. While he doesn’t think Silver Lake will suffer, an investment banker who tweets under the handle EpicureanDeal calls out the harm this will have to their reputation within their business community, and that could be very bad for Silver Lake.

It remains to be seen how this will sort out. But Skype and Silver Lake’s failure to openly engage on this story means they’re relying on the skill of their blogger proxies and luck for this not to end badly for them. That’s not an approach I would ever recommend. As I said last week: Skype should go out and tell their story openly and engage with the mainstream press who have written about this. That doesn’t preclude arming their blogger proxy allies: it supports it.

UPDATE: Kara Swisher over at AllThingsD has a posting with information from an internal presentation that bolsters some of the arguments in favor of Skype’s and Silver Lake’s position. But, yet again, this appears to be information being passed on background directly to specific bloggers/reporters. There’s still no public statement of the case by a named Skype or Silver Lake spokesperson.

Begging the Question

Over the weekend the news broke that ahead of the acquisition by Microsoft, Skype has let eight of its executives go. Bloomberg ran the story Sunday night with early rumblings of the story starting over at the Skype Journal.

Bloomberg ran the story with an angle saying that the execs were canned so the company wouldn’t have to pay them as much. Since Bloomberg led the story, we see that angle in a number of today’s follow-on pieces, and it is leading to some snarky comments about corporate greed like Preston Gralla’s over at Computerworld.

However, today we find another angle starting to emerge: that this isn’t about the money but is instead part of an already-planned shake up. Sarah Lacy’s article over at TechCrunch takes this line, quoting an unnamed investor.

Whatever the real reason is, the initial story angle isn’t a positive one and it’s giving the event a more negative tone and broader coverage than I think Skype (or Microsoft) wanted. You typically want announcements like this to come and go quickly. And with a pending acquisition, that goal is even more important to help keep things moving on the acquisition and not inadvertently drag your acquisition partner into a negative coverage cycle.

So far, this has spawned two waves of coverage rather than one. Fortunately for Microsoft, it’s not hitting them, at least not yet. But that’s no thanks to Skype and their handling.

What caused this is that Skype failed to look at their news like a regular person, figure out any logical, reasonable questions, and answer them in their communications.

This is their official statement: “Skype, like any other pragmatic organization, constantly assesses its team structure to deliver its users the best products. As part of a recent internal shift Skype has made some management changes.”

Companies don’t typically lose eight execs all at once, particularly when going through an acquisition. So people are naturally going to ask:

  1. Why are you getting rid of this many execs at once?
  2. Is this related to the acquisition?

By failing to account for these questions in their statement, Skype’s handling simply begged those questions, and Bloomberg was happy to try and fill in the gap.

Given that “unnamed investors” are talking to the press today and giving a different story, it’s clear that the theme of the first wave isn’t what at least some people at Skype wanted out there. But having this new theme come out through unofficial channels only confuses the issue further.

If the goal at Skype is to kill the theme of “they were fired to save money”, they need to get out on their blog with a statement clarifying the story, follow up with Bloomberg and try to get the right story out so that it overtakes the initial theme.

It will be interesting to see how this plays out.

In the meantime, the lesson here is that while we want to follow the rule of “less is more” when communicating bad news, you want to make sure your “less” isn’t begging questions. If it is, you can lose control of the story, as has happened here.

Say You Want a Revolution

In the interest of full disclosure, this is adapted from a comment I made in Robert Scoble’s blog today.

So Microsoft today spent $6 billion on an advertising company, aQuantive. First, I have to say, that’s one of the ugliest sounding names I’ve heard in quite some time.

More importantly, I think if they rummaged around in the sofa they could’ve found another billion and bought Chrysler instead. Given the complete lack of any stated vision or direction coming out of Microsoft these days, buying aQuantive isn’t all that different from them buying Chrysler. I doubt Ballmer et al. really know what they’ll do with it. They’ve just got some vague idea that since other people are doing well with advertising, they need to as well. Setting aside the fact that I’m deeply skeptical about online advertising at all (how much money have you spent, dear reader, as a result of clicking on a “sponsored link”?) this is another demonstration of weakness from Microsoft.

The current strategy there seems to be to copy a lot of other people’s stuff (Apple: Vista; Google: Search) rather than really find anything new on their own. OK, so that’s not the first time the charge has been made, but I’d argue things are different now from the past. In the past, when Microsoft followed others into established markets there was some direction to it. Now there’s no plan. It just looks like they’re doing stuff to do stuff.

As a long time watcher of Microsoft, I have to say it’s pretty clear that Ballmer is grossly incompetent as a CEO. Carly Fiorina was sacked over her performance and he’s done significantly worse for Microsoft than she did for HP. The fact that he’s not been sacked speaks to a board that is failing its shareholders. And I think that’s the why of the stock price. It’s going nowhere because of a Ballmer tax. No one has faith in the value of the company under his leadership and they don’t think he’s going anytime soon because MS has a rubber-stamp board. Buying MS is essentially buying to hold until Ballmer is gone and someone with vision comes to the helm.

The words of Cromwell to the rump parliament apply to Ballmer and the board:
You have sat too long for any good you have been doing lately… Depart, I say; and let us have done with you. In the name of God, go.

It really is time for a shareholder rebellion. The only people doing well at Microsoft are the executives and the board. Time to remind everyone who they all work for: the shareholders.

Of course, the biggest shareholder IS one of the executives. And that means nothing’s going to change soon.