“If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security,” the company’s CEO, Satya Nadella, told employees.
Satya's model of making security a priority at Microsoft:
- Cram ads in every nook and corner of Windows. Left, right, centre, back, front, everywhere. What else is an operating system for?
- Install a recorder which records everything you do. For the benefit of users of course - you know, what if a user missed an ad and wants to go back and see what they missed.
- Send a mail to your employees and tell them "Do security". Mission accomplished - Microsoft is now the most secure platform.
The Microsoft bribes scandal broke not too long after I had to take the "hey don't do bribes" training at Microsoft.
That event really drove home for me the fact that all of the trainings, emails, processes, etc. are mostly plausible deniability. There are people who care about security at MS. I know, I've met them, but for the most part all of this exists so that Satya can plausibly say in court or in front of Congress, "well we told them to do security better. This is clearly the fault of product teams or individual contributors, not Microsoft policy and incentives."
I dunno, that’s a pretty cynical take. Isn’t it just as plausible that they became aware of the bribes internally and were trying to curtail them when the scandal broke out? Or maybe the “don’t do bribes” training actually worked enough for someone to whistleblow even if official internal channels failed? Those who are doing wrong often try to stymie others from making positive changes out of fear, greed, etc.
Edit: I just want to add that there are things to be cynical about - I’m not completely naive. If it’s your legal department heading up the training then you can be pretty sure that there was a cause for it.
Yes, massive companies are a nest of conflicting priorities. The sales team wants to do whatever it takes to win the deal, and the legal team wants everyone to behave ethically at all times. The board wants to be shocked(!) when it turns out those goals are in conflict, with the ethical side sometimes losing out, to remove any personal risk to themselves.
Do you really believe that? Compliance under scrutiny, more like it.
The best job is sitting around and doing nothing. So ideally yes.
But sure, ethically speaking when things get heated they will exploit every loophole they can find to avoid liability. So, lawful evil?
That sounds like a terrible job.
Well you can take it as literally or figuratively as you wish. Depends on the person.
Most corporate law guidance is about risk mitigation, not about ethics. Less activity generally translates to less risk.
You can see a similar phenomenon with security professionals. True, the only secure computer is one disconnected from the Internet, turned off, put in a Faraday cage, on the moon, under armed guard - but that's not useful.
Probably neither. "Don't do bribes" training is standard onboarding procedure at any Fortune 500 company. Just ironic timing from OP's POV.
Not just onboarding. Most, if not all, large companies waste at least an hour of their employees' time on this per year, while themselves bribing politicians in DC.
It was, in fact, a story arc in an at-the-time recent-ish season of SBC [0].
[0] Microsoft's yearly training that is done in the form of a TV drama about MS employees facing ethical dilemmas
But this is exactly why it's standard procedure. I worked for a huge Credit Reference Agency and it was very obvious that this is ass covering.
Sarah and Bob in the New York office of Huge Corp must take the training so that the CEO can swear all his employees know not to bribe people. In the event that Manuel, who is given $100 000 per week of company money to bribe the locals in Melonistan so that they don't interfere with Huge Corp's operations, is actually brought before the government and forced to spill the beans, the CEO will insist they had no idea and some Huge Corp minion gets sacrificed. Manuel will be replaced, and Melonistan will be assured quietly that his replacement will provide make-up money ASAP.
In arms this is even worse, because there it's secretly government policy to bribe people, even though it's also illegal. So then sometimes, even if you can prove there was a crime, the government will say "We'll take that evidence, thank you very much" and poof, the crime disappears. If you make too much fuss, you'll be made to disappear too.
That doesn't seem plausible, because you can't stop bribery by telling people that bribery is against the rules. Everybody already knows that.
If they became aware of bribery and genuinely wanted to stop it, the way is to publicly punish the culprits as harshly as they can, to demonstrate to others that enforcement of the rules can happen.
Yes and no. You might not even realize that what you did constitutes giving or receiving a bribe. What cracks me up though is that all large US megacorps give tens of millions of dollars in thinly veiled bribes to officials each year, as they browbeat their employees into not accepting a god damn fruit basket from a thankful client.
Maybe. However such training is essentially considered mandatory compliance at any publicly traded company once you reach a certain size, especially if you sell to the government, and IMO probably not related to any specific event they became aware of.
I've had to do the same mandatory anti-bribery (of public officials) training annually at US companies a fraction the size of Microsoft. The anti-bribe training is so common at large companies in the US that there are companies selling ready-made, one-size-fits-all training videos specifically on this topic, which are then usually the thing the employee has to sit through annually.
In my experience, different cultures have different feelings on the moral failings of bribes. Some of my colleagues grew up in countries where it is a common business practice, so it probably makes sense for large orgs with a global employee base to establish some kind of baseline for acceptable business practices. Similarly, I know several people who came to study computer science in the US and tried to bribe police officers upon being pulled over for speeding, simply because that's how you handle the matter where they grew up.
Just days ago a major US corporation was found guilty of hiring death squads in Colombia. Literally to murder people.
Why do we have this common illusion that corporations will not stoop down to the dirtiest crimes they can get away with?
https://www.bbc.com/news/articles/c6pprpd3x96o
Microsoft has for over two decades been one of the largest and most sophisticated employers of security talent in the industry, and for a run of about 8 years probably singlehandedly created the market for vulnerability research by contracting out to vulnerability research vendors.
Leadership at Microsoft is different today than when the process of Microsoft's security maturation took place, but I'll note that through that whole time nerd message boards relentlessly accused them of being performative and naive about security.
Yes, hence why I take all those company values trainings as Bull******.
Eh. For the most part, the trainings can be taken at face value. Even if the management's dealings with governments and partners are questionable, no company wants random employees accepting personal kickbacks from vendors.
There's a liability avoidance component to trainings, but mostly for non-business misconduct. For example, for sexual harassment, the company will say they tried everything they could to explain to employees that this is not OK, and the perpetrator alone should be financially liable for what happened. That defense is a lot less useful in business dealings where the company benefits, though.
I have no broad evidence of this, but I suspect that the more beginner-friendly Linuxes are guilty of a lot of the sins that you laid out here. I seem to remember some controversy with Canonical recording your searches when hitting the super key, and Ubuntu having Amazon ads built in by default.
People who love to geek out about computers can of course install Arch or Gentoo or NixOS Minimal and then audit the packages that they're installing to see that there's no obvious security violations, but it's unrealistic to think that most non-software-engineer people are going to do that.
I really don't know how to fix this problem; there will always be an incentive for Microsoft (and every other company) to plaster as many ads as they think they can get away with, as well as to collect as much data as possible. I don't know that I would support regulation on this, but I don't know what else could be done.
Debian is a perfectly reasonable choice for casual Linux users. Ubuntu's supposed usability improvements over Debian are greatly exaggerated. It's mostly just marketing.
Fair enough. I haven't used Debian in quite a while (I think since 2009 or so?), so I can't speak to current stuff, but I do remember it being pretty hard to install then. I'm sure they have refined it considerably since then, and of course I am fifteen years more experienced now than I was.
Personally it's hard for me to go back after I accepted the dogma of NixOS, but maybe if I manage to talk my parents into using Linux I'll install Debian for them.
Install Arch. Not even kidding.
Make a "shutdown" button on the desktop that locks everything and does a full upgrade.
Any issue is solved with "try tomorrow after a reboot". You'd be surprised how fast fixes arrive at rolling distros.
I mean, if you have no evidence of this, why even post such an (incorrect) conspiracy theory comment?
Well the Amazon ads in Ubuntu absolutely did happen, as well as the searches with the super key. [1]
I'll admit it's maybe a bit of an extrapolation to assume that they're as bad as Microsoft, which is why I disclosed that I didn't have a ton of evidence for this.
[1] https://www.gnu.org/philosophy/ubuntu-spyware.en.html I realize that GNU is sort of conspiratorial in its own right, but at least one entity seemed to agree that there are problems with it.
Well, here are the facts (I was an insider at the time, and this is my testimony).
Searches were anonymized and sent through Canonical servers to provide extended search result sets. This was configurable and could be disabled. Canonical of course had your IP address so they could reply, just like any and every HTTP server does. Your search query was not stored anywhere or aggregated, and it was not associated back to the originating IP address except to reply. Your privacy was respected and protected at all times.
The Amazon search did appear as a plugin in an early prerelease. It was never shipped in a released Ubuntu.
The goal was to make things as easy as possible, even for the technically averse (who were still commonplace a decade ago), while still respecting and protecting your privacy.
Of course, no matter what you do, someone is going to scream for everyone to come witness the oppression inherent in the system. We did it anyway with the expectation of baseless knee-jerk outcry and we were not disappointed.
It's not surprising that when a Linux distribution was taken over by a capitalistic firm, it decided to forgo good values and instead prioritized profits over everything else.
Stop using software made by companies that do bad things. Improve the software that doesn't.
Or stop buying their stock... but that is a difficult thing to embrace. As we know, these companies are very profitable.
It was also the other way around with Microsoft. If you deployed an Ubuntu VM in Azure, they contacted you on LinkedIn to offer commercial support.
Not joking: https://www.theregister.com/2021/02/11/microsoft_azure_ubunt...
I have meetings with adtech guys and this gets pitched every time. Along with "a way to save ads so you can watch them again at home later!" and "Alexa-enabled ads that you can talk to!"
To be fair to Satya, every leader should be judged on what they do, not what they say. This isn't a Microsoft or Satya problem; pick a large corporation and you'll find examples of this behavior everywhere.
Words in an email hold absolutely no weight; when leaders choose to trade security for something else, that's all employees need to know.
Say one thing, do another.