SwiftOnSecurity
Mar 24, 19 tweets
Rather than go into OrgKit tonight, I want to explain why Windows networks have been historically insecure. 🧵
Computing does not have a long history. Its progression goes industrial IBM solutions with all services included, to piecemeal solutions separating software and hardware, to innumerable OS options and hardware, to standardized hardware and narrowing OS options, to 90’s businesses
As these options narrowed, Windows offered a solution in NT Domains with a compelling, if junior, way to solve the hardest problem in computing: interoperability and per-user security across server and client. There were others; we won’t get into them. It was a huge success.
There is a large history of disparate and converged services in computing. Microsoft eventually combined many academic/corporate solutions into a cohesive offering: Active Directory.
Kerberos for authentication. LDAP for directory. SMB for file services. Group Policy for management, etc.
The problem here was Microsoft created a monstrously powerful solution, with essentially a blank-slate administrative paradigm you had to design and deploy (they didn’t know what was the right way either yet and didn’t want to prematurely designate), and gave it away for free.
Directory solutions and admin delegation of rights had previously been entire jobs that committees debated and defined and slowly developed tools for.
Active Directory had that, in an almost infinitely adaptable way, for people with no experience or knowledge. It just worked.
Microsoft had tribulations in its management and investment in Active Directory. Some of which I know, most I don’t.
But they had unleashed the greatest networking tool ever for making computers talk together and be managed. Effortlessly. And, they were mostly all isolated.
Some things, I blame Microsoft. Others I say what they were doing had literally never existed at scale. And without hindsight. Others were a failure to renew an ownership in results.
Anyway. The years go on. The Internet is omnipresent. And the attacks start against customers.
Microsoft begins to have a Very Bad Time. A combination of code security issues leading to worms, and executable control+privilege level on arbitrary code – leading to users compromising themselves by installing innocuous-seeming malware – becomes a crisis. Guess what. They respond.
In 2002, Bill Gates releases one of the most consequential pieces of corporate writing in history. The “Trusted Computing Memo.”

This dramatically led to changes making exploiting Microsoft products substantially harder. It led to internal revolution.
But.
wired.com/2002/01/bill-g…
What Microsoft could not do was fix the networks their customers had already built. Further, they failed to radically transform the administrative surface of Active Directory and its default state, to make it administratable by commoners.
This is one of their greatest failures.
Active Directory remains without reasonable roles for segregation of responsibility. Like, “desktop administrator” or “server administrator” or “network service querying logged-in user.” They just don’t exist. And most customers do not have the specialization and skill to do it.
Neither do OU (folders) exist to correctly delineate these objects into their roles and ability to access. Or organizationally delegate.
So what do Microsoft customers do? They exploit the worst decision in the history of computing. That I feel bad highlighting.

“Domain Admins”
Because Microsoft abdicated its role in strongly defining an administrative theory for Active Directory - which all products today have - their customers have rights to everything assigned to innumerable people. The same account they use to access their email can ransom the entire company.
Now; there are firms that nominally try to do it right. Where Helpdesk are not Domain Admins. But innumerable network services with hijackable credentials are. And the helpdesk people are admins to Domain Admins. So they own the domain admins. AD offers nothing to detect/address.
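The two failure modes above (service accounts sitting in Domain Admins, and non-admin principals such as helpdesk holding write rights over the protected admin objects) can be audited from a domain-joined host. The script below is an added, read-only example, not from the thread; it assumes the RSAT ActiveDirectory module, and its baseline list of expected principals is an assumption to adjust per domain.

```powershell
# Added audit script (not part of the original thread). Assumes the RSAT
# ActiveDirectory module on a domain-joined host; it only reads the directory.
Import-Module ActiveDirectory

function Get-DomainAdminsReport {
    # Recursive membership catches nested groups that quietly widen DA.
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName `
                 -Properties ServicePrincipalName, PasswordLastSet, LastLogonDate
            [pscustomobject]@{
                Account          = $u.SamAccountName
                Enabled          = $u.Enabled
                # An SPN on a DA account means some service runs with DA credentials.
                IsServiceAccount = ($u.ServicePrincipalName.Count -gt 0)
                PasswordAgeDays  = if ($u.PasswordLastSet) {
                                       [int]((Get-Date) - $u.PasswordLastSet).TotalDays
                                   } else { $null }
                LastLogon        = $u.LastLogonDate
            }
        }
}

function Get-AdminSDHolderWriters {
    # AdminSDHolder's ACL is stamped onto every protected account and group
    # (adminCount=1), so a write-class right here is control over Domain Admins.
    $domain = Get-ADDomain
    $dn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
    $nb = $domain.NetBIOSName
    # Assumed baseline of principals expected to hold write rights by default;
    # everything else is a review item (defaults vary by domain age and add-ons).
    $baseline = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT AUTHORITY\SELF',
                  'Everyone', "$nb\Domain Admins", "$nb\Enterprise Admins")
    $writeRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight'
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.ActiveDirectoryRights -match $writeRights -and
                       $baseline -notcontains $_.IdentityReference.Value } |
        Select-Object @{n='Principal'; e={ $_.IdentityReference.Value }},
                      ActiveDirectoryRights, ObjectType, InheritanceType
}

Get-DomainAdminsReport | Format-Table -AutoSize
Get-AdminSDHolderWriters | Format-Table -AutoSize
```

Any row with IsServiceAccount set, or any principal listed by the second function, is exactly the "helpdesk owns the domain admins" path the thread describes and belongs on a remediation list.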
This is just a sample of 2 issues that fostered our reality. Microsoft is now investing again into AD. With a product leader I’d like to call a friendly acquaintance.
But where was the money before. Where was the leadership that obligated the resources. When they made our world.
Lucky for Microsoft it kinda seems like Twitter broke this thread somewhere so you won’t see it. But yeah. I’m called a Microsoft shill because my criticisms don’t fit in a funny anecdote about the Start Menu.
If anyone knows a similar write up or course that explains the actual motivating issues into WHY our networks are like this @ me a link so I don’t have to write it and then never do it.
(The AD team has been working on great stuff, public, announced, and stuff I’ve heard. This is NOT a criticism of them. I’m trying to describe the history of how we got to today. Which they may disagree with. But I don’t pass stuff by Microsoft. I’m actually independent.)