
Srsly Risky Biz: Microsoft deserves the stick

2024/3/20

Risky Business News

Chapters

The discussion focuses on the challenges of improving Microsoft's security due to its market dominance and lack of viable competitors, suggesting that traditional market mechanisms are insufficient.

Transcript

Hey everyone and welcome to this edition of Seriously Risky Business. My name's Patrick Gray. Seriously Risky Business is a newsletter and podcast that are usually put together by our colleague Tom Uren, but he's on leave this week. So I've written it and I've brought Adam Boileau out today to interview me about the newsletter that I wrote for Tom instead of me interviewing Tom about the newsletter that... Anyway, you get the idea. Welcome to the show, Patrick. Thanks for writing a newsletter today. Yeah.

We would like to say thank you to Lawfare who partnered with us on the work that Tom does with us. And also a big thanks to the William and Flora Hewlett Foundation. And this week's edition of this podcast is brought to you by Kroll Cyber Risk. So Adam, I guess it's up to you to ask me about the newsletter that I wrote this week. So I guess this is a pretty well-worn topic for us. What do we do about Microsoft? How do we make Microsoft...

okay, better than it currently is. And that's really what you're focused on today. "On Microsoft, the US government must embrace the stick" was your headline. Yes, that is right. Now, look, it might be a well-worn path, but I haven't really sat down and written together a cogent argument about what the root of the problem is when it comes to Microsoft, as far as I see it. And

A lot of this, the reason I wrote this, it all stemmed from an interaction I had at Johns Hopkins University where I went along to speak to Jason Kichter's class and

And this is a story that I've mentioned on the show before where one of the students asked me, well, if Microsoft's a big problem, what do we do about it? And I really didn't have a good answer. The best I could come up with was to say that Microsoft really has a lot of power over its customers. So the best we can kind of do is lobby them and kind of...

conduct diplomacy with them, right? That's kind of the best we do. You don't have the same sort of leverage as a normal supplier. You can't just say you need to do this or we're not going to buy your products anymore. And the reason is that Microsoft products are actually very, very good, right? So the problem with Microsoft is that they have out-competed their challenges. You look at something as simple as Excel,

There is no substitute for Excel. Excel powers an absolutely ungodly amount of... And we hate to admit it, but it's true, right? You do got to hand it to them. So much of the world runs on Excel and it's not like Lotus 1-2-3 is still around. It's not like...

Google Sheets is a real competitor for businesses to Excel. And yeah, Excel works. And that's a hard problem to solve. Great product, not enough competition because they've out-competed everybody. That's right. That's right. And I mean, I asked my Mastodon followers, like, why is it, do you think that US federal government has this lock-in problem with Microsoft products? And I got a great answer from somebody who calls themselves BHCumpy.com.

or Compy, BH Compy, I guess, on Mastodon, who said their reply was, solid products in nearly every business application category, plus generally good integration between said products, along with the OS and communications and file sharing, all tightly wrapped with authentication and provisioning that scales well for any department size, while also not being a black box or on arcane platforms that few support.

And I think that really just does sum it up well, which is Microsoft have got us by the you know what's because they are just very good at this, right? So that then begs the question in this paradigm, how do you get Microsoft to do things like build more sensible cloud architecture, right? And it's hard.

Yeah, it really is. I mean, the traditional answer would be competition. Like that's how it's normally meant to work. But the level of investment required to build and the expertise and the very, very long history behind Windows and Office, like that's not a thing you can magic up as a competitor, right? It's not a thing that someone is going to start a new business to compete with. The vendor lock-in and interoperability and all of the trappings around their products are

make it a very hard ecosystem to walk away from. And because everyone's got to interrupt, you know, we remember back in the, you know, mid 2000s, there was a move towards, you know, like some open source productivity suites, OpenOffice, LibreOffice. In like Germany, for example, I think they made a push to have state services run on free software. And ultimately all of those things fail because, you

The Microsoft stack is just kind of too good and too ubiquitous. And you can get people to support it, right? That's a thing that...

People underestimate how important it is that you can go out to the workplace market and hire people with experience in these products and these services, get them to do what you need, whereas anything more niche than that becomes problematic for you. That is absolutely right. So then that begs the question, you know, what can you actually do about it? And as I said, you know, when I was sitting there, I was thinking, well, you know, diplomacy, something, whatnot, you know, it wasn't really a great answer. So I've been, you know, stewing on this for the last few months and trying to think, well, what can you do?

And I think really what is needed here is big sticks. Yeah. You know, the carrot ain't going to work with Microsoft. So let's make a prediction. The CSRB is finalizing its report into the Chinese APT attack against the State Department and other government agencies in which they somehow magically obtained a signing key that

Microsoft chose not to rotate for whatever reason because I guess rotating it would break things. I don't know. But the whole point of having key expiries is so that you rotate your keys, so if one of them gets compromised, this doesn't happen. So look, there's a CSRB report coming into that. I expect it will be a good report. People are already sort of preempting it. Some people are saying, oh...

they're going to go easy on Microsoft because it's Microsoft. I think that that would damage the board's credibility personally, because just from what I know of this incident, like it's pretty egregiously bad and should not have happened. So that's one thing where Microsoft, I think is going to get in trouble, but it's one thing to have the CSRB tell you, you did a bad job, you know, but, but how does that actually change the incentives for Microsoft and get Microsoft to go better? And I think, I think it can in a few ways, right? So,

One thing it does is it's an authoritative report that will be reported up to, you know, multiple levels of government. And it's something for policymakers to look at. And probably a bunch of them are going to conclude if the report is highly critical of Microsoft, which I can't imagine it wouldn't be, they'll look at it and realize they have a Microsoft problem.

And then from there, things could start to unfurl. We've seen the SEC launch an action against SolarWinds because its security inaction didn't match the... Well, this is the allegation. The SEC contends that SolarWinds had a security statement on its website that didn't match reality, you know,

according to Matt Levine's philosophy that everything is securities fraud, bang, that's securities fraud. Could we see something else from the SEC targeting Microsoft? Has Microsoft made statements that it can't support? Would the SEC even go there? Even going after SolarWinds has been quite controversial, but that's one area where we might see some action here. And we have seen a willingness of the US government to start to get into some of these weeds a bit

Like we've seen the White House putting out statements about, you know, secure by design software engineering. And people are starting to realize that this is a thing where the market isn't delivering exactly what customers need. Sure, sure. But Adam, that is pointed at other people, not Microsoft. Yes, but not Microsoft yet. Because Microsoft can say, take your guidance and stick it where the sun don't shine. And what are you going to do about it? Right? And this is the whole problem. So, you know, you've got maybe the SEC could do something there. What about competition regulators? Yes.

Could competition regulators say that productivity apps need to be portable across platform? Do you want to run M365 on GCP?

Why should you not be able to do that, right? Like, would we switch from, you know, Google's productivity suites to M365 if they're available? We're a workspace shop. Like, that's something we could consider. So competition regulators might want to have, you know, a think about it. My point is we need to change the way, well, governments need to change the way they think about how they deal with Microsoft. Another idea, spending caps. You know, only this much, this much proportionally.

of US federal IT spending can be used to buy Microsoft licenses. This will encourage people to shift some money elsewhere. This will encourage competition. It's a fairly radical idea, and I'm sure that anyone listening to this in Redmond right now is probably developing some form of stroke, but this is the point, right?

We can't be same old, same old. We can't be gentle anymore. It's time for regulators to go to their stick armory and have a look and select a few of the correct sticks that they can use to start beating Microsoft up with. Because as I point out in this piece, this is a problem of incentives.

Microsoft is just not incentivized like other organizations to improve its security because of this lock-in. They've launched initiatives and stuff. They say they're working on it. That's great. That's wonderful. But it shouldn't be voluntary.

you know, they should really have strong incentives to fix these problems. Yeah, and I think, you know, the State Department having its email read and then some of the, you know, some of the other scenarios we've seen Microsoft get their customers into. Well, yeah, a couple months later, the SVR is going and doing wild things with OAuth and you think, geez, maybe they should have the Cyber Safety Review Board and then another one just for all of the Microsoft incidents. The Microsoft Safety Review Board. Yes, I like it. I like it. Yeah.

Yeah, I mean, clearly it is time to go to the stick arsenal because, as you say, there isn't real competition. It feels like the market is not delivering what we need out of Microsoft. And there isn't a way for you as a customer, a user of Microsoft's platforms, and especially one as big as the US government...

to go somewhere else easily and do it through the normal mechanism of the market. So yeah. "You don't like our products, go use Sheets, peasant" is the vibe.

You know, good luck getting your macros to work. Yeah, like maybe Oracle can stand up an Office product. Oh, God, yeah. I mean, look, it did occur to me that we should maybe be careful what we wish for. Well, exactly right. Because the idea of portable apps, you know, but the... So ultimately the idea of something like app portability isn't for people to actually use the portable apps.

It's for Microsoft to get spooked enough to improve things so that people don't use them. Yeah, we have to be careful what we wish for here. We don't want Oracle Office. Yes. Oracle 65. Yeah, Shudder. Shudder. If only Sun was still around. Sun Microsystems would build us an Office suite that didn't suck and wasn't Microsoft. But no, they wouldn't. It'd be terrible. It'd be made of Java. It'd be code exec everywhere. Wait, that's exactly the Office suite we already have. So...

At least then we'd have choice about what we got shelled. We've got choice on which vendor we're using when we get owned. Yes, exactly. Whose Kerberos implementation gets us wrecked. Now, moving onwards, one of the other longstanding things we've talked about in Risky Biz is hound release and going after ransomware through releasing the hounds to go after them and disrupt them.

We've seen some people questioning how well that has worked lately. There's been some big ransomware groups shut down or attacked, and then they bounce back and keep on working. And so you wrote this week about...

You know, I guess, revisiting our release-the-hounds doctrine and what it looks like these days. Well, I think it's more restating it, because I've always seen this as a problem of people, not a problem of Tor hidden services on the internet. Yes. And the problem with a lot of these disruption campaigns that have been going on is they've been hitting the infrastructure, which is great, right? And I even say in the piece they should keep doing that. It's a good thing. It

frustrates them. I think the takedowns have been a little bit more successful than some commentators think because, you know, sure, these groups come back, but like in the case of ALPHV, as soon as they hit a big payday, they immediately exit scammed because they probably don't want to get taken down again by the FBI. LockBit is out there saying, I'm still fierce. I'm still a big boy. And not really. So I think this stuff is effective, but I think if you want to have an enduring impact...

You've got to play it a little bit more hardball. And again, this is stuff that we have spoken about a fair bit on the weekly show. Funnily enough...

But the Grugq and Tom Uren in the Between Two Nerds podcast did have a conversation about this very topic, which I actually listened to after I wrote this, which is funny because I was driving home from dinner last night and listened to it. And I'm like, well, this is exactly kind of what I'm getting at. The Grugq makes the point that these criminal organizations are systems and the best way to take out a system is to identify the weak points and go for them and the weak points are the people and blah, blah, blah, blah, blah.

So look, this piece is intended to be entertaining more than anything else. But it's also trying to make a point, which is that, you know, there's a better way, right? I've given some examples of things that you could do

theoretically, which would make life very difficult for ransomware operators. For the actual people rather than just their infrastructure. Yes. I mean, imagine if you could just target the top 50 ransom, people who sit at the top of the apex of what I've called as the ransomware industrial complex in this piece. You know, you take them out, all of a sudden this problem...

looks very different. And, you know, them being in Russia is a challenge because you can't extradite them. But then I pose the question, how hard is it to get a Russian in trouble?

Yes, the environment there is ripe for getting into trouble if you were to misbehave on the internet, on the Russian internet. And you've come up with a list of options for some of the people doing this work to consider. Well, a lot of these would be illegal, right? Illegal schmigel, right? But they're not supposed to be like, oh, these are policy ideas that you should absolutely put into action. The point is it's different thinking.

Okay, it's different thinking. I want to point out too, like when I was listening to that podcast, Tom used a great example of a disruption operation that the ASD ran against some people who were using malware to try to capture Australian COVID relief payments and whatnot. So very quickly, I think they took over the person's account, put some bugs in the malware.

in the person's malware and then spun up a bunch of accounts pretending to be annoyed customers, saying that the malware didn't work, which now, thanks to what they'd done, it didn't, and the problem went away. So that was a really effective disruption operation. They didn't just go and try to nuke a Tor hidden service, right? Like this was really about destroying the vendor's reputation, which is what got the job done. I will note too that the only Australian ransomware disruption event we've seen was Aleksandr Ermakov, who is the person behind the Medibank hack.

Mysteriously, he is in prison now. Yes, because he attacked a Russian organisation and ransomed them, which... Well, it's a historical thing, but I do wonder, and I've got no information to suggest that this is the case, but I do wonder if perhaps one of the reasons Russian authorities obtained evidence of his involvement in crimes in Russia was because of some sort of ASD action. I do wonder about that. So I think we've got to...

realize that we don't know everything about every single disruption operation that's happened so far. It's not all just deleting Tor hidden services. I think ASD might have done something a bit more creative and exotic. Again, I don't have any information to suggest that, but

That would be a great example if it were true. We don't know whether it is or isn't, but that's exactly the sort of thing. That's right. And based on their previous work, you know, it's not just doxing like they have been known to sort of do the mind game stuff. So good on them. But here are my ideas, which are, as I say, thought exercises.

One thing that you might consider if you're trying to disrupt a ransomware operation is to join yourself as an affiliate somehow or take over some other affiliate's access and then just go wild. Start attacking Russian companies. You don't even need to deploy the cryptos. You just need to make it look like you're about to.

So you can essentially conduct zero harm attacks that are going to make Russian authorities extremely nervous. Now, how do you think it's going to go down when the FSB...

People turn up and you say, well, that was an affiliate acting without our authorization. And then it keeps happening. Yeah, exactly right. Eventually you're going to get shut down. Yeah, you can make these problems pretty real. Or at the very least cost you a lot more in bribes and kickbacks and so on, like to make it economically less viable. It's a great option. I mean, other things you could do. You could post pro-Ukrainian statements to their infrastructure. You know, grab some stolen Russian data or even fake stolen Russian data, put it behind a timer and say glory to Ukraine. Right.

I mean, you know, just make these people look like they're enemies of the Russian state. You could steal Russian government information and leak it via ransomware as a service infrastructure. I mean, this type of operation would need to be really compartmentalised and very, very secret because if it leaked, obviously it would be very damaging and quite escalatory as well. So I'm not suggesting that we let...

the FBI go and do this. I'm saying a very small team of people with very high clearances doing it in an extremely deniable way. Why not hack into their desktop computers, their endpoints? Send a couple of bomb threats to the Kremlin from their email.

Yeah, that's a long and proud tradition of getting people swatted in the US. They've got plenty of expertise at that. Why not do that in Russia? Do some business email compromise from their infrastructure. Targeting CIS countries, Russia and friends of Russia. That'll do. Yeah, I mean, I could see some Ukrainians getting on board with this to help out. I mean, you could steal their Bitcoin. I reckon they would have been looking at this already in terms of seizing Bitcoin. Yeah.

But, you know, if they're using hardware wallets, which would make that very, very hard, you know, do some research. See if you can find a way to configure their computers with the correct malware so that next time they plug in their hardware wallet, you brick it. Yeah, like the firmware or something like that. Yeah. No more Bitcoin. You know, you've just destroyed it. You don't even need to seize it. You've just destroyed it.

And even if the particular wallet that you nuke that day doesn't have any Bitcoin in it, I mean, you imagine what that's going to do to their paranoia. Yeah. I like it. And there's plenty of smart hardware hacking resources available in the national security apparatus that could build one of those. I mean, this one's just for shiggles. But if you could own the right systems, put these guys on, you know, make it look like they signed up for service in Ukraine. Yeah.

You know, congratulations, Gunnery Sergeant LockBitSupp. Yeah, welcome to the front lines. You're off to the front lines, you know? And, you know, another one that we've mentioned on the show a bunch of times is just really listing ransomware actors' personal details and net worths publicly or giving it to criminals or even corrupt officials. Just making it known, this guy lives at this apartment...

and has $20 million in a cold wallet somewhere. Get your rubber hose, and it's yours. Yep, that would also work pretty well. And, you know, all of those options, you know, definitely things worth talking through with your team of lawyers. And I'm sure, you know, CIA has a long history of doing all sorts of shady things. Like, they must be... It seems well below their normal level of, you know, shady stuff they've done in history. Like, this seems, you know, low bar for them. Yeah, but the problem is, right, and this is...

I think the root of this issue is that for too many senior policymakers, they see this as a law and order issue, not a national security issue. This is something that I vehemently disagree with. I believe it is a national security issue. I know that senior policy figures in some countries agree with me, but in others they don't. And they're like, this is law and order. This is about computers being hacked, ransomware is being delivered, you know, but we didn't send the FBI after Somalian pirates, right?

No. Did he? The US sent the Navy. Yes. And this is kind of my point. I'm not trying to throw shade at FBI. I'm trying to say that this response that we've been dealing with has been designed by senior policy figures. You know, we'll tighten up KYC regulations for crypto. You know, we're going to get the FBI to do takedowns and gather evidence and whatnot.

It's the wrong approach. That's just my two cents. And I think that there's, you know, it's the senior policy people who are kind of to blame here for treating this as a problem you can solve with the regular tools instead of one where, you know, you need to get a little bit creative and prepare yourself for the possibility that your actions may cause some of these people to be harmed. I mean, I think starting with law enforcement, you know, is the right place to go. Like we shouldn't go straight to extrajudicial measures. Straight to 11. Yeah, but...

Yeah, it doesn't feel like it has been effective as it needs to be. You know, people operating out of pariah states that are shielded by their governments. You know, we do need a little more creative solution, and I think... Well, and I think that, and again, just to reiterate, I think the fact that these people are operating from authoritarian states is something that we can use to our advantage. It's an opportunity, yes. That's right.

Yes, indeed. Well, I think that on that note, we can wrap it up. And, you know, I'm sure you've given plenty of food for thought for the listeners of this show and readers of the newsletter in various policy circles around the world. And, you know, we never get to really see what comes out of some of these ideas that we plant in people's heads. But hopefully... Hopefully mysterious ideas

Bad things will start to happen. Before people that we don't like. So, yes. We leave it in your capable hands, agents of the various governments who are listening. So, anyway, thank you for your time, Pat. It's funny being on this side of the equation. But, yeah, I guess we'll have Tom back next week and then we'll be a slightly more normal show and maybe less crimes we recommended.

Thanks, Adam. And I just got to say too, I haven't written anything in a long time. For those who don't know, I started my career as a writer. So it was really fun to actually sit down and actually type one out. So I hope you all enjoyed it.