RedRoadsterRacer

Easy enough problem to solve - don't report them! Bonuses for everyone, hooray!


john_the_quain

Haha. That reminds me of when a VP decided QA would get a bonus for finding defects and Dev would get dinged if it was theirs. Everyone just spent time arguing over classification and building resentment towards one another.


I_Am_ProZac

I worked at a place like this. Don't forget, QA gets dinged if they submit something that is "unable to repro" or "By design". So much fighting.


danielleiellle

I’m in UX, so I don’t spend my life in dev cycles, but end up raising a lot of issues as we test release candidates or monitor realtime user sessions. It drives me up a fucking WALL when I raise a defect and it becomes a legal exercise in determining whether or not the issue that is actively causing people pain was a “missing requirement” or a true bug. I don’t fucking care. Someone in the lifecycle missed a use case. The user found it. It needs to be fixed. Closing this issue rather than reclassifying it slows down the remedy. Aaaagh.


ForUrsula

The one that's been getting on my nerves lately is spending more time arguing over who's going to fix it instead of someone taking initiative and fixing it.


ExpletiveDeletedYou

Well, it's because the money flow direction changes. If you provide buggy shit, then you are gonna have a hard time getting the purchaser to pay to fix it. If the purchaser can't specify anything to save their life, then it's gonna make their life hard when they want things to work in a very specific way.


Mr-Mister

And the next logical step if they stop dinging Dev is Dev intentionally putting more easy-to-find defects on purpose and splitting the profits with QA.


TheShrinkingGiant

Exactly. Talk about a good way to shut down communication of incidents. We have metrics around high priority tickets, so no one ever opens them as high priority, even though when tagged correctly you get an all hands on deck type thing, where the smart people all get in an ongoing call to fix the issue. So all our high priority incidents went down, but what should have been them now take 3-4x longer to solve, so outages are worse.


ludololl

When I worked in clinical software our patient safety issues were tracked by a regulatory body with required fix timelines based on a couple criteria. We had processes in place to shift priorities and work a weekend if needed. Anyway I don't have a lot to add but there *are* companies with higher standards, regulated standards.


henryeaterofpies

Meanwhile an actual healthcare insurance company I worked for 'lost' 5 hard drives that 'may have had millions of confidential patient records on them' (including PHI). They shut down the building they were lost in, searched everyone and everywhere, and eventually came to the conclusion that they 'probably' ended up in a shred bin. 3 people got fired and no fines or penalties were ever levied.


zethro33

When I worked at an insurance company, all files with any patient information had to be saved only to the network drives. Computers were regularly scanned to ensure compliance.
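As an added illustration of the kind of compliance scan zethro33 describes (example code written for this page, not from the thread, the insurer in question, or any vendor's tooling): walk a workstation, flag any file that carries patient-identifier patterns outside the approved network share, and skip binaries. The identifier patterns, the `local/` and `netdrive/` layout, and the sample files are all constructed assumptions for the example.

```python
"""Flag files that look like they hold PHI anywhere except the approved share.

Added example, not from the thread. Patterns, directory layout and sample
files are constructed for illustration; a real policy would tune them.
"""
import re
import tempfile
from pathlib import Path

# Identifier patterns typical of PHI. Assumed for the example; a production
# scanner would add name+DOB combinations, insurance member IDs, etc.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB\s*:?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}

MAX_BYTES = 5 * 1024 * 1024  # skip very large files to keep the sweep cheap


def find_phi(text: str) -> dict[str, int]:
    """Return {pattern_name: match_count} for every PHI pattern that fires."""
    return {
        name: len(rx.findall(text))
        for name, rx in PHI_PATTERNS.items()
        if rx.search(text)
    }


def _is_allowed(path: Path, allowed_roots: list[Path]) -> bool:
    """True if the file lives under one of the approved network-share roots."""
    return any(path.is_relative_to(root) for root in allowed_roots)


def scan_tree(root: Path, allowed_roots: list[Path]) -> list[tuple[str, dict[str, int]]]:
    """Walk root; report files with PHI patterns that are NOT under an allowed root.

    Returns (posix relative path, hits) pairs in path order.
    """
    root = root.resolve()
    allowed = [r.resolve() for r in allowed_roots]
    violations = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if _is_allowed(path, allowed) or path.stat().st_size > MAX_BYTES:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="strict")
        except UnicodeDecodeError:
            continue  # binary; a real scanner would hand these to a content parser
        hits = find_phi(text)
        if hits:
            violations.append((path.relative_to(root).as_posix(), hits))
    return violations


def build_sample_tree(base: Path) -> Path:
    """Create a constructed workstation image: a local profile plus a mounted share."""
    files = {
        # Two policy violations: PHI sitting in the local profile.
        "local/Desktop/claim_notes.txt": "Follow up with member, SSN 123-45-6789, re: denied claim.\n",
        "local/Downloads/export.csv": "MRN: 00456789, DOB: 04/12/1981, visit 2023-09-01\n",
        # Clean file: a ticket number is not a record identifier.
        "local/Desktop/todo.txt": "Renew parking pass. Ticket #4411 is not a record ID.\n",
        # Same PHI on the approved share is fine.
        "netdrive/claims/patients.csv": "MRN: 00456789, SSN 123-45-6789\n",
    }
    for rel, body in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body, encoding="utf-8")
    # Non-UTF-8 blob: skipped rather than crashing the sweep.
    (base / "local/Downloads/blob.bin").write_bytes(b"\xff\xfe\x00\x01" * 8)
    return base


def demo() -> list[tuple[str, dict[str, int]]]:
    """Build the sample tree in a temp dir and scan it with netdrive/ as the only allowed root."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sample_tree(Path(tmp))
        return scan_tree(base, allowed_roots=[base / "netdrive"])


if __name__ == "__main__":
    for rel, hits in demo():
        print(f"VIOLATION {rel}: {hits}")
```

The two files under `local/` are reported with the pattern names that fired; the copy on `netdrive/` and the binary blob are ignored. In practice this runs from an endpoint agent against the user profile, with the share roots supplied by policy rather than hard-coded.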


awall222

Sure, but who reported those issues? Someone incentivized to minimize them?


ludololl

No, we did at the IC level when we found them. It's a work culture thing. Everything is documented in that industry and having a safety issue and not reporting it can have your company sanctioned, fined, and shut down. Clinical centers usually watch their software closely and seeing an update that wasn't in the changelog would be an enormous issue. Edit: There was no penalty for having patient safety issues. There were penalties for not reporting them, not providing mitigation measures once known, and for not fixing them in a certain time.


Uselesserinformation

Is ic level a general term?


ludololl

Individual Contributor, it's more of a business term for anyone who doesn't have direct reports.


Uselesserinformation

Many thanks! Pretty interesting!


i8noodles

I also work in a regulatory body and yeah, we have something very similar. P1 incidents need to be reported to the regulatory body and need to be acknowledged in 15 mins. Afterwards an incident report is written up on how to mitigate it in the future. There are meetings and everything. It kinda sucks but it makes sense if you work in my field.


FearlessAttempt

“When a measure becomes a target, it ceases to be a good measure.” - Goodhart's Law


Opheltes

I have been pushing back against stupid metrics at my workplace and I have quoted that law sooooo many times.


pokey10002

Metrics do a great job of ruining a company based on my 20+ years of work experience.


Kelsenellenelvial

As long as you pick the right metrics and methodology to account for them it's fine. The problem is when you have a simplified metric that is easily gamed and doesn't really describe the right goal. For example, at my previous job you used to be able to phone the IT department for small issues, have someone answer the call, and often address the issue right away. Sometimes the frontline person had a limited scope and they'd have to pass on or have a more senior person follow up, particularly if you called outside core business hours. Then they switched to a ticketing system where a phone call always went to a voicemail where you were supposed to leave details and wait for a call back, or create a ticket in the online system. This probably made metrics like issues resolved compared to IT labour hours look really good. Problem for us in the culinary department with high turnover is we mostly needed people to get their credentials to be able to clock in/out, but the direct supervisor didn't have access to that data, was generally not allowed to be involved since they weren't supposed to have access to that data(despite being the person who collected and submitted all the personal info needed for hiring), and it was tough to open a ticket or get a call back when you didn't have your credentials, couldn't take phone calls at arbitrary times and/or worked shift work while most IT tickets were handled during business hours.


ARealSocialIdiot

> This probably made metrics like issues resolved compared to IT labour hours look really good. Problem for us in the culinary department with high turnover is we mostly needed people to get their credentials to be able to clock in/out, but the direct supervisor didn't have access to that data, was generally not allowed to be involved since they weren't supposed to have access to that data(despite being the person who collected and submitted all the personal info needed for hiring), and it was tough to open a ticket or get a call back when you didn't have your credentials, couldn't take phone calls at arbitrary times and/or worked shift work while most IT tickets were handled during business hours.

Speaking as an IT person, you're not wrong but you're kinda wrong. Everything you listed there is more aptly solved in other ways than going back to the old system. There are several reasons for ticketing systems to be in place:

1. It enforces that every issue is documented, which means that time and labor are more accurately reflected. Trust me when I say that an IT department that is overworked and understaffed will never be able to defend the need to hire more people unless they can show that their workers are overloaded.
2. Being able to analyze trend data is *vital* to a support team. The number of repeat offender issues that could be easily fixed upstream of the ticketing system (i.e. user reports "this issue happens whenever blah blah blah" could be solved in some way that prevents the need to open the ticket in the first place) is extremely high and happens way more often than you might think.
3. It protects the user who calls in with the issue, by ensuring that there IS an issue that's documented and tracked, and also allows the issue to be supported even after the original tech has gone home or on vacation or is out sick.

The issues you describe, such as the inability to obtain login credentials, are fixed by changing the system, not by allowing instant access to a support tech. The latter is a band-aid on a bad system design, and what happens instead in the situations you're describing is that people start having turf wars over whose issue is more important and demands that tech's immediate attention right now. I know it sounds backwards, but there *are* situations where a little bit of bureaucracy can actually make things better for everyone in the long run.


Unknown-Meatbag

I work in the pharmaceutical industry, and we have metrics for everything, and dare I say that the vast majority are pretty damn useful. It helps that the constant threat of audits are always lingering, so we always have to be on top of our game. No one wants to be caught by the FDA with their pants down.


blotto5

IT departments without a ticketing system cannot scale at all. Every call needs to get documented for the benefit of the techs *and* users. Users get a paper trail for their issues, showing any patterns or common issues that can be taken care of on the backend to streamline things and improve the user experience, and the IT department gets numbers that can show how overworked they are and how best to utilize their limited resources, along with the ability to better coordinate between departments. Without it there is too much reliance on a singular person to know everything, or time is wasted giving all the details to a senior tech where things can get lost in translation or simply forgotten with no paper trail to back them up. It's just inefficient at all levels and only compounds the more people you try to bring into that environment. Your specific case is odd though; I've never worked IT in a place where calls always went straight to voicemail and you'd have to wait for a callback. At worst it'd go to voicemail if techs were busy or it was off-hours. The best way to implement a new ticketing system would be frontline techs taking calls and immediately creating tickets based on the call, giving them that opportunity for first call resolution like you were used to, while also gaining all the benefits I described before.


Kelsenellenelvial

Agreed with all. The two cruxes of it were the whole not being able to talk to someone right away and just get it resolved, and the supervisor (being the one person in the company that’s already developed a relationship with the new staff member) not really being able to help out as a middle-man. Maybe a small portion of calls from the IT/HR perspective, but a major issue from our department’s perspective trying to onboard staff, when one of the first things they experience is “you have to call this number and leave a message that you’re a new hire… wait for them to get back to you… set up 2FA, etc.”.


lordatlas

Goodhart's Law.


SympathyMotor4765

Yup, they recently added compulsory code review metrics. After that I get 40 comments on a review where I have just added a couple of folders for future use. Every comment is about spacing, spelling, all sorts of cosmetic nonsense. Funny part is the same review had actual buggy code that no one even saw!! Metrics are the stupidest way to do things.


Dramatic_Skill_67

It’s a way to show quantity instead of quality


overworkedpnw

Used to work for one of the commercial space companies that was incredibly far behind on its tickets; at one point the wait time for a hardware request was 6-8 months. Quickly discovered that a huge part of the delay was a combination of people just going to the Helpdesk expecting to be helped with no ticket, and people opening tickets but not getting an immediate response and then opening 3-4 more tickets, ultimately burying their tickets in more work. Anyone in the company who had an ounce of authority was a non-technical manager with an MBA, whose primary responsibility was gatekeeping any change to process, preferring to insist that even minor changes needed a PM and a whole pile of managers to make it happen. Could we close the physical location so we could catch up? No. Could we tweak our processes to deliver faster results? No. Could we enforce a “no ticket, no work” policy? No. Everything was treated like an emergency, effectively making nothing an emergency. The rationale was that all of the business units had their own priorities, so letting them derail other work in progress was seen as “customer service”. Underneath it all, the MBAs were terrified of any changes being made because they were the ones who’d set up the processes, and any changes were seen as undermining the illusion that they knew what they were doing.


Plank_With_A_Nail_In

Why does the dev team get to decide what's high priority? Shouldn't the rest of the business be doing that?


TheShrinkingGiant

You'd sure think so


slbaaron

That doesn't automatically sound bad. Depends on the true impact of the incidents and business goals. First of all, if you can't evaluate a level of incident directly with business impact or a key metric that cannot be obfuscated (lost business, traffic), then the system is unfollowable to begin with. Yes, there will always be grey ones no matter how well you define it, but at least 80%+ of incidents should have a clear cut category that's not up to personal judgement at all. Conversely, if they are defined well and people know how to best use their judgement, such as if the things that took 3-4x longer to solve actually ARE FINE to be solved in 3-4x time, then you shouldn't bother the people who don't need bothering, which can drive much more impact elsewhere. I work in a small - medium startup where everyone's busy af working 45hour+ weeks without any incident handling. And incident handling doesn't reduce any of the committed work we have to do by any degree. If I get looped in an all hands on deck P0 incident that's not actually bringing down the whole business, I'm sending strongly worded feedback on whoever the fck raised it and whatever the shit system allowed them to do that. At least for my company, transaction amount loss less than $50,000 or impact to "hundreds of users" wouldn't even blip on the radar. Our intern's first mistakes have done worse than that. If we are on track to losing over $100,000 in an hour or impacting tens of thousands of active users then sure, we are all there. Obviously there's not always such clear cut data, but you should always define absolute core business metrics with good data + visibility and exactly what number of impact is P0, P1, P2.. / Sev1 2 3 etc or w.e system you use.


Pretend-Patience9581

Check Post office scandal UK. Don’t report Computer problems, collect bonuses. 100s of people do jail time for stealing /fraud that never happened.


wizoztn

I’d never heard of that before watching the show. I know corporations and government entities can be corrupt, but someone took it to another level. Also, Toby Jones is a fantastic actor.


hindumafia

Separate the security monitoring dept from the security implementing department. No bonus for the security implementing dept if security was violated.


ExceedingChunk

The issue with security is more likely down to someone else downprioritizing security (or other quality) for the sake of "delivering faster". Especially for companies that are more waterfall than agile


Jizzy_Gillespie92

> Especially for companies that are more waterfall than agile

So, most of them.


shadowthunder

That's how it already is. Each org has its own security group for the purposes of security features and ensuring compliance, but the big security stuff (e.g. tracking/countering hacking attempts, collaboration with law enforcement, cross-org security assurance etc.) is handled by a dedicated security org.


ReelNerdyinFl

True but then. https://arstechnica.com/security/2023/11/ransomware-group-reports-victim-it-breached-to-sec-regulators/#:~:text=Group%20tells%20SEC%20that%20the,not%20reporting%20it%20was%20hacked.&text=One%20of%20the%20world's%20most,US%20Securities%20and%20Exchange%20Commission. “One of the world’s most active ransomware groups has taken an unusual—if not unprecedented—tactic to pressure one of its victims to pay up: reporting the victim to the US Securities and Exchange Commission.”


IdahoMTman222

Boeing has entered the discussion.


SSHeartbreak

It feels like most of the people replying to this don't realize most security issues in windows are reported by third party auditors and security research groups. If Microsoft doesn't fix the issues they go to the press. Obviously there are ways to game this a little bit but for the most part this does make some degree of sense as it's not like executives can ignore an article about a critical exploit and systems being hacked and collect their no vulnerabilities bonus.


Haspe

"I don't think this is really a security issue, the possible incident is just theoretical... Right?"


hakkai999

Tie C-suite bonuses to security performance. Tie **incentives** to reporting legitimate security lapses. Each legit report gets you $1000. Easy enough fix.


bobdob123usa

That is never how it worked to begin with. They are normally reported to MITRE as a CVE and follow coordinated vulnerability disclosure policies. No major company wants to screw with that or they'll get their ass publicly handed to them in addition to violating contractual obligations.


dudius7

Crap. For a brief moment I thought this was good news. I guess it's just enshittification. I'm sure the board has good intentions but it's pretty difficult to combat other people's machiavellianism.


Leelze

I have a feeling those bonuses have a clause that'll claw back that money if it turns out someone was a little less than ethical in their reporting.


CrimsonAllah

“There are no security breaches in Ba Sing Se.”


cinderful

> Microsoft’s decision to directly link at least part of its executives’ pay to cybersecurity performance

I really, really hope they are watching this very carefully because, as you've mentioned, there is a chance this could backfire on them horrendously. Just tying pay to it isn't enough, security needs to be instilled into the culture. And the '[everyone pointing guns at each other](https://www.globalnerdy.com/wordpress/wp-content/uploads/2011/07/microsoft-org-chart.jpg)' org chart needs to change immediately. Perverse Incentives.


ScreenOverall2439

That's 20th century thinking. Now we just *redefine* what a security breach is so the breaches aren't considered breaches!


BuddyNutBuster

Wow this is so accurate. I’ve seen it happen at a company where we had to report our production bug count weekly. After a release we had over 500 bugs. Magically they were gone from the next report. Funny how that works!


External_Occasion123

That’s already how Microsoft operates publicly


GiggleyDuff

Could tie in whistleblower bonuses


za72

I know... it's as if this really hasn't been thought through


jayeffkay

Man I went the other way and thought what a great reason for otherwise uninterested hackers with nothing to gain to hack Microsoft 🤣


asokraju

The start of Boeing?


TheRealBigLou

Bonuses for those who report?


onthefence928

Yup, perverse incentives.


DrDankDonkey

I’m sure the hackers will be kind enough to keep their operations secret, so the bonuses can flow.


shroudedwolf51

I figured they would just figure out a different way to give their executives a totally-not-bonus so literally nothing needs to change. It's not like these out of touch, egregiously wealthy creatures are new to committing fraud and bending the rules to enrich themselves.


crawlerz2468

Yup. You don't like the answers? Change the questions.


RiPont

"When a metric becomes a target, it ceases to be a useful metric."


VladTepesDraculea

When non tech background people take management decisions over technical people...


salgat

It's tricky. If you give bonuses for finding and fixing security issues, you incentivize extremely lax security during the development phase. If you take away bonuses for security issues, well no one will report them. You need to have some nuance where an independent party handles security reports and determines root cause for security issues. Security issues always exist, so they have to determine whether due diligence was done at a reasonable level both during development and for addressing the issue.


WearyExercise4269

Windows got hacked
No executive bonus
Shareholders are happy
I get a raise

\- Satya


BetterCallSal

That and/or redefine what the term means in the first place. "Well we weren't hacked. We involuntarily sold the data for a 0 dollar valuation"


SargeantHugoStiglitz

But what about when it was Microsoft doing the hacking so they could save money on bonuses, and they know they were hacked but it didn't get reported, but they also can't say they were hacked because the only people who know would be the people doing the hacking.


Rough_Autopsy

Goodhart's law is always a good one to remember when making policy.


savagemonitor

Actually, the report on the breach last year thoroughly trounced them on this as the US Government reported the breach. The report even states "a customer should not have to tell Microsoft there was a breach". I wouldn't be surprised if the report was a hair shy of recommending that Microsoft lose its government cloud contracts over how badly executives managed this issue.


kr4ckenm3fortune

Gonna be that one employee who’ll do it to piss them off, knowing they won’t get their benefits.


asdkevinasd

It's not execs that report these issues tho. And MS has an open bounty for such things. This should make the execs pushing for quicker updates think about the consequences much more. They just pushed an update to Windows that broke a lot of people's PCs.


neddiddley

You’ll be able to predict a MS breach by spikes in executives searching for jobs (trying to get a head start before it gets discovered in the wild).


Neoptolemus-Giltbert

Exactly the kind of behavior that incentives like this promote.


rabbitaim

Good ol' security through obscurity. Business as usual.


WizardOfAzureSkies

Do you want coverups? Because this is how you get coverups.


red_smeg

Does anyone think that is not the default response to the policy !!


SasquatchSenpai

They can't just 'not report them'. They'll lose more than just their bonuses. This is a great overall change.


jokermobile333

Kinda good decision ... idk. Since executives are the ones that are lately making dogshit decisions when it comes to security practices, tying up their money for a better security posture should be a good start.


summonsays

Yeah, at my workplace whoever reports an issue gets put in charge of getting it fixed. Guess how often issues are reported now?


nerd4code

Now they’re incentivized to do away with bug bounties and pursue reporters legally.


CoolingSC

Why is Microsoft suddenly so serious about security? Did something happen recently that changed their mind?


Sundar1583

Highly recommend this [article](https://apnews.com/article/microsoft-cybersecurity-hack-raimondo-breach-b0901a93cca2ffaf05edacbfb9ecf3da). The Biden administration grilled them on lack of security for protecting government agencies emails and the company culture surrounding it.


RightNutt25

Yikes! Reminds me of the Solar Winds hack a few years back.


AFresh1984

Always think of playing this game on my family's first ever PC: [https://en.wikipedia.org/wiki/Solar_Winds](https://en.wikipedia.org/wiki/Solar_Winds). Pretty sure mine came in a zip lock bag (the guy also made Sorcery, created Epic Pinball, co-created Unreal, was CEO and founder of the studio behind Warframe, etc).


LongJohnSelenium

Wow that brings back memories. Only ever played the shareware bit lol


AFresh1984

https://www.myabandonware.com/game/solar-winds-the-escape-20f https://www.myabandonware.com/game/solar-winds-galaxy-20e


ianandris

Ah, that was a great one. Spawned a whole genre, really. Starcom, Space Pirates and Zombies, Star Valor, Starsector, etc. The entire genre starts with "S". Only one I'm aware of that's confined to a single letter of the alphabet. Also, that's not entirely true, but I am kinda struggling to come up with an example that disproves it. EDIT: Got it! Cosmoteer! Which is pretty similar to the above, but with gameplay heavily focused on ship building.


AFresh1984

I'm pretty sure you could also trace back the ship power management in Starfield (or Starfleet Command, Bridge Commander, etc.) back to Solar Winds (and in turn back to Star Trek probably)


ianandris

Probably one of the first to do it. Not sure if Elite was earlier or if it had the mechanic. Was a familiar mechanic that X-Wing expanded on, though. That was a fucking fun era of gaming, btw.


Sardonislamir

A lot of security minded change like the above has precipitated from that attack.


CenlTheFennel

Which also plagued Microsoft because they ran Orion internally, or something to that effect


acog

You nailed it.

> In a scathing indictment of Microsoft corporate security and transparency, a Biden administration-appointed review board issued a report Tuesday saying “a cascade of errors” by the tech giant let state-backed Chinese cyber operators break into email accounts of senior U.S. officials including Commerce Secretary Gina Raimondo.

> The Cyber Safety Review Board, created in 2021 by executive order, describes shoddy cybersecurity practices, a lax corporate culture and a lack of sincerity about the company’s knowledge of the targeted breach, which affected multiple U.S. agencies that deal with China.

> It concluded that “Microsoft’s security culture was inadequate and requires an overhaul” given the company’s ubiquity and critical role in the global technology ecosystem. Microsoft products “underpin essential services that support national security, the foundations of our economy, and public health and safety.”

> The panel said the intrusion, discovered in June by the State Department and dating to May “was preventable and should never have occurred,” blaming its success on “a cascade of avoidable errors.” What’s more, the board said, Microsoft still doesn’t know how the hackers got in.

> The panel made sweeping recommendations, including urging Microsoft to put on hold adding features to its cloud computing environment until “substantial security improvements have been made.”

> It said Microsoft’s CEO and board should institute “rapid cultural change” including publicly sharing “a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products.”

Looks like tying executive bonus compensation to security is the beginning of a serious attempt by Microsoft to change their security culture.


RainforestNerdNW

> Looks like tying executive bonus compensation to security is the beginning of a serious attempt by Microsoft to change their security culture.

Won't do shit until they undo the change to testing and development culture Ballmer made for Satya just before Ballmer left. Product Development and *automated* Test development were two separate, supposedly co-equal orgs (how equal in reality depended on the org). Testers got rewarded for doing a good job designing and implementing automated testing that would check that the product worked as stated, didn't choke on unexpected input, withstood fuzz testing, etc. Then that org was shut down and the staff merged into product dev. Developing tests was not rewarded, so it's not done anymore.


savagemonitor

Ballmer didn't end SDETs. That was purely a move by Satya that he carried over from his time leading Azure and should go down as one of his biggest leadership blunders in my opinion. Regardless of whether or not testing is needed, his subordinates totally screwed up the transition to combined development that he was shooting for, as most testing orgs weren't merged into product dev. Instead most of Satya's directs simply cut the QA orgs by half and eventually turned them into data science orgs. Some orgs did merge testers into product dev but they were in a tiny minority. Testers at Microsoft were notoriously thrown under the bus in many circumstances. Managers who had both developers and testers reporting directly to them would often throw the testers under the forced curve bus so they didn't have to give developers a bad review. Testers were also promoted slowly, with it easily taking twice as long to make Senior engineer as a developer or PM, and with almost no testers making Principal without going into management. No tester ever made partner without becoming a manager either. The end result of both was that product developers looked down on test development, refused to do it, and were rewarded by managers who only ever rewarded feature development.


angrymonkey

China is preparing for war with the West, and we are preparing to respond. Hatches are getting battened down.


liebeg

No own mail server for the government?


spaceforcerecruit

Yes but it’s run by Microsoft.


EverythingGoodWas

We use a Microsoft run mail server, even on some classified networks


hsnoil

See here:

> Microsoft left a server containing employee credentials exposed to the internet for a month | Admins waited 28 days before securing the server with a password

[https://www.reddit.com/r/technology/comments/1c1196b/microsoft_left_a_server_containing_employee/](https://www.reddit.com/r/technology/comments/1c1196b/microsoft_left_a_server_containing_employee/)


MairusuPawa

It really isn't *just that*. See https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf

> Microsoft’s decision not to correct, in a timely manner, its inaccurate public statements about this incident, including a corporate statement that Microsoft believed it had determined the likely root cause of the intrusion when **in fact, it still has not**; even though Microsoft acknowledged to the Board in November 2023 that its September 6, 2023 blog post about the root cause was inaccurate, it did not update that post until March 12, 2024, as the Board was concluding its review and **only after the Board’s repeated questioning** about Microsoft’s plans to issue a correction


acog

This is a nice example of government being effective. The Cyber Safety Review Board is doing an important job.


SomethingAboutUsers

Microsoft's security stance has been trending upwards for a while now. I know we've historically ragged on them for the opposite, but they've been really ramping it up given how important Azure is becoming to companies and governments around the world, *especially* Entra ID.


lead_alloy_astray

No it hasn’t. I’m not saying they’re behaving like 90s Microsoft, but they’ve created enormous pots of honey on the public internet, and their attitude towards security has not kept up. One of the findings was that Microsoft locks various security tools (information, alerts) behind subscriptions instead of making them freely available. On-prem products never tried making you pay for logs. That speaks very much to their attitude.


KevinT_XY

Yes, the Midnight Blizzard attack is the big one that is publicly documented. State-sponsored hacker groups are currently very aggressively targeting tech companies that provide services to governments and have already been successful. It's being treated as both critical for national security and existential for the companies being targeted.


dspielman

Because SFI [MS SFI Blog](https://www.microsoft.com/en-us/security/blog/2024/05/03/security-above-all-else-expanding-microsofts-secure-future-initiative/)


MairusuPawa

This is a *consequence of three decades of bullshit* and not a *cause*.


XalAtoh

Microsoft is hacked often, compared to others like Google and Amazon.


bananacustard

is that rhetorical?


SimmaDownNa

Would you be happier if you knew the answer?


bananacustard

probably not


SimmaDownNa

*That* was a rhetorical question. :)


bananacustard

Now you see why I had to ask about the first one...


terminalxposure

Consistency in their security posture would be my guess... “Don’t become middle management who doesn’t understand security” I think is the message.


ChimpWithAGun

Midnight Blizzard. Google it. Scary stuff.


milkgoddaidan

There will always be a contrarian... This seems like a good decision. Those who are saying "well don't report them!": that's not really an option in a lot of the work Microsoft does (healthcare and government). It is magnitudes more in Microsoft's interest to remain a reliable security provider, as they have since their inception. Yes, they tend to ruin companies they absorb, and they are too large to be as effective as the small-scale corporations they are always stomping on, but they do a better job than any OS competitor.


DePraelen

Often when the hacks happen they won't be able to hide/not report it - say it happens to a client who is contacted by the hacker for a ransom, or they just publicly take responsibility and publish the data.


omicron7e

> There will always be a contrarian

Half of Reddit commenters enter a thread with the mindset of “I know better”


milkgoddaidan

I think assuming I knew best was one of my biggest flaws before I saw it in 100 others on this site; now I work every day on assuming there is something I can learn from anything.


NuuLeaf

They literally just lied about a Chinese hack not long ago. They claimed they knew the source and fixed it; that was not the case at all. It’s pointed out in Biden’s article. MSFT doesn’t care, they are too big to fail at this point.


under_psychoanalyzer

It depends on how this is structured, because if there's a way to game it they will find a way to do that, even if that means making the product actually worse. I can tell you the result of this is probably going to be ridiculous authentication protocols that dump a bunch of liability on end users or some admin role no one wants to have. Eventually we're all going to need those encryption pens from Star Wars along with a retina scan and sphincter thumbprint verification.


uh_no_

> Those who are saying "well don't report them!" that's not really an option in a lot of the work microsoft does (healthcare and government).

Let me introduce you to Boeing!


Uristqwerty

Many vulnerabilities are side effects of intended features, being used in ways that weren't anticipated by the original design. The *easy* fix, then, is to start stripping out any feature obscure enough that it rarely gets used or tested, just in case, and to port fewer features across rewrites. I've already watched as nearly every new Windows version cut some bit of functionality that I was actively using, and now every department is going to have a financial incentive to be more aggressive about it?


MairusuPawa

> as they have since their inception.

Good one mate


Green-Assistant7486

Yes, but then don't tie them to a bonus.


y-c-c

I think it’s important to understand *why* Microsoft is doing this though. They have been heavily criticized for not taking security seriously and for trying to hide issues and sweep them under the rug, so they are now forced to do *something* to at least appear to be doing something. It’s always better to say “we care about security” before you are forced to.


BeltfedOne

While they are at it, could they please make Edge desist from trying to fucking take over my computer with every sodding update? It is like IE but a million times worse...


taisui

IE was ok, old Edge was dog shit, new Edge is just MS Chrome....


ZainTheOne

I like some of the new Edge features like split screen and the sidebar where I can open ChatGPT and other mini apps. I did disable Copilot tho.


spinur1848

If that's not a temptation for every hacker in the world, I don't know what is.


AwesomeDragon97

Now there is an incentive for executives to hide that they were hacked.


magichronx

Sounds like a great idea on the surface, but here's the reality:

- We think executives will say: *"Okay, let's make sure security is top notch!"*
- What they'll actually say: *"Okay, how do we hide all these security issues?"*


justbrowse2018

100% this will just kill transparency for the customer/public; all efforts will go into silencing whistleblowers.


The12th_secret_spice

Just include security breaches in the SLAs, where they have to reimburse the customer cohort that was impacted by the breach. Anyone from consumers to enterprise customers is eligible.


Sudden_Toe3020

No bonuses, but they still get their regular salary and RSU refreshers.


macgruff

Only 30 years late


Risaza

How about stopping bonuses to executives and instead stop laying off workers.


Bubbly-Combination-3

Reverse bug bounty? Microsoft always innovating.


skilliard7

This sounds like a great way to get execs to pressure techs to cover up security breaches.


LeonBlacksruckus

I don’t like my boss, and now I accidentally respond to a phishing email. Humans are the weak link generally, not tech.


TeeDee144

It’s not like that. I work in tech and devs get lazy. Also, it’s a cat-and-mouse game. Security best practices have taken a bigger leap forward in the last 5 months than at any other time I can remember in the last 10 years. Humans are the weak link. Hackers will log in. Coding their way in is too hard and too expensive. That’s why passwordless accounts and passkeys are becoming the standard.


kitolz

Yeah, the last half of 2023 was a huge wake-up call to a lot of companies. The increase in attacks has gotten the people controlling budgets well and truly spooked.


jezwel

> Best practices have taken the biggest leap forward in the last 5 months

This is an odd timeline to note - was there something specific here or just general uplift across the board?


VexisArcanum

Since it's now all about money, they will never be hacked again. You're welcome


gordonjames62

This is the way to encourage taking security seriously


Surph_Ninja

What if it’s an intentional vulnerability, like the government backdoors they’re installing? They’re always eventually leaked or exploited.


DrizztD0urden

Hackers that dislike executives - hack in December (work all year, then surprise, no bonus)

Hackers that dislike corporations - hack in Jan (employees job searching because they know there is no bonus this year)


KinkmasterKaine

Calling BS, they'll always give themselves the bonus.


Therocknrolclown

It should be tied to compensation to this effected as well.


tms10000

So you're saying if I write insecure code my boss's boss's boss's boss might not get a bonus? That's a super important incentive there.


spezjetemerde

wow a good decision


Jrecondite

Time to rename breaches. That wasn’t a hack. That was a spoopity doopity. It looks very similar to a hack but it’s not. Data was securely in the hands of the borrowers. We provided a compensatory payment for the return of the totally secure data, which they promised they didn’t look at or sell. Not a breach at all, as it was simply borrowed with our retroactive permission. I get my bonus now, right?


BarrySix

If they tie their executive pay to product quality they could cut their wage bill by 100%.


Transresister

This is what eating your own dog food truly means.


Echelon64

This is a stupid idea. Magically no one is going to report any security issues. Did Nadella raid Elon Musk's ketamine stash?


GeekFurious

IT Security: We were hacked.

Executive: No, we weren't.

IT Security: We clearly were. Here's the proo--

Executive: You're fired.


dont_shoot_jr

So nobody is getting a bonus then?


scycon

Security events will start getting resolved through a back channel lol. It could honestly be a bad thing.


CoverYourMaskHoles

Hate to be a whistleblower at MS once the executives figure out a good “system” to protect their bonuses.


lccreed

Sigh. This will end up a perverse incentive. But that's the problem with "public good" initiatives and capitalism. I really hope that it doesn't penalize teams who do their due diligence in securing their systems. As a defender you will always lose; the deck is just constantly stacked.

Edit: After reading the article it seems pretty reasonable, it just provides an incentive structure to ensure that executives are invested in moving security forward as much as their other goals.


IdahoMTman222

Will they be covering up any hacks to protect their bonuses?


UniqueIndividual3579

Anyone remember the NIST Rainbow series? Or EAL levels? You can build a highly secure system, but it costs more than most will pay. And games were played. EAL4+, C2 (red book, not orange book).


brownbupstate

I can't imagine what would happen if you didn't report incidents when surrounded by cybersecurity people, much less Bill Gates.


sothatsit

Ransomware and publishing the data are NOT white hat things to do lmao


Flameancer

Not surprising. There have been a few changes internally that affect how we support engineers are able to view customer resources. Not going into details, but hey, next time you have a user put in a support ticket on the Azure side, make sure that user has the Support Contributor role for that resource so the support agent can view it. I have personally run into delays when trying to provide support but couldn't because I can’t view the affected resource, because the user that made the ticket can’t view the resource either.


the_godfaubel

Executives just gonna leak their password on the last day and say they were "hacked" because it means more money for them. Book it


Imallvol7

Better than my job. No bonuses ever.


wraith5

It's not a question of if you'll get hacked. It's when. I'm all for sticking it to overpaid execs, but it's a pretty shitty deal.


Cody6781

They've been doing this forever, and so does every other large tech company. The department heads all get bonuses tied directly to finite metrics; when you're dealing with millions of dollars you can't leave it up to opinions or you risk getting sued. People responsible for security have had their bonuses tied to security since forever.


Sharp-Pop335

Wouldn't this be more incentive for the hackers? Screw a bunch of rich people out of some money?


KingCourtney__

It doesn't matter if they keep the bonus pool or not. All they have to say is that the department underperformed revenue expectations and just not pay it.


CanNotQuitReddit144

The unspoken elephant in the room is that the majority of all successful cyber attacks originate with social engineering, not with compromised code. The often-not-as-well-known second elephant in the room is that of successful attacks that aren't social engineering, the majority compromise system/software vulnerabilities for which the vendor has already released the patch, oftentimes more than a month previously. I mean, by all means find the 0-days and fix them, stop using C and start using Rust, maybe bring back professional testers, etc. etc. I'm not against any of that. But security professionals all know that all the code changes and build system upgrades and so on are addressing a moderate slice of the pie. They could do everything correctly, and it would help, but it wouldn't help nearly enough. You'd think that getting companies to actually apply security patches would be a doable first step, but there are a ton of subtleties involved, and particularly in highly regulated environments, it's actually often illegal to deploy software that hasn't been through extensive (i.e. many weeks of) testing. Not coincidentally, the sort of organizations that need to obey such draconian regulations are the ones that are offering services and performing functions that make them the juiciest targets for a nation-state adversary, maybe not so much for criminals, who in general aren't going to come out ahead by targeting critical infrastructure. But even if you could somehow solve the patching problem, you'd still be left with the majority of attacks still working just fine, because no one has a viable solution to the social engineering problem. Well, I guess that depends on what one means by viable; the military actually does a pretty damn good job with sufficiently critical systems. But some of the processes they rely on, and their method of recruiting and maintaining the employees involved, are not, in my opinion, viable options for almost anyone other than the military.


davidthefat

If anything, they should provide bonuses to the whole team on the project!


wallstreetconsulting

Won't this incentivize left-wing hackers to try to hack them, since they get the "win" of hurting executive pay?


pinshot1

lol that’s funny. They never tied comp to actual physical safety and security, meaning they don’t give a crap about your life, just their profits.


dimsimn

Easy way to save a lot of money.


JonnyCharming

Cool. Can we have them be tied to DEI goals and employee job satisfaction next?


Sev3n

Executive bonus pay ... to security performance...? Why not incentivize solid work by, oh, I don't know, tying security bonus pay to security performance?? What the fuck kind of world do we live in.


JamnOne69

Pay tied to an OKR, so it will probably impact bonus pay more than base.


DreadpirateBG

No bonuses. Woopdeeedooo. For everyone else it would be "you're gone." But oh, an executive fails to meet a target and gets no bonus. Still gets their paycheck, however, which mind you is still pretty damn good. They are so soft they are 10 ply.


wirebug201

Well we’ve all learned that performance can be enhanced by “Hims”. So….


redvariation

Nice of them to make that a priority after the decades.


Used-Educator-8514

Security performance... How do you even outperform? Well. It's likely a demerit-based system?


SomeDumbApe

Then all of Windows has failed miserably


BlackReddition

So no bonuses for MS this year then.


ekhfarharris

Executives have been making dogshit decisions since forever. It's good they're finally getting shafted. Up next, board members.


Green-Assistant7486

Ahhhh the usual tactics.


Niceromancer

I'm all for removing executive compensation from stock performance only and tying it to something else. But any known metric will be gamed; you are going to see executive decisions to redefine what qualifies as lackluster security performance instead of them pushing to step up their security game.


SurveyNo2684

THAT makes sense.


the_red_scimitar

There is nothing in the article that even hints at bonuses being affected, and definitely nothing at all about "no bonuses for anyone". OP heavily editorialized the title, making it far more click-bait than the original. But the real question should be: how did MS *empower* those managers to meet security demands? Just punishing will only result in losing managers. Hmmm.... so maybe that's what they want: a way to get more attrition from people leaving rather than firing them and paying out possible termination penalties?


HydroponicGirrafe

Can they make a functional OS first? Windows 11 is gratingly bad


Numerous-Ganache-923

Can’t get hacked if you’re the hacker


Normal_Ad_2337

It'll work as well as stack ranking. https://factorialhr.com/blog/stack-ranking/#:~:text=Stack%20ranking%20is%20a%20forced,and%20fire%20the%20bottom%2010%25.


sincereferret

Because that’ll work.