[pbhjpbhj]

From scanning the page it sounds like Huawei used a hack to make their MateBookService unkillable, unremovable, by unhooking in to services.exe. That in the process of that they left the possibility that the device they were using HwOs.*\.sys was only protected from being used by checking the program had the right path, thus leaving it open to crackers (it being basically g+rw) to use to get the ring-0 permissions needed to run the "stay resident"-type hack Huawei were using. And that in turn meant a process could overwrite MateBookService and gain it's own privelege escalation??

Am I close, if so: is there evidence that Huawei were using that access maliciously or was it just "to make sure their 'management software' retained it's place in the OS"??

We're talking about computers manufactured by Huawei here? Surely they can run code at a far lower level, is this MS and Huawei fighting over which of them "owns" the users computer?

[Slight aside: The MS page reads a lot like an advert. Nice link through to a page that itself has "start trial or buy" up top above the hero shot. Name drops some big vulns, Wannacry, DoublePulsar. Devalues the piece IMO because it seems the reason for them doing the work is solely to create an advert.]

[wyattpeak]

Not addressing the main point but the aside - I like it when companies have a clear financial interest in solving a problem.

Sure I get the warm fuzzies when a company like Google circa 2005 does something to help people with nothing obvious to gain from it. But in my experience companies like Google circa 2005 tend to become companies like Google circa 2019. People acting in their own interest are reliable.

[DanielBMarkham]

Apologies for digressing, but this is an important point.

Instead of the facile happytalk "Don't Be Evil", a much better slogan might be "Be as evil as you want, just don't hide anything from me and let's have an open and honest relationship"

Companies keep using the average user's technology ignorance against them. That was kinda cool and probably acceptable when you were the smart kid making a few dollars here or there, everybody loves the story of some genius hacker able to figure out the stock market and made a small fortune on a stunt they could never repeat, but this has gotten completely out of hand. It's gotta stop. We need to start acting in the user's best interests as if they knew as much about the business as we do. That's the only ethical way forward from here.

[mortb]

Word. I very much miss a serious ethical discussion in the tech crowd that I see myself as part of, being a developer. I think we should admit that we are part of a technocracy. If you know the tech you may pull any stunt off, even when you're a big company. The people that need question our actions are not likely to understand the problem.

To cut short to my conclusion: We should be more humble about our less tech educated users and act accordingly.

[HeWhoLurksLate]

  Companies keep using the average user's technology ignorance against them.

So, then, do OSS things like vsCode, which are made for developers, go in the "Company plays to the users technological strengths" column"?

[skybrian]

The problem is that most incentives can be gamed. There are good and bad ways to get customers to buy more or make the stock price go up.

People are smarter than metrics. Increase the incentives and you also increase the incentive to cheat. Sometimes the best you can do is insulate people from incentives, so people have the leeway to do the right thing without acting against their own best interest.

[kbenson]

Well, that's why there's generally a difference between market incentives and regulatory incentives. In this case, I believe we are referring to market based incentives, where gaming them is of limited use because the market should respond to that gaming.

That said, regulatory incentives and punishments have their place too, IMO generally where the market isn't responding well, or information isn't available enough to allow for an efficient market, or as a response to some other regulatory market effects. But, as you noted, you'll often get some interesting behavior right at the edge of where the regulation kicks in because there's often a hard change instead of a gradual shift as an efficient market would allow.

[skybrian]

If gaming the markets is of limited use, I wonder why market participants put so much effort into it?

I mean, consider Wall Street, Las Vegas, used car sales - the list goes on and on. It's a rich area of storytelling that goes back to the dawn of recorded history.

[kbenson]

If you say what you mean by gaming the system with any of those, Wall Street, Las Vegas, used car sales, maybe I can respond intelligently. As it is, I'm not sure what you're referring to. Most things I think of that would be considered gaming the system to do with those have to do with human rules applied to a system, instead of emergent market economics, and that's what I was referring to.

There is gaming of markets, but I think generally if it's not based on some regulation, it's because of information asymmetry (which is a market inefficiency).

All I was trying to point out in the prior comment is that there are different kinds of incentives. There are incentives that are constructed, and there are incentives that are natural. Constructed incentives are much easier to game. Natural incentives are emergent. Microsoft is incentivized to have good security for their OS now by the market in general, because it hurts them to not have good security (compared the the bast, where they could get away with lax security until it became a problem). That's emergent from the market and people deciding to use or not use their product. I wouldn't consider that "gaming the system", and if they did game it by talking a lot about security but not actually doing much, eventually the market should note that and respond appropriately.

Alternatively, Microsoft can reduce their tax burden by shifting business entities to different countries and shuffling how it appears their profit is created, so it's registered in a country with very little taxes, leading them to pay fewer taxes (not that they do, I don't know. I believe Apple and Google are reputed to do this). That's based on rules set by people, such as country boundaries and tax rates. Doing this could be considered "gaming the tax system". It requires specific changes to the rules to fix, it won't just shift naturally.

To me it appeared the comment you were responding to originally was using "incentive" in the pure form, meaning "benefit for doing so", and it appeared you were referring to incentive in the regulatory sense, where it's a human construction to influence behavior, but that's only a subset of the meaning.

[skybrian]

At a high level, the market is supposed to provide an incentive to serve customers - "solving a problem" or "help people" as the original post put it.

My point is that real-world incentives are never perfectly aligned with such lofty, nebulous goals. They are about things you can measure such as how much money you can make. Making money is not the same as helping people and no incentive scheme is clever enough to make it so. Customers are often smarter than rules but even then, customers can be fooled. So there will always a way to make money without helping people and when you increase incentives, it also increases incentive to do things that aren't actually the goal.

This means that to some extent we rely on people to follow the spirit of the incentives and not to simply be amoral incentive-maximizers.

(This is closely related to the principal-agent problem, except the principal here is society in general.)

[nisa]

I guess it's because Defender ATP is basically some kind of cloud-service for security and because everyone is running Windows for everything it's targeted at managers or so. I have no idea how useful it is, but I guess they have some advanced techniques to detect certain attacks (like this one, or the dropped DoublePulsar) - If you have to defend some important Active Directory Setup it's probably not a bad deal.

It's still ironic that Huawei get's some free audit for their stuff now and it's sold as they are bad, while everything is terrible - I won't install Logitech software after this epic bug here: https://bugs.chromium.org/p/project-zero/issues/detail?id=16...

[iliketosleep]

I just looked into that Logitech issue, it's interesting to note that contact was made with Logitech engineers in September. The engineers provided assurance that the issue was understood and would be fixed. Months pass... updates were released, none of which contained the security fix. December arrives and finally the vulnerability is made public, picked up by the media, and Logitech releases a fix within days.

It's a familiar pattern. If a large company were a biological organism, one of it's main pain signals would be negative PR. Prod the beast in other ways and it doesn't respond.

[pbhjpbhj]

Wow, that Logitech app is crazy huh, they just opened a port from all their Logitech Options users to anyone enabling them to make a remote keylogger.

MS must have written a huge exposé on that one, can't seem to find it on their Security site though.

[mastax]

Google writes about the bugs they find, Microsoft writes about the bugs they find. What's strange to you?

[pbhjpbhj]

Meh, I just suspect they're not as forthcoming about bugs they find for their preferred hardware partners no matter how crazily bad they are. Partialism like that makes me distrust them, perhaps my skepticism falls the wrong way here, maybe I'm reading an undercurrent that's not there.

[HeWhoLurksLate]

I at least trust that the things they report on to be accurate.

[undecisive]

It's not a question of who owns the computer; the software was trying to do things that Microsoft totally agree with - so much so that Microsoft have a published "right way" of doing it.

[thought_alarm]

When you buy a computer, whom do you trust? Microsoft, for keeping the manufacturers at bay?