Tag Archives: SharePoint

Where should we look?

That is at times the issue. I would add to this “especially when we consider corporations the size of Microsoft”, but this is nothing directly on Microsoft (I emphasize this as I have been dead set against some ‘issues’ Microsoft dealt us). This is different, and I have two articles that (to some extent) overlap, but they are not the same and the overlap should be seen subjectively.

The first one is BBC (at https://www.bbc.com/news/articles/c4gdnz1nlgyo) where we see ‘Microsoft servers hacked by Chinese groups, says tech giant’, where the first thought that overwhelmed me was “Didn’t you get Azure support arranged through China?” But that is in the back of my mind. We are given “Chinese “threat actors” have hacked some Microsoft SharePoint servers and targeted the data of the businesses using them, the firm has said. China state-backed Linen Typhoon and Violet Typhoon as well as China-based Storm-2603 were said to have “exploited vulnerabilities” in on-premises SharePoint servers, the kind used by firms, but not in its cloud-based service.” I am wondering about the quote “not in its cloud-based service”; I have questions, but I am not doubting the quote. To doubt it, one needs to have in-depth knowledge and be deeply versed in Azure, and I am not one of these people. As I personally see it, if one is transgressed upon, the opportunity rises to ‘infect’ both, but that might be my wrong look on this. So we are given ““China firmly opposes and combats all forms of cyber attacks and cyber crime,” China’s US embassy spokesman said in a statement. “At the same time, we also firmly oppose smearing others without solid evidence,” continued Liu Pengyu in the statement posted on X. Microsoft said it had “high confidence” the hackers would continue to target systems which have not installed its security updates.” This makes me think about the UN/USA attack on Saudi Arabia regarding that columnist no one cares about, giving us the ‘high confidence’ from the CIA. It sounds like the start of a smear campaign. If you have evidence, present the evidence. If not, be quiet (to some extent).

We then get someone who knows what he is talking about: “Charles Carmakal, chief technology officer at Mandiant Consulting firm, a division of Google Cloud, told BBC News it was “aware of several victims in several different sectors across a number of global geographies”. Carmakal said it appeared that governments and businesses that use SharePoint on their sites were the primary target.” This is where I got to thinking, what is the problem with SharePoint? Then consider the quote “Microsoft said Linen Typhoon had “focused on stealing intellectual property, primarily targeting organizations related to government, defence, strategic planning, and human rights” for 13 years. It added that Violet Typhoon had been “dedicated to espionage”, primarily targeting former government and military staff, non-governmental organizations, think tanks, higher education, the media, the financial sector and the health sector in the US, Europe, and East Asia.”

It sounds ‘nice’, but it flows towards thoughts like “related to government, defence, strategic planning, and human rights” for 13 years”, so where was the diligence in preventing issues with SharePoint and in cyber crime prevention? So consider that we are given “SharePoint hosts OneDrive for Business, which allows storage and synchronization of an individual’s personal work documents, as well as public/private file sharing of those documents.” That quote alone should have driven the need for much higher cyber checks. And perhaps they were done, but as I see it, it has been an unsuccessful result. It made me (perhaps incorrectly) think that, with so many programs covering desktops, laptops, tablets and mobiles over different systems, a lot more cyber requirements should have been in place, and perhaps they are, but it is not working. As I see it, as this solution has been in place for close to 2 decades, with 13 years of attempted transgression, the solution does not seem to be safe.

And the end quote “Meanwhile, Storm-2603 was “assessed with medium confidence to be a China-based threat actor””; as such, we stepped away from ‘high confidence’, making this setting a larger issue. And my largest issue is that when you look to find “Linen Typhoon” you get loads of links, most of them no older than 5 days. If they have been active for 13 years, I should have found a collection of articles close to a decade old, but I never found them. Not in over a dozen pages of links. Weird, isn’t it?

The next part is one that comes from TechCrunch (at https://techcrunch.com/2025/07/22/google-microsoft-say-chinese-hackers-are-exploiting-sharepoint-zero-day/) where we are given ‘Google, Microsoft say Chinese hackers are exploiting SharePoint zero-day’, and this is important as it is a zero-day, which means “The term “zero-day” originally referred to the number of days since a new piece of software was released to the public, so “zero-day software” was obtained by hacking into a developer’s computer before release. Eventually the term was applied to the vulnerabilities that allowed this hacking, and to the number of days that the vendor has had to fix them.” This implies that this issue has been in circulation for 23 years. And this implies that there is a much larger issue, as the software solution is set over iOS, Android and Windows Server. Microsoft was eager to divulge that this solution is ‘available’ to over 200 million users as of December 2020. As I see it, the danger and damage might be spread by a much larger population.

Part of the issue is that there is no clear path of the vulnerability. When you consider the image below (based on a few speculations on how the interactions go),

I get at least 5 danger points, and if there are multiple servers involved, there will be more. And as we are given “According to Microsoft, the three hacking groups were observed exploiting the zero-day vulnerability to break into vulnerable SharePoint servers as far back as July 7. Charles Carmakal, the chief technology officer at Google’s incident response unit Mandiant, told TechCrunch in an email that “at least one of the actors responsible” was a China-nexus hacking group, but noted that “multiple actors are now actively exploiting this vulnerability.”” I am left with questions. You see, when was this ‘zero day’ exploit introduced? If it was ‘seen’ as per July 7, when did the danger enter this system solution? The BBC article also falls short in properly informing people. You cannot hit Microsoft with a limited information setting when the stakes are this high. Then there is the setting of what makes Typhoon sheets (linen) and the purple storm (Violet Typhoon) guilty as charged (charged might be the wrong word), and what makes the March 26th heavy weather guilty?

I am not saying they cannot be guilty; I am seeing a lack of evidence. I am not saying that the people connecting should ‘divulge’ all, but more details might not be the worst idea. And I am not blaming Microsoft here. I get that there is (a lot) more than meets the eye (making Microsoft a Constructicon), but the lack of information makes the setting one of misinformation, and that needs to be said. The optional zero-day bug is one that is riddled with missing information.

So then we get to the second article, which also comes from the BBC (at https://www.bbc.com/news/articles/czdv68gejm7o), giving us ‘OpenAI and UK sign deal to use AI in public services’, where we get “OpenAI, the firm behind ChatGPT, has signed a deal to use artificial intelligence (AI) to increase productivity in the UK’s public services, the government has announced. The agreement signed by the firm and the science department could give OpenAI access to government data and see its software used in education, defence, security, and the justice system.” Microsoft put billions into this, and this is a connected setting. How long until the personal data of millions of people will be out in the open for all kinds of settings?

So we are given “But digital privacy campaigners said the partnership showed “this government’s credulous approach to big tech’s increasingly dodgy sales pitch”. The agreement says the UK and OpenAI may develop an “information sharing programme” and will “develop safeguards that protect the public and uphold democratic values”.” So, data sharing? Why not get another server setting, with the software solution also set to the government server? When you see some sales person tell you that there will be ‘additional safeties installed’, know that you are getting bullshitted. Microsoft made similar promises in 2001 (Code Red) and even today the systems are still getting traversed, and those are merely the hackers. The NSA and other American government agencies get near clean access to all of it, and that is a problem with American-based servers. And still, there is only so much that the GDPR (General Data Protection Regulation) allows for, and I reckon that there are loopholes for training data. As such, I reckon that the people in the UK will have to set a name-and-shame setting with mandatory prosecution for anyone involved with this caper, going all the way up to Prime Minister Keir Starmer. So when you see mentions like ““treasure trove of public data” the government holds “would be of enormous commercial value to OpenAI in helping to train the next incarnation of ChatGPT””, I would be mindful about handing over or giving access to this data; do not let it out of your hands.

The link between the two is now clear. Data and transgressions have been going on since before 2001, and with the two settings combined, when data gets ‘trained’ we are likely to see more issues. And when Prime Minister Keir Starmer goes “we’re sorry”, you better believe that the time has come to close the tap and throw Microsoft out of the windows in every governmental building in the Commonwealth. I doubt this will be done, as some sales person will heel over like a little bitch and your personal data will become the data of everyone who is mentionable, and they will then select the population that has value for commercial corporations. And the rest? The rest will become redundant by natural selection according to the value base of corporations.

I get that you think this is now becoming a ‘conspiracy based’ setting and you resent it. I get that, I honestly do. But do you really trust UK Labour after they wasted 23 billion pounds on an NHS system that went awry (several years ago)? I have a lot of problems showing trust in any of this. I do not blame Microsoft, but the overlap is concerning, because at some point it will involve servers and transfers of data. And it is clear there are conflicting settings, and when someone learns to aggregate data and connect it to a mobile number, your value will be determined. And as these systems interconnect more and more, you will find out that you face identity threat not counted in the number of times, but as identity theft and value assessment once per X days, and as X decreases, you pretty much can rely on the fact that your value becomes debatable. I reckon this setting is showing the larger danger, where one sees your data as a treasure trove and the other claims to “deliver prosperity for all”. That and the diminished setting of “really be done transparently and ethically, with minimal data drawn from the public” is the setting that is a foundation of nightmares, mainly as the setting of “minimal data drawn from the public” tends to have a larger stage. It is set to what is needed to aggregate to other sources, which lacks protection at the larger level, and when we consider that any actor could get these two connected (and sell on), this should be considered a new kind of national security risk. America (and the UK) are already facing this as these people left for the Emirates with their billions. Do you really think that this was the setting? It will get worse as America needs to hang on to any capital leaving America; do you think that this is different for the UK? Now, you need to consider what makes a person wealthy. This is not a simple question, as it is not the bank balance but an overlap of factors.
Consider that you have 2000 people who enjoy life and 2000 who are health nuts. Who do you think is set to a higher value? The insurance person says the health nut (insurance without claims); the retailer says the people who spend and live life. And the (so called) AI system has to filter in 3000 people. So, who gets to be disregarded from the equation? And this cannot be done until you have more data, and that is the issue. And the equation is never this simple; it will be set to thousands of elements, and these firms should not have access. As such, I fear for the data making it outside UK grounds.

A setting coming from overlaps, and none of this is the fault of Microsoft, but they will be connected to (and optionally) blamed for all this. But as I personally see it, the two elements that matter in this case are “Digital rights campaign group Foxglove called the agreement “hopelessly vague”” and “Co-executive Director Martha Dark said the “treasure trove of public data” the government holds”, which will be of significant danger to public data, because greed-driven people tend to lose their heads over words like ‘treasure trove’, and that is where ‘errors are made’. I reckon it will not take long before the BBC or another media outlet trips up over the settings, making the optional claim that ‘glitches were found in the current system’ and no one was to blame. Yet that will not be the whole truth, will it?

So have a great day and consider the porky pies you are told and who is telling them to you, should you consider that it is me. Make sure that you realise that I am merely telling you what is out in the open and what you need to consider. Have a great day.


Filed under Finance, IT, Law, Media, Politics, Science

Fear is a tool

It started with a thought, one I have had for a little while and one that had been voiced in the past. Today, in the Guardian we see part of this in the article called ‘How we sold our souls – and more – to the internet giants’ (at http://www.theguardian.com/technology/2015/may/17/sold-our-souls-and-more-to-internet-giants-privacy-surveillance-bruce-schneier). I respectfully disagree with parts of this.

The first premise is the important one.

Did we sell our souls, or were governments on a global scale lax and slow regarding the rights of privacy?

That is an important question, as it is linked all over the place. We tend to look (as I have mentioned numerous times) at the information the intelligence community gets, but at the same time we allow ourselves to get mined and exploited by every social network available. A nice example that the article uses is the Hello Barbie. The Washington Post gave us loads of information in March (at http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/11/privacy-advocates-try-to-keep-creepy-eavesdropping-hello-barbie-from-hitting-shelves/), but it did not get the global visibility it should have had.

You see, there is nothing wrong with an interactive toy. I reckon that as programs became more and more interactive, so would toys, and the Hello Barbie doll is the premium evolution for children. The big issue is not the toy, but this simple line: “As the doll ‘listens’, audio recordings travel over the Web to a server where the snippets of speech are recognized and processed. That information is used to help form Hello Barbie’s responses”. Why? Why use the web? Why not connect to a device that has the software installed? The answer is simple: this is only in one part about the doll; it is a lot more about collected data, and data is value (their marketing department will come up with some “it’s all so much easier via the web” answer). Collecting the questions of children gives way to trendsetting and to marketable exploitation. Of course, in that light the adult edition, where the answer to every question becomes “not now darling, I have a headache”, is likely only 6 months away.

You think I am kidding? Data is the core of value; marketability of data is the new ‘O’ for industrials. Knowing how to push the button by answering the not-asked questions in advertisement is the rage, the El Dorado of the marketing industry. So when we see the quote at the end of the article “Mattel and ToyTalk, the San Francisco-based start-up that created the technology used in the doll, say the privacy and security of the technology have been their top priority”, we should state that if security and safety were such important parts, you would have kept these issues local and not via the web. As for security, if hackers can take down Sony, then Mattel might not be that much of a challenge, and in that light, that collected data would be worth a fortune, so people will get that data one way or another.

Beyond the toy need of a child is the need for health. That part is dealt with in “Many medical devices are starting to be internet-enabled, collecting and reporting a variety of biometric data. There are – or will be soon – devices that continually measure our vital signs, moods and brain activity”; now we get to the juicy stuff! You see, in the UK there is the Data Protection Act 1998. Yet here we see the following issue:

Section 36 gives us: ‘Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the data protection principles and the provisions of Parts II and III’. So Barbie is already exempt in this case.

Even though section 2 gives us in section 11 ‘Right to prevent processing for purposes of direct marketing’, which is in part II, so Barbie is again exempt.

However, we do see protection under part one section 8. Here we see: ‘Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data’. Yet the danger here is that this regards ‘personal data’; the definition under part one states: “personal data means data which relate to a living individual who can be identified”, which is not the part that is transferred, so it does not count. The personal data is what mommy, daddy or junior enter within a website or social media, outside of the UK (or Commonwealth), so that they can receive a much more personal ‘experience’ with Miss Barbie. This is at the core of the problem, but it is only one factor. The same applies in 99% of the cases to healthcare and fitness equipment that connects through Bluetooth, Wi-Fi and the web link. All this gets collected. So when we wonder about the excuses that software is cheaper through the online experience, several parts give a clear indication that this is about collecting data, because data is the new gold. How much do you think a health care provider is willing to pay, so that they have data that allows them to cut off, or additionally charge, the riskiest 10%? Even though those people are already paying premium, to have a check on the safest group and to flag the least safe group is worth a bundle. Anyone selling that data for less than a 9 figure number is getting royally screwed.

And it goes on beyond the mere computer and the internet. More precisely, your smartphone. The apps you install track you here as well. They track your location and sometimes download your address book, calendar, bookmarks and search history. Not to mention a host of other parts. The most annoying part of it all is that you, the user, get to pay for your bandwidth, so if your data gets downloaded, you are likely to see background usage of the data, and the bandwidth used goes to your total usage.

The gem of the Guardian article is shown near the end: “And it’s all possible because laws have failed to keep up with changes in business practices”

This has been the number one issue for well over 4 years now, and the lawmakers have basically been sitting on their hands, pretty much all over the Commonwealth I might add, because data is money and those captains of industry require overhead (read: data profits). It comes down to the same issue with the laughingly disturbing discussion on movie piracy. Telcos rely on bandwidth; without that, their profits go down to the basement, and in that same light their reliance on data seems to hinder governments from reacting in a timely manner. Research, investigations and commissions. We have seen data issues since before Edward Snowden. Yes, in all these years, how many successful alterations were made to the Data Protection Act 1998, via either legislation and/or the House of Lords? You do the math, yet the answer is simple. As I see it, look at your two hands and do not use the 10 fingers; that is how often, a mere ZERO times! Just like the internet consumer change, the internet data change has seen just as many evolutions.

The worst is however yet to come!

You see, the newer mobile phones often have a capacity that surpasses many laptops and tablets. I witnessed just 4 days ago how a friend used his mobile as a SharePoint because he had to update his PS4. What he had not realised is that the PS4 also started to update his installed games. It took him less than two minutes to realise this, and in that time his 2GB bandwidth was gone! Welcome to 4G bandwidth!

He’ll lose an additional $10, so he did not think it was a biggie, but now consider how much data can be passed over to wherever the application decides. So when we get these small messages, when we are lulled into a sense of ‘security’, consider where your data is and who else has access. That is at the heart of the matter, as well as the heart of the legislative failing. Who else has access! When data is stored at any third-party provider, the app maker might guarantee that THEY will not allow access to the data, but that does not state that this is the case. You see, if they have the data parked with any other provider, what do the rules of those providers stipulate? Only they? Only the executing service agents? The world of data is quite literally the new Wild West of business and IT, a reasonably untapped frontier, and we all think that data is there and only we can access our little field of data, whilst in reality any corporation with a tractor can get to any part of that data field. It is all nicely settled in the line “are exempt from the data protection principles”, so as we consider our data and why we are not keeping it local, consider one final ‘deletable’ part, which is also in the Guardian article: “In 2009, Amazon automatically deleted some editions of George Orwell’s Nineteen Eighty-Four from users’ Kindles because of a copyright issue. I know, you just couldn’t write this stuff anymore ironically”. Yet even though the irony is out there, consider that your data is also on the cloud. So what happens when that gets deleted? Not by you or by the provider, but by a third party who got around it all? You might wonder why that is an issue; if you do, then consider the final question in this dilemma: ‘Who is the owner of a deleted file?’

So here is the fear part:

Where is your data?
Who ‘owns’ it?
Who has access to it (besides you)?

These are one side of the fear equation; on the other side you have local data storage, which you must personally manage: you must back up this data and you must keep track of whether it is all backed up. Some users feel uncomfortable with that. A nice example can always be found when someone in your vicinity cries over a crashed mobile and all contacts lost (I saw that happen a few times to people I know in 2014).

One fear or another, they’re gonna getcha!

So you, the user, have gone with the flow and the privacy of billions is up for grabs because no one wondered, asked or pressured; now that part is almost indefinitely gone. Only by adjusting the laws can we see a restoration of proper privacy of data and information, but those who rely on the value of data are extremely intent on not letting those changes happen. Consider this part from an earlier Guardian article: “Facebook places tracking cookies on users’ computers if they visit any page on the facebook.com domain, including fan pages or other pages that do not require a Facebook account to visit”. Do you think Google is any different? So as you are tracked, and as data is combined from social media, websites, devices and even toys, how much privacy do you think you are enjoying at present?

Now we get to a truly speculative part. Consider Google with its Nexus range. Now, the new Nexus 6 looks nice (way out of my budget range); there is a 32GB and a 64GB version. No issues here! In all aspects a decent game changer for the Nexus fan. Now we get to the Nexus 9, the tablet. Before I give my view, let me refer you to Forbes, where we see some interesting details (at http://www.forbes.com/sites/ewanspence/2013/01/29/apples-128GB-ipad-just-gave-every-android-tablet-manufacturer-a-headache/); an important fact is that this is a January 2013 review, so more than two years old! In that regard the specs do not seem to have changed! So this ‘new’ tablet is only to be had in a 16GB or 32GB version. So it has a lot less storage than the Nexus 6 mobile phone. It has a few more weaknesses, but basically, as Apple already had a 128GB edition, Google remains at 25%. In my view this was intentional! The machine was released late November 2014. Why would they not have a version that is at least 64GB? My iPad 1 (yes, version One), which I bought in 2011, already had 64GB. This is not a mere oversight from a bungling manager; as I see it, this is an intentional drive to get people towards Google Drive, with data stored in a place where some might have access (the non-user, that is). Remember, this is pure speculation on my side! Google could have made a contender and is offering nothing more than a consolation prize. Offering it at a very competitive price, but it comes with the foresight that people will be driven to the Google Drive, sooner rather than later!

Please feel free to reject this notion, but ask yourself, in the fight between iOS and Android, why would Google not offer a machine that is a lot more competitive? This is at the heart of the matter; this is, as I see it, the crux of it. There is of course a danger that we make ‘relationships’ between fiction and facts in events that are a figment of our imagination, but in the competitive industry that is called ‘mobile devices’, to remain behind to this extent calls for questions, does it not?

There is one part to add: the Guardian article was originally adapted (by the Guardian) from ‘Data and Goliath’ by Bruce Schneier. Bruce Schneier is a security technologist and CTO of Resilient Systems Inc. He can also be found tweeting his heart out as @schneierblog.


Filed under IT, Law