Comment No they won't! (Score 4, Insightful) 51

How much does anyone want to bet that in the next year, they still won't have a secure-email-by-default product or practice? If this claim by Microsoft is true, then effective today, within the next 12 months, all emails from Microsoft will be digitally signed, and Outlook will force open encryption with something like PGP. In fact, if you get an email that isn't signed, Microsoft will call it out and flag it. This is the absolute minimum we can expect if they're going to take security seriously.

This isn't the only move they need to make, but it's one of the most important. Other steps they have to take:

1. Open Source all products.
2. Provide independent third party audits.
3. Remove all tracking and analytic scraping.
4. Remove all adware, and AI (unless they can secure the AI).
5. Remove online accounts by default from Windows.
6. Provide complete process transparency on Windows.
7. Put a Firewall / Security stack in place on Windows that is actually decent.

Basically they're going to change Windows / Office into Linux / LibreOffice, and also crank the security up, so it's professional. Essentially, Microsoft is going to turn into a respected professional service company, and does anyone believe that?

Comment The submission form offers anonymity? (Score 2) 233

How? Being able to post truly anonymously is hard; you have to willingly strip out information, and any tracking, before submission. Even having the IP address of the person posting, or the User Agent, is enough to possibly identify them. If you're careful and willing, you can make an anonymous submission form, but 999/1000 times you hear “the process is anonymous”, it's a lie.

Try designing a meaningful form that is private, anonymous, trackable, and can collect meaningful information. It's not impossible, but doing so is extremely difficult.

Comment Re:That's incredibly fishy .... (Score 1) 100

Okay, but there was no need to trash libraries, and for a company of Microsoft's size, with the testing protocol they'd have in place, that was an intentional move. This gets back to why they wanted to break the Networking Subsystem, because intentionally preventing VPNs from running is a break in the networking.

Comment Re:That's incredibly fishy .... (Score 1) 100

Simple, no one cares, and far too many people think the cost of change is unacceptably massive. Think about the time impact of moving from Windows + Tools / Applications to Debian or Fedora + Tools / Applications. How much time would that change take, including the time to get up to speed to where a normal Windows user would be? 1 hour, maybe upwards of 4 hours?

Most tools / applications are cloud based, and files are now stored in the cloud or on external storage. Linux works with the vast majority of hardware, so is there really a loss? If you factor in the improvement in productivity, you'll wipe out the cost of that move in a day or two.

I'll keep going back to: “Windows is for people who pretend to do work, and Linux is for people who have to do work.” At this point, and really for the last few years, Windows has been such a loss of productivity and time sink that most people are probably at 50%, possibly less, compared to a professional, production, real OS.

Comment That's incredibly fishy .... (Score 4, Insightful) 100

If the VPNs work before the April update, and break after, what did Microsoft change in the Network Subsystem? There's a small chance this was a true accident, but knowing how violating and abusive Microsoft policy is toward digital molestation, can you trust them?

Microsoft has turned Windows into a joke. No professional can honestly run Windows and at the same time claim they care about getting work done. The statement “Windows is for people who pretend to do work, Linux is for people who have to do work.” keeps constantly ringing true.

Comment It doesn't matter (Score 1) 43

Once your password manager is hacked, it's hacked. You can no longer make claims about security, robustness, and other avenues. LastPass was a good password manager, I used it for a few years many years ago, but once it changed into a profit seeking tool, all bets were off.

One year they wanted to charge me ~$30, when they had a deal that US customers could pay ~$3. They refused to match the offer, and insisted I either pay or they'd take my “Family Account” away. A week later I was on Bitwarden, and shortly after LastPass was hacked.

Password managers are not profit seeking tools; they have one major role, and it's to keep your passwords safe and sound. Anything outside of that is almost certainly going to lead to problems. There's nothing wrong with charging a reasonable amount of money, but once clueless investors and shareholders get involved, the quality falls sharply. LastPass is an example of a tool that can't be trusted under any circumstance. It's not possible to claim it's a secure password manager and back that claim up.

Comment Re:It's not just MFA (Score 1) 24

VPNs and IP spoofing can mitigate geofencing, which is why IP locking is also important, either by using direct whitelists or some form of IPsec. Now, I know those aren't magical castle level protections, but if you pair them with TFA, such as a fingerprint + Yubi, then you have some pretty decent front end protection. That's why I didn't throw those suggestions in the MFA group initially, since they're not really MFA.

Another significant aspect of this is session timeouts. How long do the sessions stay passable for? A general maximum threshold should be 24 hours, with shorter sessions generally being better, although it's a balancing act between security and usability. Another good layer to try to introduce is public / private keys that are signed with something like PGP, so you can have identity validation with an SSH key. I'm pulling this one out of the air, so, ideally that should allow you to leverage PGP to validate the identity of the key, so you can do a double pass on that layer.

In any case, the main issue, yet again, is the security standards. Stuff should be hard to log in to, and SFA is absolutely useless as a protective measure. The difference between great login security with MFA (not just 2FA) and SFA might be a minute; that 60 seconds can save millions, if not billions, down the road.

Comment It's not just MFA (Score 3, Insightful) 24

Why wasn't the session doing geolocation and IP lookup? Even if someone got the credentials, they shouldn't have worked from the wrong location(s). Tie that in with address verification and hardware based MFA (not SMS based), and you have a semi-decent login system. You could extend it with additional layers, and really for Health Care you want TFA or Three Factor, which would be something like Password + Yubi + Fingerprint. Geolocation and address verification would bring it up to FFA or Four Factor, possibly Five Factor.

When will it sink in that doing the minimum is never good enough? How many executives and managers said (to paraphrase) “least viable effort” when discussing the requirements, or cut funding, or went with the popular option because they heard of it before? This has all the hallmarks of bad design, through intentional bad design.
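The two comments above describe a layered login check: an IP allowlist ("IP locking"), a geofence, a count of strong factors that excludes SMS, and a 24-hour session ceiling. The following Python is an added example written for this page, not code from the commenter or from any vendor: the GeoIP table, the policy values, and the user sessions are all constructed stand-ins, and a real deployment would replace `country_for` with a lookup against an actual GeoIP database or service.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed stand-in for a GeoIP lookup; the prefix -> country mappings are
# made up for this example (these are documentation-reserved prefixes).
GEOIP_STUB = {
    ipaddress.ip_network("203.0.113.0/24"): "CA",
    ipaddress.ip_network("198.51.100.0/24"): "US",
}

# Factors that count toward the factor requirement. SMS codes are excluded on
# purpose, matching the "hardware based MFA (not SMS based)" point above.
STRONG_FACTORS = frozenset({"password", "hardware_key", "fingerprint"})


def country_for(ip: str) -> Optional[str]:
    """Return the country code for an address, or None if the stub has no entry."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP_STUB.items():
        if addr in net:
            return cc
    return None


@dataclass(frozen=True)
class Policy:
    allowed_cidrs: Tuple[str, ...]                   # IP allowlist ("IP locking")
    allowed_countries: FrozenSet[str]                # geofence
    required_factors: int = 3                        # password + hardware key + fingerprint
    max_session_age: timedelta = timedelta(hours=24)  # the 24h ceiling from the comment


@dataclass(frozen=True)
class Session:
    user: str
    source_ip: str
    factors: FrozenSet[str]  # factors completed at login
    issued_at: datetime


def evaluate_session(session: Session, policy: Policy, now: datetime) -> List[str]:
    """Return every policy violation; an empty list means the session passes all layers."""
    problems: List[str] = []
    addr = ipaddress.ip_address(session.source_ip)

    # Layer 1: IP allowlist. Checked first because a VPN can defeat the geofence alone.
    if not any(addr in ipaddress.ip_network(c) for c in policy.allowed_cidrs):
        problems.append(f"source {session.source_ip} is not on the IP allowlist")

    # Layer 2: geofence. An unknown country is treated as outside the fence.
    country = country_for(session.source_ip)
    if country not in policy.allowed_countries:
        problems.append(f"geolocation {country or 'unknown'} is outside the geofence")

    # Layer 3: strong-factor count; SMS is silently discarded by the set intersection.
    strong = session.factors & STRONG_FACTORS
    if len(strong) < policy.required_factors:
        problems.append(f"only {len(strong)} strong factor(s) presented; "
                        f"{policy.required_factors} required (SMS does not count)")

    # Layer 4: session age. Sessions do not live past the configured ceiling.
    if now - session.issued_at > policy.max_session_age:
        problems.append("session exceeds the maximum age; re-authentication required")

    return problems


# Constructed policy and sessions for a hypothetical health-care portal.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
POLICY = Policy(allowed_cidrs=("203.0.113.0/24", "198.51.100.0/24"),
                allowed_countries=frozenset({"CA"}))
GOOD = Session("alice", "203.0.113.5",
               frozenset({"password", "hardware_key", "fingerprint"}), NOW - timedelta(hours=2))
WEAK = Session("bob", "192.0.2.10",
               frozenset({"password", "sms"}), NOW - timedelta(hours=1))
STALE = Session("carol", "203.0.113.7",
                frozenset({"password", "hardware_key", "fingerprint"}), NOW - timedelta(hours=25))


def run_demo() -> Dict[str, List[str]]:
    """Evaluate the three constructed sessions against the policy."""
    return {s.user: evaluate_session(s, POLICY, NOW) for s in (GOOD, WEAK, STALE)}


if __name__ == "__main__":
    for user, problems in run_demo().items():
        print(user, "OK" if not problems else problems)
```

Each layer reports independently rather than short-circuiting, so a log line shows which controls a bad login actually tripped; that is the signal a detection team wants when credentials are known to have leaked.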

Comment Re:What cybersecurity legislations changes? (Score 1) 16

Right, so putting a dipshit hacker in jail only solves one part of the problem, in my mind the lesser of the two. I like to take the stance that my data will get stolen, so it's better to protect it for when that happens. That doesn't mitigate the work leading up to preventing the theft, but it does mean you need to encrypt your data.

Years ago, I had to get a DoD contractor to certify a product was safe. We gave them the software / hardware, and I included a USB key which had a copy of the data. The data was stored in the same state that it was in the DB, and the guy leading the test looked at me like I was an idiot. I told him that if they couldn't get into the DB, then they could separately test the data. A week later he gave me the key back; they couldn't get the data into a readable state, and didn't get into the DB. According to the lead guy, no one had ever given him the data outside the DB to prove their point.

Comment What cybersecurity legislations changes? (Score 2) 16

How exactly did he access the DB? The issue is more on the side of the DB lacking security than him “stealing” the information. Since the DB lacked proper security, the party at fault is the company who offered the DB, and/or the company who used it. It's worth asking why the data wasn't meaningfully encrypted; that would have mitigated the entire mess.

Lock this guy up for being a cyber criminal, but don't let him take all the blame; lacking proper and decent cybersecurity places a lot of the blame onto the company who used the DB and stored the information.

Did the cybersecurity legislation get updated following this case? If it didn't, then you know the government never cared, and sides with the exploitation of its people.

Comment What's the point? (Score 1) 46

A man who spawned one of the most successful software companies in history didn't really retire? When you had that much influence, or even much less, at a company, you never really retire. I've left companies 10 years ago that still reach out, and all I did was write some firmware, but imagine standing up a Trillion-dollar company; who really thought Gates left and closed the door?

Comment They didn't get hacked from Fish Sensor (Score 1) 39

They got hacked because they have bad network policies. Anything IoT is absolutely untrusted, and must be placed in a segmented VLAN that has zero access to anything you would rate as “If it dies, I don't care” level of importance or higher. If someone was able to jump from a sensor in a fish tank to anything that could access an important node, the network engineer failed, or there are some companies who need to be answering questions.

Even if you wanted to log the data to an analytic engine, first dump it to a server that has zero importance. Then run a sterilization process on the logs / data, and upload that to a secondary server which will examine, tag and encrypt the data. Send that encrypted output to a third server to verify the information, decrypt, sanitize and sterilize the data again, making sure it's in plain text of some kind. Finally, send it to the logging server, which again can't reach out to anything significant. That way, even if someone did get into that VLAN, it wouldn't matter.
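The segmentation rule in the comment above (the IoT VLAN talks only to a disposable collector, never to anything that matters) can be audited after the fact from firewall flow logs. The Python below is an added example for this page, not the commenter's code or any vendor's tooling: the VLAN and collector addresses, the log line format, and the flow records are all constructed, and a real audit would read the firewall's own export format instead.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Hypothetical segmentation policy: every IoT device lives in 10.99.0.0/16 and
# may only reach the single "zero importance" collector host.
IOT_VLAN = ipaddress.ip_network("10.99.0.0/16")
COLLECTOR = ipaddress.ip_network("10.98.0.5/32")

# Constructed key=value flow record format (not a real firewall's export format).
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed flow records. Line 2 is an IoT sensor reaching a file server on
# another VLAN and being allowed; line 5 is a sensor talking to the internet.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z src=10.99.4.21 dst=10.98.0.5 proto=tcp dport=514 action=allow
2024-05-01T10:00:02Z src=10.99.4.21 dst=10.10.1.20 proto=tcp dport=445 action=allow
2024-05-01T10:00:03Z src=10.10.1.20 dst=10.99.4.21 proto=tcp dport=80 action=allow
2024-05-01T10:00:04Z src=10.99.4.22 dst=10.10.1.20 proto=tcp dport=445 action=deny
2024-05-01T10:00:05Z src=10.99.4.23 dst=203.0.113.9 proto=udp dport=53 action=allow
this line is malformed and must be skipped, not crash the audit
"""


def parse_flow(line: str) -> Optional[dict]:
    """Parse one flow record; return None for lines that do not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def audit_flows(text: str) -> Dict[str, List[dict]]:
    """Split IoT-originated flows into policy violations (allowed past the collector)
    and flows the firewall already blocked, which are evidence the rule set works."""
    result: Dict[str, List[dict]] = {"violations": [], "blocked": []}
    for line in text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        # Only traffic originating in the IoT VLAN is constrained by this rule.
        if src not in IOT_VLAN:
            continue
        # The collector is the one permitted destination.
        if dst in COLLECTOR:
            continue
        if rec["action"] == "allow":
            result["violations"].append(rec)
        else:
            result["blocked"].append(rec)
    return result


if __name__ == "__main__":
    report = audit_flows(SAMPLE_FLOWS)
    for v in report["violations"]:
        print(f"VIOLATION {v['ts']} {v['src']} -> {v['dst']}:{v['dport']} ({v['proto']})")
    print(f"{len(report['blocked'])} IoT flow(s) correctly blocked")
```

The denied flow is reported separately on purpose: a sensor trying to reach a file server on port 445 and being blocked is exactly the event that should page someone, even though the segmentation held.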

Comment The government doesn't really care! (Score 5, Insightful) 20

This is just hand waving and trying to make a big deal out of something the government will never legislate away. If the government cared about companies or organizations collecting location data, they would block the collection, and force technology to intentionally obfuscate it.

In Canada, our government loves to talk about the privacy issues surrounding social media, but has never, even by accident, passed laws or bills, to force companies to make data private through intentional action. Think about it, is anyone forced to store your data in an encrypted state, where you own / control the private key? Does the government force personal responsibility for data, or government forced responsibility?

Have you ever heard of a government-run initiative to force addressing that is free from tracking? Have you ever seen a government force obfuscation for identification? What about forcing anonymous identification requirements? Governments do not want the tracking or the identification removed; they want to rake in millions while exploiting the same systems and policies they fine companies over.

Out of interest, how much of that money is going to be paid to the customers violated? If the government cares, 100% of it.
