ISSUE 19.04.F • 2022-01-24

In this issue

ON SECURITY: Twenty years of trustworthy computing

Additional articles in the PLUS issue

LANGALIST: Inaccessible backups, and a dead laptop

PUBLIC DEFENDER: ‘Fake’ HDMI 2.1: The standard that isn’t

FREEWARE SPOTLIGHT: Info-Base — Map your brain

MICROSOFT NEWS: $68.7 billion? Peanuts.


ON SECURITY

Twenty years of trustworthy computing


By Susan Bradley

Are we more secure now?

It’s been 20 years since Bill Gates wrote the “trustworthy computing” memo and had Microsoft’s developers take a coding pause so they could be trained in how better to write secure software.

Twenty years later, are we more secure? Do you feel more secure?

I’m not sure I do. You know I watch this every hour of every day, and it sure feels like we are doing the same updating and patching dance over and over, without feeling more secure. We are promised that the hardware and software we buy will meet the safety promises. We certainly deserve that — period.

I think all the vendors need to do a better job in securing the hardware, operating systems, Web browsers, and software applications we use on a daily basis.

Microsoft seems to have a Jekyll-and-Hyde mentality about this. On the one hand, the company has pushed for secure options; on the other, it has pushed options that raised many questions and objections in the user base. Since Version 7 was released, Windows has been set up to allow us to configure a reasonably secure system, but the onus ends up on us to choose the right settings and configurations.

But therein lies the rub — how can we tell whether Microsoft’s choices are designed for our security and safety or are an attempt to funnel us into online subscription services? A simple example of this is the ever-increasing difficulty of configuring Windows to use a local account. Meanwhile, Windows, especially version 11, puts a lot of pressure on us to sign up for that Microsoft account. The company touts the advantages, including security, of its online services rather than making sure those good solutions are built into the products it sells outright.

Dwell time

Recently, I recorded for my local certified public accounting society a seminar on the topic of security. My copresenter was a former supervisory special agent with the Federal Bureau of Investigation (FBI), Brad Maryman. We talked about how long attackers will lurk inside your computer or your network, waiting for the right time to attack. Often it’s not immediate, but more like a time bomb waiting to go off if not discovered first. Many times, the attacker’s goal is to gain information from your system without letting you know it’s happening. As we stated in the presentation, FireEye has noted that the median dwell time for ransomware attacks is 72.75 days before the attack is launched! As Brad emphasized repeatedly during his presentation, users must enable logging so they can fully know how, where, and when attackers have gained access to their information.

The Microsoft 365 subscription that most people purchase does not have logging enabled that would be able to meet that dwell time. Brad recommended that any firm, regardless of size, have at least six months of logging enabled on their mail servers and networks. Yet it’s only after you purchase the most expensive Microsoft 365 Enterprise license, E5, that you are able to configure a year’s worth of logging for your cloud mail server. (For those businesses acquiring the less expensive E3 subscription, only 90 days’ worth of logging is enabled.) An E5 license is US$57 per person per month.

The E5 license is also the only one that gives businesses use of a setting called “MailItemsAccessed,” which allows you to know whether an attacker actually read your email. Without it, you know only that an attacker gained access, but not exactly what they gained access to. Thus you’ll need to assume that everything was breached.

A good explanation of this is available in the Microsoft Public Sector Blog article Discovering Microsoft 365 Logs within your Organization.

Smaller businesses get a break

Microsoft has made some concessions to smaller businesses in its pricing of Microsoft 365 solutions. Recently, it started a public test of its endpoint detection services in a specially priced Microsoft Defender for Business that can be purchased separately and will be included in Microsoft 365 Premium. This solution is limited to businesses with under 300 users. It allows small businesses to enjoy some of the same security solutions and recommendations that are included in the top enterprise subscription, E5. Primarily, it provides a console that guides an administrator in deploying Attack Surface Reduction rules and other security guidance. But, once again, the administrator has to purchase the security subscription and deploy it.

Alex Fields has just started a series called Unboxing Microsoft Defender for Business, which I can recommend.

Recommendations for consumer and home users

If you go to any retail technology store, you will often be steered toward Chromebooks as a more secure solution because the applications are being run in the cloud, not on the local PC. This may be misleading, especially for home users. First of all, cloud applications are also targets for attackers, as weekly news reports tell us. Secondly, the total security picture includes the Web browser used to access the cloud services, and there are concerns about the security of the Chrome platform.

Not a month goes by that we don’t learn of a zero-day vulnerability in the Chrome browser. To the best of my knowledge, there have been a few Chrome browser zero days that have also impacted Chromebooks, so one should never assume that a Chromebook is immune. And, of course, a Chromebook operating system is reliant on one major weakness — the password! Too many of us re-use passwords, especially on cloud services, and we thus introduce the risk that attackers who manage to harvest a password from one of our activities will simply try that credential on different services. Chromebooks and the Chrome browser also suffer from a problem I call the “plugin/extension risk” — malware found in extensions. When cleaning computers, the browser extensions are the first place I look. When I don’t recognize an extension, I immediately remove it.

Recently, the French government fined Google (and Facebook), saying, “the way the companies employ ‘cookies’ — small amounts of data generated while users browse websites and which can be used to track their activity — affects the ‘freedom of consent,’ as Facebook and Google make it much easier for netizens to authorize that data-tracking rather than to decline it.”

With free services, far too often we are the product, and our data is sold to the highest bidder.

Apple, too, could do better

While Apple is gaining the reputation of putting privacy and security first, it could also do a better job of being trustworthy. Our own Brian Livingston recently detailed how AirTags can be used to stalk people (Look who’s stalking: Protect yourself from Apple AirTags, 2022-01-10). iPhones have been used worldwide in targeted attacks by the spyware Pegasus. Apple is notoriously slow in fixing security bugs, to the point where researchers have resorted to the low tactic of shaming Apple to get items fixed.

Recommendations for business users

Many business users depend on Microsoft Windows to run critical line-of-business applications, and they simply can’t move away easily. But that doesn’t mean that we are without options. Unfortunately, as I’ve indicated above, it means that we must deploy the solutions — they won’t be automatic. Recently, Mandiant released a white paper showcasing some of the steps to take to better defend yourself from attacks, and Microsoft indicated that nation-states appeared to be launching destructive attacks against computers — to the point that the boot sector was damaged. The best protection against this type of attack is an old-fashioned backup routine, one that Microsoft neither makes easy to do nor enables by default. The emphasis is on cloud storage rather than full-image backups.

Do you feel more secure?

So? Do you feel more secure? Given the millions of dollars in Bitcoins that ransomware operators get every day, I’d say we aren’t more secure now than we were 20 years ago. Given the increase in cyber-insurance premiums, I’d say insurance companies don’t think so, either.

Bill Gates had three major tenets that he wanted to stress: availability, security, and privacy. He said:

Microsoft’s products should always be available when our customers need them. System outages should become a thing of the past because of a software architecture that supports redundancy and automatic recovery. Self-management should allow for service resumption without user intervention in almost every case.

The data our software and services store on behalf of our customers should be protected from harm and used or modified only in appropriate ways. Security models should be easy for developers to understand and build into their applications.

Users should be in control of how their data is used. Policies for information use should be clear to the user. Users should be in control of when and if they receive information to make best use of their time. It should be easy for users to specify appropriate use of their information, including controlling the use of email they send.

Twenty years on, we’re still in the same boat. Systems still are not self-managing and are not inherently resilient. We still have a long way to go. Will it take another 20 years? More?


MS-DEFCON 1


Susan Bradley is the publisher of the AskWoody newsletters.



Stories in this week’s PAID AskWoody Plus Newsletter

LANGALIST


Inaccessible backups, and a dead laptop

By Fred Langa

How can you repair what you can’t get at? Today’s column covers two problems caused by very different access issues.

In one case, a subscriber is locked out of her old, obsolete backup files; she can neither access nor delete them and thus cannot recover the huge chunk of disk space they occupy.

In another, a different subscriber needs to data-wipe (“sanitize”) the hard drive of a fatally damaged laptop. But how can he wipe the drive when the laptop won’t even turn on?

PUBLIC DEFENDER


‘Fake’ HDMI 2.1: The standard that isn’t

By Brian Livingston

If you’re interested in buying new monitors for your business or home that support the latest HDMI 2.1 standard — such as many displays that were demonstrated at CES (the Consumer Electronics Show) earlier this month — you may be surprised to learn that HDMI 2.1–certified monitors may not necessarily support the enhanced features that have been heavily promoted.

FREEWARE SPOTLIGHT


Info-Base — Map your brain

By Deanna McElveen

Sometimes I can’t remember why I walked into a room. Why should I think I’ll remember my daughters’ mailing addresses if I don’t write them down? Will I remember where I wrote them down? What was I talking about?

Oh yes, Info-Base! What is it? It’s a free program created by Jochanan Agam of Zurich, Switzerland. It’s actually an improved clone of the original DOS program called “Tornado,” which then became “Info-Select” (for DOS) and later “Info-Select” (for Windows). Jochanan renamed it “Info-Base” and added a zillion features.

MICROSOFT NEWS


$68.7 billion? Peanuts.

By Will Fastie

Frenzy around corporate acquisitions is nothing new; but this time, for Microsoft, it seems overstated.

Last week, Microsoft announced its planned acquisition of Activision Blizzard, the well-known maker of such game franchises as Candy Crush, Call of Duty, and World of Warcraft. Part of the frenzy surrounded the price — almost three times more than Microsoft’s previous large acquisition, LinkedIn.



The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.


Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, AskWoody.com, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody Tech LLC. All other marks are the trademarks or service marks of their respective owners.

Copyright ©2022 AskWoody Tech LLC. All rights reserved.