I’ve tried writing weeknotes a few times over the years and they have been pretty sporadic. So, let’s give it another go… this should probably be weeknote 28 (or something like that) but it seems last year I named them after the week number in the year… so let’s try that again.
Because I haven’t done this for a while, let’s add some bonus notes for last week too…
My long suspected but never tested theory was confirmed: most of the Authenticator apps that generate a second/multi-factor authentication (2FA/MFA) code for logging on to services are basically the same. So I consolidated Google Authenticator and LastPass Authenticator into Microsoft Authenticator. The corresponding thread on Twitter has some interesting responses.
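Why the consolidation works, as an added example that is not part of the original post: for these six-digit codes the apps implement the same open algorithm, TOTP (RFC 6238), so the code depends only on the shared secret and the clock, not on which app holds the secret. The enrolment URI, account name and function names are constructed for illustration; the secret is the published RFC 6238 test key.

```python
import base64
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrolment URI (the content of a setup QR code). The secret is the
# RFC 6238 SHA-1 test key "12345678901234567890" in base32, not a real account.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def parse_otpauth(uri):
    """Extract the parameters any authenticator app stores at enrolment."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP enrolment URI")
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    secret = query["secret"].replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)          # restore stripped base32 padding
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "key": base64.b32decode(secret),
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
        "algo": query.get("algorithm", "SHA1").lower(),
    }


def hotp(key, counter, digits=6, algo="sha1"):
    """RFC 4226: HMAC over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(enrolment, unix_time):
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    step = int(unix_time) // enrolment["period"]
    return hotp(enrolment["key"], step, enrolment["digits"], enrolment["algo"])


def verify(enrolment, code, unix_time, window=1):
    """Service-side check: accept adjacent time steps to tolerate clock drift."""
    step = int(unix_time) // enrolment["period"]
    for counter in range(max(0, step - window), step + window + 1):
        expected = hotp(enrolment["key"], counter,
                        enrolment["digits"], enrolment["algo"])
        if hmac.compare_digest(expected, code):   # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    # Two "apps" enrolled from the same QR code hold identical state.
    app_a = parse_otpauth(SAMPLE_URI)
    app_b = parse_otpauth(SAMPLE_URI)
    for t in (59, 1111111109, 1234567890):
        print(t, totp(app_a, t), totp(app_b, t))
```

The practical consequence is that the enrolment secret is the credential: whichever app, backup or export holds it can generate valid codes.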
My technical training was interrupted to complete the Microsoft Catalyst pre-sales training. It started off as what I may have described as a “buzzword-filled gamified virtual learning experience”. Then, I started to learn some consulting skills as Rudy Dillenseger brought Design-Led Thinking (aka Design Thinking) to life.
It was interesting to see Microsoft recommending the use of Klaxoon with Teams when facilitating remote workshops, which made me speculate about the future of Microsoft Whiteboard.
Was a week of virtual calls – even in the evenings. I had Zoom calls with British Cycling and for some financial advice but also a really pleasurable couple of hours on Signal chatting with an old mate I haven’t seen or spoken to in a while, who now lives overseas. It was definitely one of those moments when I appreciated a good friendship and it made me think “we should do this more often”.
Just when I thought I’d handed off some project management duties to a real PM, they bounced back at me like a boomerang…
My payslip and related documents are sent to me in PDF format. To provide some rudimentary protection from interception, they are password protected, though the password is easily obtained by anyone who knows what the system is.
Because these are important documents, I store a copy in my personal filing system, but I don’t want to have to enter the password each time I open a file. I know I can open each file individually and then resave without a password (Preview on the Mac should do this) but I wanted a way to do it in bulk, for 10s of files, without access to Adobe Acrobat Pro.
Those of us old enough to remember writing MS-DOS batch files will probably remember setting environment variables. Combined with a good old FOR loop, I got this:
FOR %G IN (*.pdf) DO qpdf --decrypt --password=mypassword "%G" --replace-input
Obviously, replace mypassword with something more appropriate. The --replace-input switch avoids the need to specify output filenames, and the use of the FOR command simply cycles through an entire folder and removes the encryption.
In the last few hours of 2019, my family planned our holiday. We thought we had it all sorted – fly to Barcelona, spend the weekend sight-seeing (including taking my football-mad son to Camp Nou) and then head up the coast for a few more days in the Costa Brava. Flights were booked, accommodation was sorted, trips were starting to get booked up.
We hadn’t counted on a global pandemic.
To be clear, I’m thankful that myself, my family and friends, and those around us are (so far) safe and well. By April, I didn’t much like the prospect of getting into a metal tube with 160+ strangers and flying for 3 hours in each direction. We’re also incredibly lucky to be able to access open countryside within a couple of hundred metres of our house, so daily exercise is still possible and enjoyable, with very few people around, most of the time.
I still took the week off work though. After cancelling my Easter break, it’s been a while since I took annual leave and even my Furlough period was not exactly relaxing, so I could do with a rest.
The weather has been glorious in the UK this week too, making me extra-glad we re-landscaped the garden last year and I’ve spent more than a few hours just chilling on our deck.
Unfortunately, we also got a taste of what it must be like to live in a tourist hotspot, as hundreds of visitors descended on our local river each day this weekend. It seems the Great Ouse at Olney has featured in a list of top places to swim in Britain, which was recently featured in The Times. It may sound NIMBYish, but please can they stay away until this crisis is over?
As for the holiday, hopefully, we’ll get the money refunded for the cancelled flights (if the airlines don’t fold first – I’m sure that if they refunded everyone they would be insolvent, which is my theory for why they are not increasing staff levels to process refunds more quickly); FC Barcelona contacted me weeks ago to extend my ticket and offer a refund if we can’t use it; and AirBnB had the money back in our account within days of us being forced to pull out due to cancelled flights.
(I did spend a few weeks effectively “playing chicken” with easyJet to see if they would cancel first, or if it would be us. An airline-cancelled flight can be refunded, but a consumer-cancelled flight would be lost, unless we managed to claim on travel insurance).
Even though I’ve had a week off, I’ve still been playing with tech. Some of my “projects” should soon have their own blog post (an Intel NUC for a new Zwift PC; migrating my wife’s personal email out of my Office 365 subscription to save me a licence; and taking a look at Veeam Backup for Office 365), whilst others get a brief mention below…
Please stop resetting user passwords every x days!
Regularly resetting passwords (unless a compromise is suspected) is an old way of thinking. Unfortunately, many organisations still make users change their password every few weeks. Mine came up for renewal this week and I struggled to come up with an acceptable, yet memorable passphrase. So, guess what? I wrote it down!
I use a password manager for most of my credentials but that doesn’t help with my Windows logon (before I’ve got to my browser). Biometric security like Windows Hello helps too (meaning I rarely use the password, but am even less likely to remember it when needed).
I’ve been watching with interest as my occasional cycling buddy (and now Azure MVP) James Randall (@AzureTrenches) has been teasing development on his new cycling performance platform side project. This week he opened it up for early access and I’ve started to road test it… it looks really promising and I’m super impressed that James created this. Check it out at For Cyclists By Cyclists.
So… it’s time to let this out into the wild I guess. Always nerve wracking. Feedback of any kind welcome! https://t.co/9FoBumpJwN
It’s early days yet but initial testing suggests that the microphone is excellent (although the supplied USB A-B cable is too short for practical use). I had also considered the Blue Yeti/Raspberry but it seems to have been discontinued.
As for the photo lighting, it should be just enough to illuminate my face as the north-facing window to my left often leaves me silhouetted on calls.
Smart lighting to match my Microsoft Teams presence
I haven’t watched the Microsoft Build conference presentations yet, but I heard that Scott Hanselman (@shanselman) featured Isaac Levin (@isaacrlevin)’s PresenceLight app to change the lighting according to his Windows Theme. The app can also be used to change Hue or LIFX lighting along with Teams presence status, so that’s in place now outside my home office.
One particularly useful feature is that I can be logged in to one tenant with the PresenceLight app and another in Microsoft Teams on the same PC – that means that I can control my status with my personal persona so I may be available to family but not to colleagues (or vice versa).
One of the most valuable personal development activities in my early career was a trip to the Microsoft TechEd conference in Amsterdam. I learned a lot – not just technically but about making the most of events to gather information, make new industry contacts, and generally top up my knowledge. Indeed, even as a relatively junior consultant, I found that dipping into multiple topics for an hour or so gave me a really good grounding to discover more (or just enough to know something about the topic) – far more so than an instructor-led training course.
Over the years, I attended further “TechEd”s in Amsterdam, Barcelona and Berlin. I fought off the “oh Mark’s on another jolly” comments by sharing information – incidentally, conference attendance is no “jolly” – there may be drinks and even parties but those are after long days of serious mental cramming, often on top of broken sleep in a cheap hotel miles from the conference centre.
Microsoft TechEd is no more. Over the years, as the budgets were cut, the standard of the conference dropped and in the UK we had a local event called Future Decoded. I attended several of these – and it was at Future Decoded that I discovered risual – where I’ve been working for almost four years now.
Now, Future Decoded has also fallen by the wayside and Microsoft has focused on taking its principal technical conference – Microsoft Ignite – on tour, delivering global content locally.
So, a few weeks ago, I found myself at the ExCeL conference centre in London’s Docklands, looking forward to a couple of days at “Microsoft Ignite | The Tour: London”.
Just like TechEd, and at Future Decoded (in the days before I had to use my time between keynotes on stand duty!), the event was broken up into tracks with sessions lasting around an hour. Because that was an hour of content (and Microsoft event talks are often scheduled as an hour, plus 15 minutes Q&A), it was pretty intense, and opportunities to ask questions were generally limited to trying to grab the speaker after their talk, or at the “Ask the Experts” stands in the main hall.
One difference to Microsoft conferences I’ve previously attended was the lack of “level 400” sessions: every session I saw was level 100-300 (mostly 200/300). That’s fine – that’s the level of content I would expect but there may be some who are looking for more detail. If it’s detail you’re after then Ignite doesn’t seem to be the place.
Also, I noticed that Day 2 had fewer delegates and lacked some of the “hype” from Day 1: whereas the Day 1 welcome talk was over-subscribed, the Day 2 equivalent was almost empty and light on content (not even giving airtime to the conference sponsors). Nevertheless, it was easy to get around the venue (apart from a couple of pinch points).
I managed to cover 11 topics over two days (plus a fair amount of networking). The track format of the event was intended to let a delegate follow a complete learning path but, as someone who’s a generalist (that’s what Architects have to be), I spread myself around to cover:
Dealing with a massive onset of data ingestion (Jeramiah Dooley/@jdooley_clt).
Enterprise network connectivity in a cloud-first world (Paul Collinge/@pcollingemsft).
Building a world without passwords.
Discovering Azure Tooling and Utilities (Simona Cotin/@simona_cotin).
Selecting the right data storage strategy for your cloud application (Jeramiah Dooley/@jdooley_clt).
Planning and implementing hybrid network connectivity (Thomas Maurer/@ThomasMaurer).
Transform device management with Windows Autopilot, Intune and OneDrive (Michael Niehaus/@mniehaus and Mizanur Rahman).
Maintaining your hybrid environment (Niel Peterson/@nepeters).
Windows Server 2019 Deep Dive (Jeff Woolsey/@wsv_guy).
Consolidating infrastructure with the Azure Kubernetes Service (Erik St Martin/@erikstmartin).
In the past, I’d have written a blog post for each topic. I was going to say that I simply don’t have the time to do that these days but by the time I’d finished writing this post, I thought maybe I could have split it up a bit more! Regardless, here are some snippets of information from my time at Microsoft Ignite | The Tour: London. There’s more information in the slide decks – which are available for download, along with the content for the many sessions I didn’t attend.
Ingesting data can be broken into:
Real-time analysis (see trends as they happen – and make changes to create a competitive differentiator).
Producing actions as patterns emerge.
Automating reactions in external services.
Making data consumable (in whatever form people need to use it).
Assess network security using application-level security, reducing IP ranges and ports and evaluating the service to see if some activities can be performed in Office 365, rather than at the network edge (e.g. DLP, AV scanning).
Azure ExpressRoute is a connection to the edge of the Microsoft global backbone (not to a datacentre). It offers 2 lines for resilience and two peering types at the gateway – private and public (Microsoft) peering.
Planning and implementing hybrid network connectivity
Moving to the cloud allows for fast deployment but planning is just as important as it ever was. Meanwhile, startups can be cloud-only but most established organisations have some legacy and need to keep some workloads on-premises, with secure and reliable hybrid communication.
Extension of the internal protected network:
Should workloads in Azure only be accessible from the Internal network?
Are Azure-hosted workloads restricted from accessing the Internet?
Should Azure have a single entry and egress point?
Can the connection traverse the public Internet (compliance/regulation)?
Existing addresses on-premises; public IP addresses.
Namespaces and name resolution.
Where are the users (multiple on-premises sites); where are the workloads (multiple Azure regions); how will connectivity work (should each site have its own connectivity)?
Boot to OOBE, choose language, locale, keyboard and provide credentials.
The device is joined to Azure AD, enrolled to Intune and policies are applied.
User signs on and user-assigned items from Intune policy are applied.
Once the desktop loads, everything is present (including file links in OneDrive) – time depends on the software being pushed.
Self-deploying (e.g. kiosk, digital signage):
No credentials required; device authenticates with Azure AD using TPM 2.0.
User-driven with hybrid Azure AD join:
Requires Offline Domain Join Connector to create AD DS computer account.
Device connected to the corporate network (in order to access AD DS), registered with Autopilot, then as before.
Sign on to Azure AD and then to AD DS during deployment. If they use the same UPN then it makes things simple for users!
Autopilot for existing devices (Windows 7 to 10 upgrades):
Backup data in advance (e.g. with OneDrive)
Deploy generic Windows 10.
Run Autopilot user-driven mode (can’t harvest hardware hashes in Windows 7 so use a JSON config file in the image – the offline equivalent of a profile. Intune will ignore unknown device and Autopilot will use the file instead; after deployment of Windows 10, Intune will notice a PC in the group and apply the profile so it will work if the PC is reset in future).
Autopilot roadmap (1903) includes:
“White glove” pre-provisioning for end users: QR code to track, print welcome letter and shipping label!
Enrolment status page (ESP) improvements.
Cortana voiceover disabled on OOBE.
Self-updating Autopilot (update Autopilot without waiting to update Windows).
Common requirements in an IaaS environment include wanting to use a policy-based configuration with a single management and monitoring solution and auto-remediation.
Azure Automation allows configuration and inventory; monitoring and insights; and response and automation. The Azure Portal provides a single pane of glass for hybrid management (Windows or Linux; any cloud or on-premises).
For configuration and state management, use Azure Automation State Configuration (built on PowerShell Desired State Configuration).
Inventory can be managed with Log Analytics extensions for Windows or Linux. An Azure Monitoring Agent is available for on-premises or other clouds. Inventory is not instant though – can take 3-10 minutes for Log Analytics to ingest the data. Changes can be visualised (for state tracking purposes) in the Azure Portal.
Azure Monitor and Log Analytics can be used for data-driven insights, unified monitoring and workflow integration.
Responding to alerts can be achieved with Azure Automation Runbooks, which store scripts in Azure and run them in Azure. Scripts can use PowerShell or Python (so support both Windows and Linux). A webhook can be triggered with an HTTP POST request. A Hybrid runbook worker can be used to run on-premises or in another cloud.
It’s possible to use the Azure VM agent to run a command on a VM from Azure portal without logging in!
Windows Server 2019
Windows Server strategy starts with Azure. Windows Server 2019 is focused on:
Storage Migration Service to migrate unstructured data into Azure IaaS or another on-premises location (from 2003+ to 2016/19).
Inventory (interrogate storage, network security, SMB shares and data).
Transfer (pairings of source and destination), including ACLs, users and groups. Details are logged in a CSV file.
Cutover (make the new server look like the old one – same name and IP address). Validate before cutover – ensure everything will be OK. Read-only process (except change of name and IP at the end for the old server).
Azure File Sync: centralise file storage in Azure and transform existing file servers into hot caches of data.
Azure Network Adapter to connect servers directly to Azure networks (see above).
Hyper-converged infrastructure (HCI):
The server market is still growing and is increasingly SSD-based.
Traditional rack looked like SAN, storage fabric, hypervisors, appliances (e.g. load balancer) and top of rack Ethernet switches.
Now we use standard x86 servers with local drives and software-defined everything. Manage with Admin Center in Windows Server (see below).
Windows Server now has support for persistent memory: DIMM-based; still there after a power-cycle.
Security: shielded VMs for Linux (VM as a black box, even for an administrator); integrated Windows Defender ATP; Exploit Guard; System Guard Runtime.
Application innovation: semi-annual updates are designed for containers. Windows Server 2019 is the latest LTSC channel so it has the 1709/1803 additions:
Enable developers and IT Pros to create cloud-native apps and modernise traditional apps using containers and micro services.
Linux containers on Windows host.
Service Fabric and Kubernetes for container orchestration.
Windows subsystem for Linux.
Optimised images for server core and nano server.
Windows Admin Center is core to the future of Windows Server management and, because it’s based on remote management, servers can be core or full installations – even containers (logs and console). Download from http://aka.ms/WACDownload
50MB download, no need for a server. Runs in a browser and is included in Windows/Windows Server licence
Runs on a layer of PowerShell. Use the >_ icon to see the raw PowerShell used by Admin Center (copy and paste to use elsewhere).
More cloud integration
Update cadence is:
Insider builds every 2 weeks.
Semi-annual channel every 6 months (specifically for containers):
Azure Container Instances (ACI): containers on demand (Linux or Windows) with no need to provision VMs or clusters; per-second billing; integration with other Azure services; a public IP; persistent storage.
Azure App Service for Linux: a fully-managed PaaS for containers including workflows and advanced features for web applications.
So, there you have it. An extremely long blog post with some highlights from my attendance at Microsoft Ignite | The Tour: London. It’s taken a while to write up so I hope the notes are useful to someone else!
Fantastic couple of days at #MSIgniteTheTour (although quieter/smaller than I expected). Thanks to all the speakers – it’s been great to dip into such a wide variety of topics. Now, back to the day job (and normal tweeting levels!) pic.twitter.com/NtTDXOG22h
I recently heard a Consultant from another Microsoft partner talking about storing “IL3” information in Azure. That rang alarm bells with me, because Impact Levels (ILs) haven’t been a “thing” for UK Government data since April 2014. For the record, here’s the official guidance on the UK Government data security classifications and this video explains why the system was changed:
Meanwhile, this one is a good example of what it means in practice:
So, what does that mean for storing data in Azure, Dynamics 365 and Office 365? Basically, information classified OFFICIAL can be stored in the Microsoft Cloud – for more information, refer to the Microsoft Trust Center. And, because OFFICIAL-SENSITIVE is not another classification (it’s merely highlighting information where additional care may be needed), that’s fine too.
I’ve worked with many UK Government organisations (local/regional, and central) and most are looking to the cloud as a means to reduce costs and improve services. The fact that more than 90% of public data is classified OFFICIAL (indeed, that’s the default for anything in Government) is no reason to avoid using the cloud.
There’s not much to say about work this week – I’ve mostly been writing documentation. I did spend a good chunk of Monday booking hotels and travel, only to find 12 days of consulting drop out of my diary again on Friday (cue hotel cancellations, etc.) but I guess that’s just life!
Family life: grime, rap and teens!
Outside work, it’s been good to be close to home and get involved in family life again.
I had the amusement of my 11 year-old and his friends rapping to their grime music on my car on the way to/from football training this week (we’re at the age where it’s “Dad, can we have my music on please?”) but there’s only so much Big Shaq I can take so I played some Eminem on the way back. It was quite endearing to hear my son say “I didn’t know you knew about Eminem!” after I dropped his mates off. I should make the most of these moments as the adulation is dropping off now he approaches his teens!
Talking of teens, my eldest turned 13 this week, which was a big day in the Wilson household:
I’m not sure how this little fella grew into this strong chap (or where the time in between has gone) but we introduced him to the Harry Enfield “Kevin the teenager” videos a few months ago. I thought they were funny when I was younger but couldn’t believe how accurate they are now I’m a parent. Our boys clearly understood the message too and looked a bit sheepish!
I did play with some tech this week – and I managed to create my very own chatbot without writing any code:
It’s also interesting reading some of the queries that the bot has been asked, which have led to me extending its knowledge base a few times now. A question and answer chatbot is probably more suited to a set of tightly bounded questions on a topic (the things people can ask about me is pretty broad) but it’s a nice demo…
I also upgraded my work PC to the latest Windows 10 and Office builds (1709 and 1710 respectively), which gave me the ability to use a digital pen as a presentation clicker, which is nice, in a geek-novelty kind of way:
I have an Amazon Prime membership, which includes access to Amazon Prime Instant Video – including several TV shows that would otherwise only be available in the US. One I enjoy is Mr Robot – which although completely weird at times is also strangely addictive – and this week’s episode was particularly good (scoring 9.9 on IMDB). Whilst I was waiting for the next episode to come around, I found that I’d missed a whole season of Halt and Catch Fire too (I binge-watched the first three after they were recommended to me by Howard van Rooijen/@HowardvRooijen). Series 4 is the final one and that’s what’s presently keeping me from my sleep… but it’s really good!
I don’t have Netflix, but Silicon Cowboys has been recommended to me by Derek Goodridge (@workerthread). Just like the first series of Halt and Catch Fire, it’s the story of the original IBM PC clone manufacturers – Compaq – but in documentary format, rather than as a drama series.
People have been telling me for ages that “the latest iPhone has a great camera” and, in daylight, I’m really impressed by the clarity and also the bokeh effect. It’s still a mobile phone camera with a tiny sensor though and that means it’s still really poor at night. If a full-frame DSLR struggles at times, an iPhone will be challenged I guess – but I’m still finding that I’m inspired to use the camera more.
7 Days 7 Photos
Last week, I mentioned the 7 days, 7 photos challenge. I’ve completed mine now and they are supposed to be without explanation but, now I have a set of 7 photos, I thought I would explain what and why I used these ones. I get the feeling that some people are just posting 7 pictures, one a day, but these really do relate to what I was doing each day – and I tried to nominate people for the challenge each day based on their relevance to the subject…
I spotted this pub as I walked to Farringdon station. I wondered if “the clerk and well” was the origin of the name for “Clerkenwell” and it turns out that it is. Anyway, I liked the view of the traditional London pub (I was on my way home from another one!) and challenged my brother, who’s a publican…
I liked the form in this photograph of my son’s CX bike on the roof of my car. It didn’t look so clean when we got back from cyclocross training though! I challenged my friend Andy, whose 40th birthday was the reason for my ride from London to Paris a few years ago…
Not technically a single photo – let’s call it a triptych. I used the Diptic app (as recommended by Ben Seymour/@bseymour) to create this collage. I felt it was a little too personal to nominate my friend Kieran, whose medals are in the lower left image, so I nominated my friend James, who was leading the Scouts in our local remembrance day parade.
I found some failed backups on my Synology NAS this week. For some reason, Hyper Backup complained it didn’t have enough storage (I’m pretty sure it wasn’t Azure that ran out of space!) so I ran several backups, each one adding another folder until I had all of my new photos in the backup set. I felt the need to challenge a friend who works in IT – so I challenged my friend Stuart.
My son was cake-baking, for Children in Need, I think – or maybe it was my other son, baking his birthday cake. I can’t really remember. I challenged a friend who runs a local cafe and regularly bakes muffins…
Self-explanatory. My son’s own creation for his birthday. I challenged my wife for this one.
The last image is following an evening helping out at Scouts. Images of attempts to purify water through distillation were not that great, so I took a picture of the Scout Badge, and nominated my friend Phil, who’s another one of the local Scout leaders.
(All seven of these pictures were taken on an iPhone 8 Plus using the native camera app, then edited in Snapseed and uploaded to Flickr)
I added second-factor authentication to my WordPress blog this week. I couldn’t find anything that uses the Microsoft Authenticator, but this 2FA WordPress plugin from miniOrange uses Google Authenticator and was very easy to set up.
Being at home all week meant I went to see my GP about my twisted ankle (from the falling-into-the-sea incident). One referral later and I was able to see a physio… who’s already working wonders on helping to repair my damaged ligaments. And he says I can ride my bike too… so I’ll be back on Zwift even if cyclocross racing is out for the rest of the season.
On the subject of Zwift, they announced a price rise this week. I understand that these things happen but it’s gone up 50% in the US (and slightly more than that here in the UK). All that really does is drive me to use Zwift in the winter and to cancel my membership in the summer. A more reasonable monthly fee might make me more inclined to sign up for 12 months at a time and create a recurring revenue for Zwift. Very strange business model, IMHO.
I particularly liked the last line of this article:
“Five minutes after the race
That was sooo fun! When can I do it again?!”
I may not have been riding cyclocross this weekend, but my son was, and Sunday was the popular Central Cyclocross League race at RAF Halton. With mud, sand, gravel and steep banks, long woodland sections and more, it looked epic. Maybe I’ll get to ride next year!
I did get to play with one of the RAF’s cranes (attached to a flatbed truck) though – amazing how much control there is – and had a go on the road safety rig too.
And of course, what else to eat at a cyclocross event but Belgian fries, mayo and waffles!
Finally, my friends at Kids Racing (@kidsracing) have some new kit in. Check out the video they filmed at the MK Bowl a couple of weeks back – and if you have kids in need of new cycling kit, maybe head over to HUP CC.
That’s it for this week. Next week I have a bit more variation in my work (including another Microsoft event – Azure Ready in the UK) and I’m hoping to actually get some blog posts written… see you on the other side!
“More than 63% of all network intrusions are due to compromised user credentials” [Microsoft]
The effects of cybercrime are tremendous, impacting a company’s financial standing, reputation and ultimately its ability to provide security of employment to its staff. Nevertheless, organisations can protect themselves. Mitigating the risks of cyber-attack can be achieved by applying people, process and technology to reduce the possibility of attack.
Fellow risual architect Tim Siddle (@tim_siddle) and I have published a white paper that looks at how Microsoft technology can be used to secure the modern productive enterprise. The tools we describe are part of Office 365, Enterprise Mobility + Security, or enterprise editions of Windows 10. Together they can replace many point solutions and provide a holistic view, drawing on Microsoft’s massive intelligent security graph.
One of my customers contacted me recently to ask about a challenge they had seen with Windows 10. After blocking untrusted fonts in Windows 10, they noticed that parts of the Office 365 portal were missing icons.
The issue is that Office 365 uses a font to display icons/glyphs (to improve the experience when scaling to adapt to different screen sizes). It appears some browsers are unable to display the embedded fonts when they are untrusted – including Internet Explorer according to one blog post that my colleague Gavin Morrison (@GavinMorrison) found – apparently Edge has no such issues (though I can think of many more issues that it does have…) – Chrome also seemed to work for me.
“Using Internet Explorer to look at websites that use embedded fonts. In this situation, the feature blocks the embedded font, causing the website to use a default font. However, not all fonts have all of the characters, so the website might render differently.”
So, that appears to be the issue. What’s the fix?
It seems there are two workarounds – one includes excluding processes from the font blocking (but it’s no good excluding a browser – as the most likely attack vector for a malicious font would be via a website!) and the other includes installing the problematic font to %windir%\Fonts.
One of the locations that Thomas highlights is https://outlook.office365.com/owa/prem/16.0.772.13/resources/styles/fonts/office365icons.ttf but that results in an HTTP Error 404 now (not found). So I opened the Office 365 portal in my browser and started the Debugger. Then, I found the following line of code that gave me a clue:
I used that base location (up to and including the version number) with the tail end of the URI that Thomas had provided and was pleased to find that https://r1.res.office365.com/owa/prem/16.1630.11.2221454/resources/styles/fonts/office365icons.ttf got me to an installable TrueType font file for the Office 365 fonts on Windows.
I expect the location to change again as the version number is updated but the method of tracking down the file should be repeatable.
Testing my theory
Testing on one of my PCs with HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\MitigationOptions set to 0x1000000000000 resulted in Internet Explorer loading the Office 365 portal without icons and Event ID 260 recorded in the Microsoft-Windows-Win32k/Operational log:
C:\Program Files (x86)\Internet Explorer\iexplore.exe attempted loading a font that is restricted by font loading policy. FontType: Memory FontPath:
After installing the Office 365 icons font (office365icons.ttf) and refreshing the page, I was able to view the icons:
Uninstalling the font locally and refreshing once more took me back to missing icons.
I then tidied up by setting the MitigationOptions registry key to 0x2000000000000 and restarting the PC, before removing the registry entry completely.
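To see which processes the policy is affecting, the MitigationOptions value and the Event ID 260 entries described above can be read together. The PowerShell below is an added example, not from the original post; the function names are hypothetical and the 0x3000000000000 audit value comes from Microsoft's documentation rather than from this page.

```powershell
# Added example, not from the original post.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel'

function Get-FontBlockingMode {
    param($RawValue)   # Int64 (QWORD), byte[] (REG_BINARY) or $null when absent
    if ($null -eq $RawValue) { return 'NotConfigured' }
    if ($RawValue -is [byte[]]) {
        # Pad or truncate to the first 8 bytes before converting
        $buf = New-Object byte[] 8
        [Array]::Copy($RawValue, $buf, [Math]::Min($RawValue.Length, 8))
        $RawValue = [BitConverter]::ToInt64($buf, 0)
    }
    # The font policy uses two bits; the on/off values are the ones from the post
    $bits = [int64]$RawValue -band 0x3000000000000
    if     ($bits -eq 0x1000000000000) { 'On' }
    elseif ($bits -eq 0x2000000000000) { 'Off' }
    elseif ($bits -eq 0x3000000000000) { 'Audit' }   # per Microsoft's documentation
    else                               { 'NotConfigured' }
}

function Get-BlockedFontSummary {
    param([string[]]$Message)
    # Message layout as recorded in the post's Event ID 260 entry
    $pattern = '^(?<proc>.+?) attempted loading a font that is restricted by font ' +
               'loading policy\.\s*FontType:\s*(?<type>\S+)\s*FontPath:\s*(?<path>.*)'
    $Message | ForEach-Object {
        if ($_ -match $pattern) {
            [pscustomobject]@{
                Process  = $Matches.proc
                FontType = $Matches.type
                FontPath = $Matches.path.Trim()
            }
        }
    } | Group-Object Process, FontType | Sort-Object Count -Descending |
        Select-Object Count, Name
}

$raw = (Get-ItemProperty -Path $key -Name MitigationOptions `
        -ErrorAction SilentlyContinue).MitigationOptions
"Font blocking mode: $(Get-FontBlockingMode $raw)"

$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-Win32k/Operational'; Id = 260 }
if ($events) { Get-BlockedFontSummary $events.Message }
else {
    # No events on this machine: fall back to the message text quoted in the post
    Get-BlockedFontSummary ('C:\Program Files (x86)\Internet Explorer\iexplore.exe attempted ' +
        'loading a font that is restricted by font loading policy. FontType: Memory FontPath:')
}
```

A browser process showing up with FontType Memory is the embedded web font case described above, which is the one to resolve by installing the font rather than by excluding the process.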
Last week, I spent an evening at my local BCS branch meeting, where Scott Bullock (Cloud Trust Officer at Forcepoint Cloud) was presenting Forcepoint’s 2017 Security Predictions.
For those who aren’t familiar with Forcepoint, they were formed from a combination of Websense, Raytheon Cyber Products and Stonesoft. Most of us have heard of Websense (and maybe Raytheon) but it seems Forcepoint have a suite of email, web and data protection products. They cite metrics like 27 globally distributed data centres, 5 billion web transactions a day, and 400 million emails processed per day. Those numbers may be a fraction of those processed by Microsoft (it would be interesting to compare with Symantec) but they are still significant.
What follows are my notes from Scott’s talk. My observations are in square brackets.
A look back at 2016
Before looking at the 2017 predictions, Scott took a look at last year’s score card:
US Elections will drive significant themed attacks – A+
Mobile wallets and new payment technologies introduce increased fraud risks – C
New GTLD domains provide new opportunities for attackers – B
These are mostly spelling errors on recognised sites – for example rnarkwilson.name instead of markwilson.name. With the number of GTLDs in existence now, it’s harder than ever for companies to register all of the domains associated with their brands/trademarks.
Cyber insurers will require more evidence for coverage – B+
It’s no longer good enough to forget about implementing security measures and rely on insurance.
DLP adoption will dramatically increase – B
Data loss prevention is coming back into favour [I’m not sure it ever went away…]
Forgotten technology will increase risks to organisations – B
[Technical debt is never good]
IoT will help but also hurt more – B
Worm took over DVR and DoS…
Social views of privacy will evolve – great impact to defenders – B
The digital battlefield is the new cold (or hot?) war
Enhanced NATO policy on collective defence (Article 5 – if one nation is attacked, then the members will work together) could lead to military responses to cyber attack
The potential and consequences of misattribution could lead to destabilization of the policy.
Essentially, cyber warfare could have physical impacts. [Worrying]
Millennials in the machine
The digital generation know how to mix business and pleasure – millennials bring an understanding of the digital realm into the workplace.
Millennials are used to over-sharing information. [So they are also used to the consequences.]
The potential for accidental data leakage has risen (e.g. take a picture of a whiteboard at work and it’s automatically uploaded to iCloud)
[I’m calling BS on this one – if indeed there is any difference in the ways that each generation uses tech – which I doubt – then it’s more likely that there is a bigger issue with Generation X and Baby Boomers not being as cyber-savvy as millennials.]
Compliance and Data protection convergence
EU GDPR is around the corner and will come into place in May 2018
Businesses will redefine their organisational processes to accommodate new controls
The onset of new data protection controls will incur costs for businesses and that impact will be most felt by large enterprises that have not yet begun to prepare:
Companies need to appoint a Data Protection Officer
Fines can be 4% of global annual turnover…
Will apply on top of DPA (enforced by Data Protection Office)
Rise of the corporate-incentivised insider threat
Corporate abuse of PII will increase; business goals will drive poor decisions resulting in bad behavior
Corporate-incentivized insider abuse of customer PII – is it just too tempting?
Regulations will further restrict corporate and personal access to digital information
Technology convergence and security consolidation 4.0
Mergers and acquisitions change the security vendor space
Cybersecurity corporations are buying up smaller vendors
Vendors that are not consumed or do not receive venture capital funding will exit the market
Products will stagnate or be orphaned as a result of mergers and acquisitions
Adjustments in employee base will benefit the cyber security skills shortage
[Whilst I can see the convergence taking place in the security sector, I have to take this prediction with a massive pinch of salt, bearing in mind its source!]
The cloud as an expanding attack vector
Cloud infrastructure provides an ever-expanding attack vector with possibilities for hacking the hypervisor
[I’d suggest this is more of an issue for so-called “private clouds” as the major players – Amazon, Microsoft, Google cannot afford a breach and are investing heavily in security – Microsoft spends over $1bn annually on security-related R&D and acquisitions]
Organisations will combine on premises and cloud infrastructure – a hybrid approach
[Yes, but this is for much broader reasons than security]
DOS of cloud providers will increase so ask what anti-DDoS protection they have and check that you have the right to audit…
[Isn’t that just due diligence?]
Voice-first platforms and command sharing
Voice-first AI and command sharing bring a new level of convergence
Voice activated AI will radically change our interactions with technology
AI will be able to distinguish between individuals and their patterns of behaviour
For example it will know when you’re at home, tech in house, when to burgle you!
AI will influence our normal or default settings
The number of voice-activated apps will rise significantly in 2017 – and so will attacks
[I already mute Alexa in my home office when I’m working – do you really want your conversations being overheard and used for analysis?]
AI and the rise of autonomous machine hacking
The rise of the criminal machines
Automated hacking machines vs. AI cyber defence machines
Widespread weaponisation of autonomous hacking machines will occur in 2017
State actors could use such systems to overwhelm rival national cyber defences
A collection of short posts that don’t justify their own blog post!
Fixing super-sized Windows desktop icons
Mostly, I don’t get on with track pads – there’s just something about them that I find awkward and before I know it the cursor is shooting off somewhere that I don’t want it to be, icons are being resized, or something equally annoying.
I recently found myself in a situation where an errant trackpad response to my hot hands hovering over it whilst typing had left me with super-sized desktop icons but I couldn’t work out how/why. Luckily this Lifehacker article helped me put things right – a simple Ctrl + mouse scroll got my icons back to the size they should be…
LastPass Multifactor Authentication
For many years, I’ve used LastPass as my Password Manager. I don’t normally reuse passwords and have gradually been increasing the complexity of my passwords but these days I don’t know the password for the majority of the sites I visit – LastPass fills it in for me. The one weakness in all of this though is my master password for LastPass. It’s a long and secure passphrase but what if it was compromised? Well, now I have multifactor authentication enabled for LastPass too. It’s really simple to set up (just a couple of minutes) and options include Google Authenticator as well as LastPass’ own Authenticator app.
MTP not working on Windows 10 anniversary update (1607)
My son has an Elephone P9000 smartphone, running Android Marshmallow. He was struggling to get it working with our family PC to import his pictures until I found this forum post that explains the process. It seems that, on the Windows 10 Anniversary Update (1607), the Media Transfer Protocol (MTP) driver needs to be manually installed:
Go to C:\Windows\INF
Type “wpdmtp.inf” in the search bar provided to the right of the address bar in Windows.
Once you have found it, just right-click on it and select Install. It will take only a few seconds.