Tag Archives: Microsoft

Quick impressions of the Harman Kardon Invoke Cortana speaker

I’m an early adopter. This is both a blessing and a curse.

Thanks to John Peltonen, I installed some X-10 home automation gear back in the early 90s and have long wanted a more automated home, so when Amazon started shipping the Echo I bought one and threw together an ad hoc home automation system. My “robot girlfriend” Alexa can control various devices, including the kitchen and master bedroom, floor and desk lamps, my security system, and my thermostats (a Nest downstairs and an el cheapo Honeywell upstairs). I have a mix of LIFX bulbs (wouldn’t buy them again), WeMo switches, TP-Link smart plugs, and Lutron Caseta dimmers/switches, plus a GoControl garage door controller. It all works pretty well.

The Alexa devices have pretty quickly blended into my normal home workflow. I use the one in my bedroom like a clock radio, and to control the temperature when I’m in bed; the one in my office gets frequent use for adding items to my grocery list when I remember them, and the kitchen unit is an all-around music player, news source, multi-function timer, grocery-list keeper, and audiobook reader. Overall I’m well pleased with the Alexa devices and ecosystem.


Alexa as an assistant is far behind both Microsoft’s Cortana and Apple’s Siri. (For another time: my thoughts on what each smart-assistant platform is good and bad at; Siri, for example, is dumb and has poor voice recognition, but has a few idiot-savant skills that are useful, and it both benefits from, and is limited by, Apple’s strong emphasis on on-device processing.) It’s safe to say that Alexa is mostly a portal to Amazon’s services, which is fine; as a heavy consumer of Amazon services I’m OK with that.

However, I got spoiled by the quality of Cortana’s assistant functionality on Windows Phone and have continued using it on Windows 10, so when I saw that Microsoft and Harman Kardon were partnering to make the Invoke, a Cortana-powered competitor to the Amazon Echo, I was intrigued. For Black Friday, Microsoft was selling the Invoke for $99, and I had a $50 Microsoft Store credit, so I figured for $50 it was worth taking a flyer. The Invoke got here yesterday and I spent a few hours setting it up and playing with it. Here are my initial short-term impressions.

  1. The device build quality and packaging are excellent. I prefer the physical design and finish of the Invoke to the Echo. They are similar in size.
  2. The Invoke has a power brick instead of a wall wart. That is inappropriate for kitchen use.
  3. The out-of-box-experience and initial setup for the Invoke are very smooth, better than the initial experience for an Alexa device. All I had to do was power on the device and tap “set up my speaker” in the Cortana app. Whereas the Echo/Dot require you to manually switch wifi networks, the Invoke just magically figures out how to set itself up. (The Invoke immediately had to download an over-the-air update but this was painless and fairly fast.)
  4. The sound quality of the Invoke is much better than that of the original Echo. The new Echo 2 supposedly sounds better. The Invoke produces rich, clear highs, solid midrange, and decent bass for such a small unit and it seems louder than the Echo at max volume.
  5. The Dot and Echo have an LED ring around the top that lights up to indicate when the device is listening. The Invoke has a small touch-sensitive screen on the top. The ring is easier to see from a distance (and can be used to indicate when there are notifications, etc) but the touch-sensitive screen is an easy way to interact with the device. I’ll call this one a draw.
  6. Cortana functionality seems to be on par with the iOS Cortana app, and somewhat behind the Win10 app’s functionality.
  7. Cortana has very few skills compared to Alexa’s skills library. On both platforms, many of the skills are either stupid (I don’t need a skill to play the Notre Dame fight song, thanks) or not useful to me (I’m not a Capital One customer so their skill doesn’t do me any good).
    1. Cortana doesn’t have skills to control TP-Link smart plugs, LIFX light bulbs, or WeMo switches, all of which I use heavily.
    2. It is completely non-obvious how to add or manage skills. Some skills are built into the device, like Spotify and Skype. Some require you to install an app or to authorize an external service. The process is much more consistent for Alexa devices.
    3. Obviously the Invoke doesn’t have any Amazon skills. I use those heavily too. Being able to reorder cat food, or check on the whereabouts of a package, or listen to an Audible audiobook is very handy.
    4. You enable smart home skills through the Cortana notebook. This isn’t obvious. None of the skills I have seem to recognize individual devices, e.g. the Wink skill just ties Cortana to the Wink hub, and there’s no way I can find to tell Cortana to find new devices through the hub.
  8. Within the first 30 minutes, I ran into a bug– the device would say it couldn’t understand me, no matter what I said. I’ve seen other people mention this online so it’s a legit bug.
  9. I couldn’t get the Wink skill to control my garage door. This might just be because I didn’t know what to say to it; the same skill works fine with my Caseta dimmers and switches though.
  10. You can only set one kitchen timer at a time. Multiple concurrent timers is a key Alexa feature for me because I lack the skill to coordinate cooking multiple dishes without timers.

One feature I really like and can see myself using a lot is the integrated Skype calling. A simple “Hey Cortana, call person” is all it takes. I’m not 100% sure where Cortana is getting contact data from. If I say “call Delta Airlines,” it calls the local Delta Cargo office instead of the number in my contacts. If I say “call Walmart,” the device looks up the nearest Walmart and calls it, which makes sense because I don’t have Walmart in my contacts list. If I name a person in my contacts list, it calls them. Alexa has a very similar feature, along with the ability to send voice or text messages directly to other Alexa devices, but I never got in the habit of using them. (It doesn’t look like Invoke calls show up in my Skype history; I’m not sure if that’s a feature or a bug).

(Fun side note: if you call either device by the other name, it tells you about the upcoming Microsoft-Amazon partnership.)

For now, the Invoke is definitely a second-class citizen here at the fortress of solitude– with limited smart home integration, I can’t do a 1:1 replacement of any of my Alexa devices yet. But it sounds great, and Microsoft has a long history of rapidly improving their 1.0 releases, so I am optimistic that it will get better rapidly. I’ll keep it.



Filed under General Tech Stuff, Reviews

Office 365 token disclosure flaw: patch your desktops now

Happy New Year! To start the year off right, let’s talk about security. More to the point, let’s talk about Office 365 security.

One of the ways I often talk about Office 365 to customers is this: any time you move to a hosted service, you’re placing a bet that your hosting provider can do something better or cheaper than you do. Maybe they’ll deliver better uptime than you can afford to provide, or they’ll offer global reach, or some feature or function that you don’t currently have. As with any other bet, you have to carefully evaluate the odds and your counterparty (the person offering the bet). One of the big arguments in favor of Office 365 has been its security: Microsoft has invested a huge amount of money in physical and logical security for Office 365. Tie this in with the huge investment (several billion dollars and counting) brought about by Trustworthy Computing and you can see why Microsoft is eager to tout the security of their products: they have made huge strides over the last ten years. (Sadly, many other vendors are still as bad as they were back in 2005… let that thought sink in for a few minutes.)

In December, Microsoft released a patch, MS13-104, which every organization using Office 365 should immediately deploy. Microsoft rated this bulletin as “important” using their severity scale. While I understand that the “critical” severity is usually reserved for flaws that could allow remote code execution, I think this is just as bad because it allows an attacker to silently steal every document you have in a SharePoint Online document library.


Keep this tab open, then open a new tab and use it to start figuring out how to patch your clients ASAP if you’re using SharePoint Online. Then you can come back.

I won’t repeat the excellent analysis performed by Adallom Security, the folks who reported the flaw to Microsoft in May 2013. That’s right: they reported in May 2013, and the patch was issued in December 2013. That’s a minimum of 7 months of days-of-risk, which is bad enough without considering how long this flaw was being exploited before Adallom found it. However, I do want to make a couple of additional points.

First, they wrote their post before the recent spate of disclosures surrounding the NSA’s Targeted Access Operations (TAO) team and their catalog of exploits. There is of course no evidence that NSA developed or was using this particular exploit, but this is exactly the kind of silent, virtually undetectable attack that is the specialty of nation-states. The fact that Adallom’s customer is a large, high-profile enterprise is potentially bad news for Office 365 sales efforts, given that those customers are already a little leery of cloud services because of a perceived lack of security controls.

Second, this exploit apparently doesn’t work against Exchange Online or Lync Online, but that hasn’t been proven conclusively. Don’t hold off patching Office 2013 just because you aren’t using SharePoint Online.

Third, it seems to me that this kind of flaw is the natural consequence of breaking new ground. Seamlessly tying together on-premises and cloud services through a complex desktop suite is something that no other software company has even attempted: the major Office 365 competitors, such as Box.net and Google, don’t offer traditional desktop productivity apps, preferring instead to run inside the browser, where the design patterns and potential vulnerabilities of authentication are much better understood. So I don’t think of this as sloppiness necessarily on Microsoft’s part: sometimes in complex systems, people make mistakes. 210+ days-of-risk makes me a little nervous though.

My overall takeaway: if you have truly sensitive data that you want to protect, putting it in the cloud is not necessarily any more risky than keeping it on-premises. That may seem counterintuitive, but an entity that is determined to get your data has many potential avenues of attack, and my experience tells me that the vast majority of sites have a number of local vulnerabilities (such as poor patching practices, poor intrusion detection, or inattention to basic security practices) that put them at higher risk than a relatively esoteric, hard-to-exploit flaw like this one. If you don’t believe me, just look at the number of sites hit by Cryptolocker and various banking-related Trojans. Put another way, you don’t need to worry about defending yourself against NSA if you can’t even manage to defend yourself against script kiddies.

Now go forth and patch!

Filed under Office 365, UC&C