03.07.10

Security Disinformation

Posted in Free/Libre Software, FUD, Microsoft, Security at 8:57 am by Dr. Roy Schestowitz

Measuring electricity

Summary: Latest OpenSSL FUD and Microsoft’s Howard Schmidt’s role informing the public about cyber-security risks

OUR complaints about The Register have intensified recently [1, 2, 3, 4] because of poor articles like this one (see the comments).

The Register spreads FUD about OpenSSL (not the first such smear, after comparisons to "communism" too) and Bradley M. Kuhn from the SFLC has responded as follows:

Ok, Be Afraid if Someone’s Got a Voltmeter Hooked to Your CPU

Boy, do I hate it when a FLOSS project is given a hard time unfairly. I was this morning greeted with news from many places that OpenSSL, one of the most common FLOSS software libraries used for cryptography, was somehow “severely vulnerable”.

I had a hunch what was going on. I quickly downloaded a copy of the academic paper that was cited as the sole source for the story and read it. As I feared, OpenSSL was getting some bad press unfairly. One must really read this academic computer science article in the context it was written; most commenting about this paper probably did not.

First of all, I don’t claim to be an expert on cryptography, and I think my knowledge level to opine on this subject remains limited to a little blog post like this and nothing more. Between college and graduate school, I worked as a system administrator focusing on network security. While a computer science graduate student, I did take two cryptography courses, two theory of computation courses, and one class on complexity theory. So, when compared to the general population I probably am an expert, but compared to people who actually work in cryptography regularly, I’m clearly a novice. However, I suspect many who have hitherto opined about this academic article to declare this “severe vulnerability” have even less knowledge than I do on the subject.

There are much bigger problems to worry about, such as the latest news about Windows botnets [1, 2, 3]. The authors of the Windows exploit might not even face a jail sentence, based on this report.

Three Spanish men were arrested last month for allegedly building an international network of more than 12 million hacked PCs that were used for everything from identity theft to spamming. But according to Spanish authorities and security experts who helped unravel the crime ring, the accused may very well never see the inside of a jail cell even if they are ultimately found guilty, due to insufficient cyber crime legislation in Spain.

Regarding this new article about Scott Charney’s outrageous remarks [1, 2] (he worked for the US government before Microsoft hired him), Groklaw wrote 3 days ago: “First Microsoft fills the world with security issues and problems, then it wants the public to be taxed to fix them? I think Microsoft needs to fix its own software itself.” Microsoft’s own negligence [1, 2, 3] ought to have Microsoft bear the bill.

Howard Schmidt, the US Cyber Czar who came directly from Microsoft [1, 2, 3, 4], claims/pretends that there is no problem, even though many firms that include Google were intruded due to an Internet Explorer hole that Microsoft had knowingly ignored for 5 months [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12] (there are more security patches coming shortly). Even Google source code got grabbed. [via]

Operation Aurora continues to be a hot topic inside and outside of security circles. At this week’s RSA Conference in San Francisco many conversations are on the topic of the attacks that hit Google and dozens of other companies in January.

These reports indicate that proprietary source code got nicked from Google. Microsoft also nicks proprietary source code from companies/projects like Plurk [1, 2, 3, 4], which probably puts the Redmond-based company at the same side as the crackers.

“Cyberwar Hype Intended to Destroy the Open Internet,” says this report from Wired. [via]

The biggest threat to the open internet is not Chinese government hackers or greedy anti-net-neutrality ISPs, it’s Michael McConnell, the former director of national intelligence.

McConnell’s not dangerous because he knows anything about SQL injection hacks, but because he knows about social engineering. He’s the nice-seeming guy who’s willing and able to use fear-mongering to manipulate the federal bureaucracy for his own ends, while coming off like a straight shooter to those who are not in the know.

And on the other hand, on the same occasion we find that “US urges ‘action’ needed to fight net attacks,” according to the BBC.

Homeland Security secretary Janet Napolitano has admitted there is an urgent need to step up efforts to protect Americans from cyber attacks.

They seem to contradict themselves. Now they claim to be looking for ideas:

Homeland Security wants to pick your brains

[...]

The lucky winners will be invited to an event in Washington DC in late May or early June. They’ll get to partner with the department to lead in the planning of the National Cybersecurity Awareness Campaign, due to launch in October.

Over at CNET, Dennis O’Reilly has this new article about “five ways to keep your [Windows] PC free of viruses and Trojans”. Here is one of his suggestions.

If you can’t give up Windows, you may still be able to install Linux on an old PC or in a partition of your Windows PC. Then you can use that system (or partition) whenever you engage in any sensitive computer activities. You’ll find instructions for dual-booting Windows and the Ubuntu version of Linux on the Ubuntu Community Documentation site.

Thumbs up to Dennis.

“Usually Microsoft doesn’t develop products, we buy products. It’s not a bad product, but bits and pieces are missing.”

Arno Edelmann, Microsoft’s European business security product manager

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

A Single Comment

  1. your_friend said,

    March 7, 2010 at 12:39 pm

    Gravatar

    Everyone should email the DHS and tell them what the message should be, not how to carry it. They message should be to Stop Using Windows and move to free software.

    cyberchallenge@dhs.gov

    It is doubtful DHS will publish such a message but it would be good to let them know what the real consensus opinion is. If you read BN without TOR, you are already on their list of trouble makers. Go ahead and let them know what you really think.

What Else is New


  1. Links 27/11/2020: Jolla is 7, Diffoscope 162, MNT Reform Production

    Links for the day



  2. The Time Coronavirus Helped EPO Management Prevent Staff From Protesting and Going on Strike (March 26th)

    "In view of the spreading of the New Corona Virus, the planned General Assemblies have to be cancelled," the Staff Union of the European Patent Office (SUEPO) wrote in the wake of the crisis across Europe back in March (weeks ahead of a planned strike)



  3. Guarding Your Privacy With E2EE: Primer

    "As with all security, there is assumed risk no matter how careful you are. There are no security guarantees but that doesn't mean you shouldn't try."



  4. Links 27/11/2020: Systemd 247 and Cockpit 233

    Links for the day



  5. A Free Speech Deficit Harms Software Freedom

    Free software and Software Freedom cannot possibly succeed if we keep accepting or even just tolerating systematic censorship of opinionated people in our community; failing to speak out on this matter (for fear of supposedly offending someone, risking expulsion) is part of the problem — complicity by passivity



  6. Perception of Difficulty

    New poem by figosdev



  7. IRC Proceedings: Thursday, November 26, 2020

    IRC logs for Thursday, November 26, 2020



  8. Cartoon: After Gambling With Workers' Savings the EPO Can Do Real Estate

    New EPO cartoon from EPO insiders (the one on the right certainly looks a lot like António Campinos and the one on the left can be his EUIPO ‘import’ or Benoît Battistelli‘s INPI ‘import’)



  9. Free as in Freedom Should Not be Associated With Cost

    It's important to remind people that so-called 'free' services (Clown Computing, centralised spaces that 'farm' their so-called 'users') aren't really free; we need to advocate freedom or free-as-in-freedom alternatives



  10. [Meme] UPC's Pyrrhic Victory

    Contrary to what Team UPC says, what happened earlier today is hardly a breakthrough



  11. Many Thanks to Free Software, the Demise of Software Patents (in Europe and the US), and So Much More

    On a positive note we're heading into the end of November, one month before Boxing Day; we take stock of patent affairs that impact software developers



  12. Links 26/11/2020: PHP 8.0, Proxmox VE 6.3, UNIGINE 2.13

    Links for the day



  13. 29,000 Blog Posts and Recent Site Improvements

    Over 29,000 blog posts have been posted here, but more importantly we've made the site a lot more robust and resilient, accessible in more formats and protocols (while improving transparency, too)



  14. [Meme] Trump is Out. Now It's Time to Pressure the Biden Administration/Transition Team on Software Freedom Issues.

    The Biden transition is in motion and tentative appointments are underway, based on news reports (see our Daily Links); now is the time to put pressure, e.g. in the form of public backlash, to ensure it's not just another corporate presidency



  15. Boycott ZDNet Unless You Fancy Being Lied to

    ZDNet's Catalin Cimpanu continues to lead the way with misinformation and lies, basically doing whatever he was doing to land that job at ZDNet (after he had done the same elsewhere)



  16. The UPC and Unitary Patent Song

    On goes the UPC symphony, as the Unified Patent Court (UPC) is almost here, always coming "real soon!"



  17. Open Letter to the German Greens on UPC and Software Patents: Don’t Betray Your Voters and Your Promises, or You Will Regret it

    Dear Members of the German Greens in the Bundestag. By Benjamin HENRION.



  18. [Meme] One Step Away From Replacing Patent Examiners With 'Hey Hi' (AI)

    If it's not legal for 'Hey Hi' (AI) to get a patent, why should it be legal for patents to be granted by those who are invisible (and sometimes in de facto house arrest)?



  19. European Patent Office (EPO) Reduced to 'Justice Over the Telephone' and Decree by E-mail

    The EPO is trashing the EPC and everything that the Office was supposed to stand for, as it wrongly assumes demand for monopolies (typically from foreign corporations) comes before the rule of law and Europe's public interest



  20. Making Free Software Work for Users

    The latest reply to a non-developer concerned about software freedom; guest post by figosdev



  21. IRC Proceedings: Wednesday, November 25, 2020

    IRC logs for Wednesday, November 25, 2020



  22. Links 26/11/2020: AV Linux 2020.11.23 and Blender 2.91 Release

    Links for the day



  23. Links 25/11/2020: GamerOS and Biden Transition in Motion

    Links for the day



  24. An Orwellian December

    With December around the corner and states tightening the screws on the population (or employers on employees) at least we can look forward to spring



  25. The Non-Technical (or Lesser Technical) Software User That Wants Software Freedom

    Assuming that Free software should care about what users — not only developers — really want (and need) it’s important to understand how they view the current situation (with growing waves of corporate takeover and compromises, even expulsions)



  26. The European Patent Office Should be Run by Patent Examiners (Scientists), Not Politicians

    Europe would be better off (and patent quality much improved) had people with an actual grasp of science and reality were in charge of the EPO, not a money-chasing kakistocracy (which is what we have now)



  27. Member of the EPO's Boards of Appeal Explains Why VICOs (or ViCo/Video Conferences/Virtual 'Hearings') Are Not Suitable for Justice

    It's interesting to hear (or see/read) what people inside the EPO have to say about the "new normal" when they enjoy a certain level of anonymity (to avert retribution)



  28. Open Source Initiative (OSI) Co-founder Bruce Perens: Open Invention Network (OIN) is Protecting the Software Patent System From Reform and OSI Approves Faux 'Open' Licences (Openwashing)

    Richard Stallman was right about the OSI and the fake 'movement' that claims to have 'coined' the term "Open Source" (it wasn't a new term at all; it had been used in another context and the Free software community spoke of things like "Open Hardware" years earlier)



  29. IRC Proceedings: Tuesday, November 24, 2020

    IRC logs for Tuesday, November 24, 2020



  30. Making JavaScript Suck Less

    "Other than that, the first rule of JavaScript is: Do not use JavaScript. But this article is for people who break the first rule."


RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts