04.08.15

Gemini version available ♊︎

Security FUD Against Free Software Resurfaces, Using Promotional Branding From a Microsoft-Linked Firm, So Red Hat Finally Responds

Posted in Free/Libre Software, FUD, Microsoft, Red Hat, Security at 5:52 pm by Dr. Roy Schestowitz

Bugs
Image courtesy of Red Hat

Summary: Old news is ‘new’ again, as Microsoft-friendly media decides to keep knocking hard on the reputation of Free software, using words rather than substance

A YEAR ago there was a curious (first of its kind for Free/Open Source software) “branding” of a 2-year-old FOSS bug by a Microsoft-linked firm that did not even find the bug. An engineer from Google had found it and sought to responsibly disclose it so as to patch it properly before the Microsoft-linked opportunists blew off the lid and called it “Heartbleed”, set up a Web site to ‘celebrate’ the bug, and even made a professionally-prepared logo for it. This whole “Heartbleed” nonsense — however serious it may have been for a day — was blown out of all proportions in the media and tarnished the name of Free software because it was so ‘successfully’ marketed, even to non-technical people. It was a branding ‘success’ which many firms would later attempt to emulate, though never with the same degree of ‘success’ (where success means bamboozling the public, especially non-technical decision-making people).

“Microsoft must be laughing quite hard seeing all that media manipulation.”“Dear journalists,” I said earlier today in social media (Diapora), “bugs don’t have birthdays. Stop finding excuses to bring “Heartbleed” BS (MS name for old bug) to headlines.” I spoke to one author about it and challenged him for floating these “Heartbleed” logos and brands yet again. To us it seems quite evident that Microsoft keeps attacking Free software and GNU/Linux like no time before; it’s just more subtle and hidden in more sophisticated ways. The person who heads the incognito firm that’s known only for the “Heartbleed” brand (they control the brand) came from Microsoft (he was head of security there) and also from the FBI, whose stance on encryption is widely known by now; they actively seek to break security of software, so knowing about the 2-year-old OpenSSL bug would make sense. Some reputable media reports said that the NSA had known about this bug for about a year before it was known to the public and the NSA cooperates with the FBI on breaking software security, sharing personal (illegally intercepted) data, etc.

Anyway, the same publication (as above) also floated the “Heartbleed” nonsense in another article today. Would they do just about anything to keep it in headlines? Even a year later? They are now citing some firm called Venafi (never heard of it before), which basically relies on misleading misuse of statistics. It’s FUD from a company that tries to make money from perceived dangers and accentuates these dangers in an effort to acquire clients. What kind of ‘journalism’ is this? incidentally, Black Duck is now joining the list of such parasitic companies, with new hires and multiple press releases, so clearly it’s a growth area and the Microsoft link is easy to see. It is FUD season again this spring as more publications now float this whole nonsense. This is hardly journalism, it’s just throwback.

Thankfully enough, Red Hat demonstrates what “branding” of FOSS bugs practically means, even using the image above. There is no correlation between the naming of bugs and their severity, but press coverage sure loves a good brand. This is an important (albeit belated) response from Red Hat to “branding” of a FOSS bug by Microsoft-linked firms like the one behind “Heartbleed”.

“It’s been almost a year since the OpenSSL Heartbleed vulnerability,” says Red Hat, “a flaw which started a trend of the branded vulnerability, changing the way security vulnerabilities affecting open-source software are being reported and perceived. Vulnerabilities are found and fixed all the time, and just because a vulnerability gets a name and a fancy logo doesn’t mean it is of real risk to users.”

Well, Microsoft folks sure squeezed everything they could from this bug, seeking to discredit not just OpenSSL but the whole development process of Free software (due to just one small bug, or a few lines of code). And Microsoft still pretends that it is warming up to Open Source? Who are these frauds kidding?

There’s a lot of companies which continue to use platforms with back doors, such as Windows, but the Wintel-oriented media would rather we just obsess over this one bug from one year ago (which was patched as soon as it became publicly-known).

We are rather disappointed to see a decent journalist like Sean Michael Kerner, along with colleagues at eWEEK, swallowing the bait and serving to promote the misleading claims to advertise this company that controls the “Heartbleed” brand, among other opportunists (like fish swimming around a shark for some leftovers). Microsoft must be laughing quite hard seeing all that media manipulation.

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email

Decor ᶃ Gemini Space

Below is a Web proxy. We recommend getting a Gemini client/browser.

Black/white/grey bullet button This post is also available in Gemini over at this address (requires a Gemini client/browser to open).

Decor ✐ Cross-references

Black/white/grey bullet button Pages that cross-reference this one, if any exist, are listed below or will be listed below over time.

Decor ▢ Respond and Discuss

Black/white/grey bullet button If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

DecorWhat Else is New


  1. Links 26/01/2023: LibreOffice 7.4.5 and Ubuntu Pro Offers

    Links for the day



  2. Links 26/01/2023: GNU poke 3.0 and PipeWire 0.3.65

    Links for the day



  3. IRC Proceedings: Wednesday, January 25, 2023

    IRC logs for Wednesday, January 25, 2023



  4. Companies Would Collapse Upon Abandoning Their Original Goals (That Attracted All the Productive Staff)

    Staff with technical skills won't stick around in companies that reject technical arguments and moreover move to proprietary software in a company that brands itself "Open Source"



  5. [Meme] Listen to Your Workers, Avert Disaster

    Companies that refuse to take input from staff are doomed to fail



  6. The ISO Delusion: When the Employer Doesn’t Understand the Company's Value Proposition (Building Systems) and Rejects Security

    Sirius ‘Open Source’ has failed to sell what it was actually good at; instead it hired unqualified people and outsourced almost everything



  7. Links 25/01/2023: NuTyX 23.01.1 and GNU Guile 3.0.9 Released

    Links for the day



  8. Links 25/01/2023: Stratis 3.5.0 and Many Political Links

    Links for the day



  9. New Record Low: Only One 'Linux' Article in ZDNet in More Than Two Weeks

    Only a few years ago ZDNet published about 3 “Linux” stories per day (mostly FUD pieces); now it’s a ghost town, painted in ‘alien green’; considering ZDNet’s agenda (and sponsors) maybe it’s better this way



  10. Links 25/01/2023: Pale Moon 32.0 and DXVK 2.1

    Links for the day



  11. IRC Proceedings: Tuesday, January 24, 2023

    IRC logs for Tuesday, January 24, 2023



  12. ISO Certification Hardly Tackles Any of the Real Issues

    The real-world threats faced by private companies or non-profit organisations aren't covered by the ISO certification mill; today we publish the last post on this topic before proceeding to some practical examples



  13. [Meme] Medical Data Sovereignty

    What happens when your medical records/data are accessible to a company based abroad after a mysterious NDA with the Gates Foundation? The International Organization for Standardization (ISO) does not mind.



  14. The ISO Delusion: Sirius Open Wash Ltd. and Medical Data/Projects at Risk/Peril

    Sirius ‘Open Source’ was good at gloating about “ISO” as in ISO certification (see our ISO wiki to understand what ISO truly is; ISO certification needs to be more widely condemned and exposed) while signing all sorts of dodgy deals and lying to clients (some, like the Gates Foundation, were never mentioned because of a mysterious NDA); security and privacy were systematically neglected and some qualified as criminal negligence (with fines/penalties likely an applicable liability if caught/reported)



  15. Links 24/01/2023: Wine 8.0 is Ready, FSF Bolsters Copyleft

    Links for the day



  16. Azure Has Layoffs Again, Microsoft Still Cutting

    Even supposed ‘growth’ areas at Microsoft are being culled (this growth is faked, it is a lie)



  17. Links 24/01/2023: Tails 5.9 and ArcoLinux v23.02

    Links for the day



  18. Links 24/01/2023: GStreamer 1.22 and Skrooge Gets New Site

    Links for the day



  19. IRC Proceedings: Monday, January 23, 2023

    IRC logs for Monday, January 23, 2023



  20. The Inside(r) Story of ISO 'Certification' Mills

    Based on my experiences inside Sirius ‘Open Source’ — as I was there for nearly 12 years — I finally tell what I’ve witnessed about ISO certification processes (see ISO wiki for prior experiences)



  21. [Meme] ISO Selling 'Reputation' to Small Businesses (for a Large Fee)

    As we’re hoping to demonstrate throughout the week, ISO certification is, in practice, worse than worthless (just a waste of small businesses’ resources, much like patents); call it the ‘ISO tax’, an artificial barrier to entry that boils down to money



  22. [Meme] ISO Certification for Paying for Certificates on Time

    ISO is a phony authority; it makes business by issuing mostly worthless paperwork that wastes people’s time and accomplishes nothing (except making ISO in rich Switzerland even richer)



  23. The ISO Train Wreck at Sirius 'Open Source'

    Before we proceed to showing how Sirius ‘Open Source’ blatantly ignored security and privacy we wish to show how ISO (see ISO wiki) basically ‘sold’ a certificate to Sirius — this is like a “diploma mill” but something that’s for businesses, not individuals



  24. Sirius Lying About ISO to Justify Giving the Technical Staff Some Classic 'Bullshit Jobs' While Censoring/Covering Up Incompetence

    Sirius ‘Open Source’ has long used “ISO” — and sometimes “GDPR” — as catch-all excuses for all sorts of nonsensical policies; does ISO realise the degree to which it is being misused by incompetent 'box tickers'?



  25. Links 23/01/2023: mozilla.org's 25th Anniversary and IceWM 3.3.1 Released

    Links for the day



  26. Report: The So-called 'Linux' Foundation is Reducing Focus on Linux

    The so-called ‘Linux’ Foundation is reducing its focus on Linux and is instead busy promoting Microsoft, Facebook, and other interests that GNU/Linux users strongly dislike



  27. Links 23/01/2023: Fwupd 1.8.10

    Links for the day



  28. IRC Proceedings: Sunday, January 22, 2023

    IRC logs for Sunday, January 22, 2023



  29. Links 23/01/2023: Many Pgpool-II Releases, risiOS 37 Reviewed

    Links for the day



  30. [Meme] Sirius is Not Open Source and Thugs Took Over the Company

    Despite its name, Sirius ‘Open Source’ actively replaces Open Source with proprietary software, even for its very own infrastructure (while almost all the “managers” use proprietary software)


RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts