10.21.15

Gemini version available ♊︎

Microsoft’s Insecure-by-Design (Sometimes With Back Doors) ‘Contributions’ to OpenSSH

Posted in BSD, Microsoft, Security, Windows at 7:15 am by Dr. Roy Schestowitz

Making a mockery out of the spirit of OpenBSD, having given money to OpenBSD

Manchester church
Vulnerability (need for money) found in the Church of BSD

Summary: Microsoft is seemingly disrupting the high standards of the OpenSSH project (and by extension OpenBSD and Free/libre software), as its focus on security is ludicrous at best

LAST week, in our daily links, over a dozen links were included about a new revelations of flaws in a hugely popular encryption method. A paper presented by award-winning academics demonstrated a serious weakness. OpenSSH was among the alleged targets, potentially allowing spies to infiltrate, intercept and decrypt communications/data relayed over SSH. The philosophy and principles (UNIX) of OpenSSH had kept it strong for a very long time.

“Knowing the role that social engineering plays in weakening encryption, the last thing one needs right now is PRISM pioneer (first company) and a back doors proponent like Microsoft inside the OpenSSH community.”Those who keep abreast of privacy news (including NSA leaks) will know that there is an aggressive effort to crack SSH. Some ciphers were recently phased out or deprecated as a result. Knowing the role that social engineering plays in weakening encryption, the last thing one needs right now is PRISM pioneer (first company) and a back doors proponent like Microsoft inside the OpenSSH community. As we pointed out earlier this year, OpenSSH is being subjected to E.E.E. (embrace, extend, extinguish) treatment from Microsoft [1, 2] because money talks. Microsoft has a lot of money (despite losses in the billions) and OpenBSD is underfunded, hence desperate for money.

Secure channels and Microsoft Windows are incompatible concepts. It cannot be done because Windows itself has back doors, allowing penetration at root (Administrator) level. Microsoft is now pushing its back-doored, insecure-by-design APIs into the SSH project and also puts people’s keys on boxes with such inherent insecurities. How terrible a recipe is that? Is OpenBSD willing to compromise its credibility and reputation just because Microsoft gave it a ‘generous’ payment (some would call it a bribe)?

According to this update from Microsoft, they now intend to:

Leverage Windows crypto api’s instead of OpenSSL/LibreSSL and run as Windows Service…

People in the comments (not deleted, at least not yet) rightly post complaints. One said: “I don’t think I like that your replacing an open source SSL with a closed source Windows crypto api.”

Another commenter said: “Do I see a trap here?! If the Windows port uses the closed source crypto api is the whole OpenSource OpenSSH-idea then still intact?”

“Microsoft takes something that’s not its own and then ‘bastardises’ it, making it an inferior ‘Windows thing’ which spreads only because of the network effect or illegal bundling.”iophk told us: “How much key code can they replace with dodgy homebrew and still be allowed to use the same name? Without the crypto, it is not the same software and merely a derivative.”

Well, that’s just how E.E.E. has historically worked. Microsoft takes something that’s not its own and then ‘bastardises’ it, making it an inferior ‘Windows thing’ which spreads only because of the network effect or illegal bundling.

iophk has also pointed out to us that Roger A. Grimes, who works for Microsoft and IDG (news publisher) at the same time (clearly a conflict of interests), presents a false dichotomy, “freedom or security” (right there in the headline). Computer security is never the goal at Microsoft; they want back doors for so-called ‘national security’ (i.e. state power with remote access to citizens’ PCs).

“The first rule of zero-days is no one talks about zero-days,” reads this new headline (remember that Microsoft wilfully enables NSA access through zero-days).

“If Microsoft cannot honour Free software and respect the APIs of OpenBSD, OpenSSH, OpenSSL etc. then maybe it’s time to tell Microsoft to take back its ‘bribe’ money and go away, leaving OpenSSH alone (and secure).”Microsoft’s E.E.E. tactics are becoming a big threat not just to GNU/Linux but also to BSD and Free software as a whole. Microsoft now tries to become a GNU/Linux host, despite its known record of scanning every single file (claiming to do so because of child pornography) and colluding with the government for warrantless access to data stored on servers.

The E.E.E. against GNU/Linux is perhaps best demonstrated by this new article about how Microsoft tries to take over Big Data (a lot of data, sometimes incredibly sensitive) on GNU/Linux servers. “Last month Microsoft did something extraordinary,” says the author, “something which demonstrates how completely the company has changed since its third CEO, Satya Nadella, took over.”

Satya Nadella just turned the company into more of a surveillance company, as Vista 10 serves to remind us. He continues to attack GNU/Linux in many ways (including patent extortion) while saying that Microsoft "loves Linux' (a lie as big as a lie can get).

If Microsoft cannot honour Free software and respect the APIs of OpenBSD, OpenSSH, OpenSSL etc. then maybe it’s time to tell Microsoft to take back its ‘bribe’ money and go away, leaving OpenSSH alone (and secure). Almost every distribution of GNU/Linux comes with OpenSSH. Microsoft is a wolf in sheep’s clothing and it has no room inside FOSS until it quits attacking FOSS and collaborating with abusive espionage agencies like GCHQ and the NSA.

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email

Decor ᶃ Gemini Space

Below is a Web proxy. We recommend getting a Gemini client/browser.

Black/white/grey bullet button This post is also available in Gemini over at this address (requires a Gemini client/browser to open).

Decor ✐ Cross-references

Black/white/grey bullet button Pages that cross-reference this one, if any exist, are listed below or will be listed below over time.

Decor ▢ Respond and Discuss

Black/white/grey bullet button If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

DecorWhat Else is New


  1. Microsoft Thought Police

    Reprinted with permission from Ryan



  2. Links 08/02/2023: GNOME Smoother Scrolling of Text Views

    Links for the day



  3. Links 08/02/2023: Transmission 4.0.0 Released and Mass Layoffs at Zoom

    Links for the day



  4. IRC Proceedings: Tuesday, February 07, 2023

    IRC logs for Tuesday, February 07, 2023



  5. When the Pension Vanishes

    Today we commenced a multi-part mini-series about pensions and what happens when they suddenly vanish and nobody is willing to explain where all the money went



  6. Sirius 'Open Source' Pensiongate: An Introduction

    The Sirius ‘Open Source’ series continues in the form of a mini-series about pensions; it’s part of an ongoing investigation of a deep mystery that impacts people who left the company quite a long time ago and some of the lessons herein are applicable to any worker with a pension (at times of financial uncertainties)



  7. Links 07/02/2023: Endless OS 5.0 and Voice.AI GPL Violations

    Links for the day



  8. No Doubt Microsoft Unleashed Another 'Tay', Spreading Bigotry Under the Guise of Hey Hi (AI)

    Reprinted with permission from Ryan



  9. Links 07/02/2023: Fedora 39 Development Plans Outlines

    Links for the day



  10. IRC Proceedings: Monday, February 06, 2023

    IRC logs for Monday, February 06, 2023



  11. Links 06/02/2023: Escuelas Linux 8.0 and Many Political Issues

    Links for the day



  12. Links 06/02/2023: Sparky 6.6 and IPFire 2.27 – Core Update 173

    Links for the day



  13. Taking Back Control or Seizing Autonomy Over the News Cycle (Informing People, Culling the Marketing)





  14. Reality Versus Fiction: EPO Insiders Versus EPO Web Site and UPC 'Churnalists'

    The "official" sources of the European Patent Office (EPO), as well as the sedated "media" that the EPO is bribing for further bias, cannot tell the truth about this very large institution; for proper examination of Europe's largest patent office one must pursue the interpretation by longtime veterans and insiders, who are increasingly upset and abused (they're being pressured to grant patents in violation of the charter of the EPO)



  15. Links 06/02/2023: Linux 6.2 RC7 and Fatal Earthquake

    Links for the day



  16. IRC Proceedings: Sunday, February 05, 2023

    IRC logs for Sunday, February 05, 2023



  17. Links 05/02/2023: Wayland in Bookworm and xvidtune 1.0.4

    Links for the day



  18. Links 05/02/2023: Pakistan Blocks Wikipedia, Musharraf Dies

    Links for the day



  19. IRC Proceedings: Saturday, February 04, 2023

    IRC logs for Saturday, February 04, 2023



  20. Links 04/02/2023: FOSDEM Happening and Ken Thompson in SoCal Linux Expo

    Links for the day



  21. 2023 is the Year Taxpayers' Money Goes to War and Energy Subsidies, Not Tech

    Now that a lot of powerful and omnipresent ‘tech’ (spying and policing) companies are rotting away we have golden opportunities to bring about positive change and maybe even recruit technical people for good causes



  22. Getting Back to Productive Computer Systems Would Benefit Public Health and Not Just Boost Productivity

    “Smartphoneshame” (shaming an unhealthy culture of obsession with “apps”) would potentially bring about a better, more sociable society with fewer mental health crises and higher productivity levels



  23. Links 04/02/2023: This Week in KDE and Many More Tech Layoffs

    Links for the day



  24. Dotcom Boom and Bust, Round 2

    The age of technology giants/monopolies devouring everything or military-funded (i.e. taxpayers-subsidised) surveillance/censorship tentacles, in effect privatised eyes of the state, may be ending; the United States can barely sustain that anymore and raising the debt ceiling won't solve that (buying time isn't the solution)



  25. Society Would Benefit From a Smartphoneshame Movement

    In a society plagued by blackmail, surveillance and frivolous lawsuits it is important to reconsider the notion of “smart” phone ownership; these devices give potentially authoritarian companies and governments far too much power over people (in the EU they want to introduce new legislation that would, in effect, ban Free software if it enables true privacy)



  26. IRC Proceedings: Friday, February 03, 2023

    IRC logs for Friday, February 03, 2023



  27. IRC Proceedings: Thursday, February 02, 2023

    IRC logs for Thursday, February 02, 2023



  28. Links 03/02/2023: Proton 7.0-6 Released, ScummVM 2.7 Testing

    Links for the day



  29. Links 03/02/2023: OpenSSH 9.2 and OBS Studio 29.0.1

    Links for the day



  30. Links 03/02/2023: GNU C Library 2.37

    Links for the day


RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts