
02.09.17

OpenSUSE’s (or SUSE’s) Refusal to Publicly Acknowledge It Got Cracked Shows Face-Saving Arrogance Just Like Novell’s

Posted in Deception, Novell, OpenSUSE, Security, Servers, SLES/SLED at 6:16 am by Dr. Roy Schestowitz

SUSE (or MicroFocus) won’t even tell customers when its systems are in fact compromised


Summary: The same old and very notorious behaviour we found in Novell persists at SUSE under MicroFocus leadership; security neglected and keeping up appearances more important than honesty

TECHRIGHTS wrote many thousands of articles about Novell. We know Novell extremely well and we have documented its terrible behaviour for over half a decade, well before we began focusing on the EPO for example. As we shall show later, in a separate post, Microsoft’s and Novell’s “IP Peace of Mind” is making a comeback (as of last night), but right now we wish to focus on the crack I first wrote about on Monday (it has since then generated some press coverage, e.g. [1-3] below).

A lot of people still miss the key point. IDG went ahead with a rather misleading headline, as did Softpedia: rather than state the actual news (that OpenSUSE got cracked), the titles lead with SUSE’s ‘damage control’, diverting attention to what was not affected rather than what was affected (a politician’s trick). We used to see a lot of that kind of spin back in the Novell days, and the two articles below that sought comment from SUSE give SUSE the benefit of the doubt. Remember that no evidence has been presented by SUSE, and the gross negligence here is a bad sign in general. That is just “faith-based” security. My article about it was so short that it was mostly a screenshot, but we understand that further coverage is on its way, so let’s elaborate a little. “They were using an outdated version of WordPress and got zapped,” one person wrote to me after I had published my findings. “It was just the front-end, no code was touched.” But says who? SUSE? Can we believe them?

Whatever caused the defacement, it shows that they lost control of their platform. They did get cracked. Softpedia reported that “openSUSE devs immediately restored the news.opensuse.org website from a recent backup”; a restore from backup means the stored content, not merely what a visitor saw, had been altered (so the back end too appears to have been compromised). Nobody has shown what else on that server was touched.
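The only way to settle “it was just the front-end, no code was touched” is with evidence: hash the web root and compare it against a manifest taken from a known-good install, so that every added, removed or modified file is listed rather than assumed. The following is an added example written for this article, not code from the Techrights post, from SUSE, or from openSUSE; the directory layout, file names and contents are constructed here to illustrate the check and are assumptions, not the real news.opensuse.org deployment.

```python
"""Added example (not from the post or from SUSE/openSUSE): a minimal
file-integrity diff that answers "was only the front end touched?" with a
list of changed files instead of assurances. It hashes a web root, compares
it to a baseline manifest from a known-good install, and reports additions,
removals and modifications. The web root used below is constructed in a
temporary directory for illustration (an assumption, not a real deployment)."""
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256.

    os.walk is used rather than Path.rglob so that hidden files such as a
    dropped '.cache.php' are never skipped by a glob convention."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return added, removed, modified


def write_tree(root, files):
    """Write {relative path: text} into root, creating parent directories."""
    for rel, content in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


def demo():
    """Constructed scenario: a clean install, then a defacement that also
    drops a PHP file under uploads/, the kind of persistence a 'front-end
    only' story does not account for. Returns (added, removed, modified)."""
    clean = {
        "index.php": "<?php require 'wp-blog-header.php';",
        "wp-content/themes/site/header.php": "<html><title>News</title>",
        "wp-content/uploads/2017/02/logo.png": "PNG",
    }
    with tempfile.TemporaryDirectory() as webroot:
        write_tree(webroot, clean)
        baseline = build_manifest(webroot)
        # Simulated incident: theme template defaced, backdoor dropped.
        write_tree(webroot, {
            "wp-content/themes/site/header.php": "<html><title>HaCkeD</title>",
            "wp-content/uploads/2017/02/.cache.php": "<?php eval($_POST['c']);",
        })
        return diff_manifests(baseline, build_manifest(webroot))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added)
    print("removed:", removed)
    print("modified:", modified)
```

In practice the baseline manifest is taken from the release tarball or from a snapshot made before the site went live, and the comparison is run against the compromised host (or a forensic image of it) before anything is restored from backup; restoring first destroys exactly the evidence that would show whether only the theme was touched.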

Nobody has yet covered that issue as properly as we hoped (poor security practices at SUSE), and the fact that they COMPLETELY FAILED or refused to publicly acknowledge what had happened is a serious aspect of it. We waited patiently to see if an announcement would be made, even a reassurance that users should not worry. But nothing came out, and nothing has to this date (half a week later). They attempted to cover it up, which is BAD BAD BAD. For a so-called “Enterprise-Grade” company, which is how SUSE markets itself (selling SLE*), this is a serious breach of trust. Who would trust SUSE now?

Three news sites and my own site wrote about it, but not a single word has been uttered by SUSE. They know they got cracked and they are not telling anyone, except when journalists ask them for comment (and press them with evidence).

OpenSUSE has a history of security incidents on its sites (see “openSUSE Forum Hacked; 79500 Users Data Compromised” from 2014). Where are the reporters willing to ask SUSE some tough questions? Don’t let this slide. If someone injected a back door into SLED and SLES, SUSE would probably say nothing, only belatedly removing it and then lying about the whole thing, just like Microsoft does.

In the news:

  1. Kurdish Hacker Posts Anti-ISIS Message on openSUSE’s Website, Data Remains Safe

    Softpedia was informed by Dr. Roy Schestowitz that the openSUSE News (news.opensuse.org) website got defaced by Kurdish hacker MuhmadEmad on the day of February 6, 2017.

    It would appear that the server where the news.opensuse.org website is hosted is isolated from the rest of openSUSE’s infrastructure, which means that the hacker did not have access to any contributor data, such as email and passwords, nor to the ISO images of the openSUSE Linux operating system.

    We already talked with openSUSE Chairman Richard Brown, who confirms for Softpedia that the offered openSUSE downloads remain safe and consistent, and users should not worry about anything. The vigilant openSUSE devs immediately restored the news.opensuse.org website from a recent backup, so everything is operating normally at this time.

  2. OpenSUSE site hacked; quickly restored

    The openSUSE team acted quickly to restore the site. When I talked to Richard Brown, openSUSE chairman, he said that “the server that hosts ‘news.opensuse.org’ is isolated from the majority of openSUSE infrastructure by design, so there was no breach of any other part of openSUSE’s infrastructure, especially our build, test and download systems. Our offered downloads remain safe and consistent and there was no breach of any openSUSE contributor data.”

    The team is still investigating the reason for the breach so I don’t have much information. The site ran a WordPress install and it seems that WordPress was compromised.

    This site is not managed by the SUSE or openSUSE team. It is handled by the IT team of MicroFocus. However, Brown said that SUSE management certainly doesn’t want any such incident to happen again and they are considering moving the site to the infrastructure managed by SUSE and openSUSE team.

  3. Best Distros, openSUSE Whoops, Debian 9 One Step Closer

    In the latest Linux news, the news.opensuse.org got hacked and displayed “KurDish HaCk3rS WaS Here” for a while Monday and while the site has been restored, no comment on the hack has been issued. Elsewhere, Debian 9.0 has entered its final freeze in the last steps in preparations for release. FOSS Force has named their winner for top distro of 2016 and Swapnil Bhartiya shared his picks for the best for 2017. Blogger DarkDuck said MX-16 Xfce is “very close to the ideal” and Alwan Rosyidi found Solus OS is giving Elementary OS a run for its money. Phoronix.com’s Michael Larabel explained why he uses Fedora and Jeremy Garcia announced the winners of the 2016 LinuxQuestions.org Members Choice Awards.

    [...]

    openSUSE’s news portal was compromised Monday by a hacker or group of hackers called MuhmadEmad, via the message left in its place. A Kurdish flag with the message “HaCkeD by MuhmadEmad – KurDish HaCk3rS WaS Here” was displayed for hours before it was taken down and the site’s content restored. Roy Schestowitz has a screen capture and said that openSUSE has not yet publicly acknowledged the hack. Swapnil Bhartiya spoke to Richard Brown, openSUSE chairman, who said that site was isolated from most SUSE infrastructure, especially the distribution code. There was no breach of any contributor data either. The site in question is run by MicroFocus, but all are investigating to make sure it’s an isolated incident.

