
02.09.17

OpenSUSE’s (or SUSE’s) Refusal to Publicly Acknowledge It Got Cracked Shows Face-Saving Arrogance Just Like Novell’s

Posted in Deception, Novell, OpenSUSE, Security, Servers, SLES/SLED at 6:16 am by Dr. Roy Schestowitz

SUSE (or MicroFocus) won’t even tell customers when its systems are in fact compromised


Summary: The same old and notorious behaviour we saw at Novell persists at SUSE under MicroFocus leadership: security is neglected, and keeping up appearances matters more than honesty

TECHRIGHTS wrote many thousands of articles about Novell. We know Novell extremely well and we have documented its terrible behaviour for over half a decade, long before we began focusing on the EPO, for example. As we shall show later, in a separate post, Microsoft’s and Novell’s “IP Peace of Mind” is making a comeback (as of last night), but right now we wish to focus on the crack I first wrote about on Monday (it has since generated some press coverage, e.g. [1-3] below).

A lot of people still miss the key point. IDG went ahead with a rather misleading headline, as did Softpedia: rather than stating the actual news (that OpenSUSE got cracked), the titles repeat or even overstate the ‘damage control’ from SUSE, diverting attention to what was not affected rather than what was affected (a politician’s trick). We used to see a lot of that kind of spin back in the Novell days, and the two articles below, having sought comment from SUSE, give SUSE the benefit of the doubt here. Remember that no evidence has been presented by SUSE, and the gross negligence here is a bad sign in general. That is just “faith-based” security. My article about it was so short that it was mostly a screenshot, yet we understand that further coverage is on its way, so let’s elaborate a little. “They were using an outdated version of WordPress and got zapped,” one person wrote to me after I had published my findings. “It was just the front-end, no code was touched.” But says who? SUSE? Can we believe them?

Whatever caused the defacement, it shows that they lost control of their platform. They did get cracked. Softpedia reported that “openSUSE devs immediately restored the news.opensuse.org website from a recent backup” (so the back end, too, appears to have been compromised).

Nobody has yet covered that issue as properly as we hoped (poor security practices at SUSE), and the fact that they COMPLETELY FAILED or refused to publicly acknowledge what had happened is a serious aspect of it. We waited patiently for an announcement, even a mere reassurance that users should not worry, but nothing has come out to this date (half a week later). They attempted to cover it up, which is BAD BAD BAD. For a company that tries to market itself as “Enterprise-Grade” (selling SLE*), this is a serious breach of trust. Who would trust SUSE now?

Three news sites and my own site wrote about it, but not a single word has been uttered by SUSE. They know they got cracked and they are not telling anyone, except when journalists ask them for comment (and press them with evidence).

OpenSUSE has a history of security issues on its sites (see “openSUSE Forum Hacked; 79500 Users Data Compromised” from 2014). Where are the reporters who are willing to ask SUSE some tough questions? Don’t let this slide. If someone injected a back door inside SLED and SLES, SUSE would probably say not a thing, only belatedly removing it and then lying about the whole thing, just like Microsoft does.

In the news:

  1. Kurdish Hacker Posts Anti-ISIS Message on openSUSE’s Website, Data Remains Safe

    Softpedia was informed by Dr. Roy Schestowitz that the openSUSE News (news.opensuse.org) website got defaced by Kurdish hacker MuhmadEmad on the day of February 6, 2017.

    It would appear that the server where the news.opensuse.org website is hosted is isolated from the rest of openSUSE’s infrastructure, which means that the hacker did not have access to any contributor data, such as email and passwords, nor to the ISO images of the openSUSE Linux operating system.

    We already talked with openSUSE Chairman Richard Brown, who confirms for Softpedia that the offered openSUSE downloads remain safe and consistent, and users should not worry about anything. The vigilant openSUSE devs immediately restored the news.opensuse.org website from a recent backup, so everything is operating normally at this time.

  2. OpenSUSE site hacked; quickly restored

    The openSUSE team acted quickly to restore the site. When I talked to Richard Brown, openSUSE chairman, he said that “the server that hosts ‘news.opensuse.org’ is isolated from the majority of openSUSE infrastructure by design, so there was no breach of any other part of openSUSE’s infrastructure, especially our build, test and download systems. Our offered downloads remain safe and consistent and there was no breach of any openSUSE contributor data.”

    The team is still investigating the reason for the breach so I don’t have much information. The site ran a WordPress install and it seems that WordPress was compromised.

    This site is not managed by the SUSE or openSUSE team. It is handled by the IT team of MicroFocus. However, Brown said that SUSE management certainly doesn’t want any such incident to happen again and they are considering moving the site to the infrastructure managed by SUSE and openSUSE team.

  3. Best Distros, openSUSE Whoops, Debian 9 One Step Closer

    In the latest Linux news, the news.opensuse.org got hacked and displayed “KurDish HaCk3rS WaS Here” for a while Monday and while the site has been restored, no comment on the hack has been issued. Elsewhere, Debian 9.0 has entered its final freeze in the last steps in preparations for release. FOSS Force has named their winner for top distro of 2016 and Swapnil Bhartiya shared his picks for the best for 2017. Blogger DarkDuck said MX-16 Xfce is “very close to the ideal” and Alwan Rosyidi found Solus OS is giving Elementary OS a run for its money. Phoronix.com’s Michael Larabel explained why he uses Fedora and Jeremy Garcia announced the winners of the 2016 LinuxQuestions.org Members Choice Awards.

    [...]

    openSUSE’s news portal was compromised Monday by a hacker or group of hackers called MuhmadEmad, via the message left in its place. A Kurdish flag with the message “HaCkeD by MuhmadEmad – KurDish HaCk3rS WaS Here” was displayed for hours before it was taken down and the site’s content restored. Roy Schestowitz has a screen capture and said that openSUSE has not yet publicly acknowledged the hack. Swapnil Bhartiya spoke to Richard Brown, openSUSE chairman, who said that site was isolated from most SUSE infrastructure, especially the distribution code. There was no breach of any contributor data either. The site in question is run by MicroFocus, but all are investigating to make sure it’s an isolated incident.

