
02.09.17

OpenSUSE’s (or SUSE’s) Refusal to Publicly Acknowledge It Got Cracked Shows Face-Saving Arrogance Just Like Novell’s

Posted in Deception, Novell, OpenSUSE, Security, Servers, SLES/SLED at 6:16 am by Dr. Roy Schestowitz

SUSE (or MicroFocus) won’t even tell customers when its systems are in fact compromised


Summary: The same old and very notorious behaviour we found in Novell persists at SUSE under MicroFocus leadership; security neglected and keeping up appearances more important than honesty

TECHRIGHTS wrote many thousands of articles about Novell. We know Novell extremely well and we have documented its terrible behaviour for over half a decade, well before we began focusing on the EPO for example. As we shall show later, in a separate post, Microsoft’s and Novell’s “IP Peace of Mind” is making a comeback (as of last night), but right now we wish to focus on the crack I first wrote about on Monday (it has since then generated some press coverage, e.g. [1-3] below).

A lot of people still miss the key point. IDG went ahead with a rather misleading headline, as did Softpedia; rather than stating the actual news (that OpenSUSE got cracked), the title repeats or overstates the ‘damage control’ from SUSE, diverting attention to what was not affected rather than what was affected (a politician’s trick). We used to see a lot of that kind of spin back in the Novell days, and the two articles below, having sought comment from SUSE, give SUSE the benefit of the doubt here. Remember that no evidence has been presented by SUSE, and moreover the gross negligence here is a bad sign in general. That’s just “faith-based” security. My article about it was so short that it was mostly a screenshot, yet we understand that further coverage is on its way. So let’s elaborate a little. “They were using an outdated version of WordPress and got zapped,” one person wrote to me after I had published my findings. “It was just the front-end, no code was touched.” But says who? SUSE? Can we believe them?
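The claim quoted above, that the site ran an outdated WordPress, is the kind of thing an outside observer can check from public responses alone, without touching the server. The following is an added example written for this page; it is not code from the original post, nor from SUSE, openSUSE or MicroFocus. It fingerprints the WordPress version a site advertises (the generator meta tag, the `?ver=` query string on stock core assets, and `readme.html` if it was left in the document root) and compares it with a reference version. The sample HTML is constructed, and the reference version 4.7.2 is an assumed value for illustration, not a statement about what news.opensuse.org was running.

```python
"""Fingerprint the WordPress version a site advertises and flag it as outdated.

Added example, not from the original post. Works on saved/captured HTML so it
runs offline; the sample responses below are constructed, and the reference
version is an assumed value (in practice take it from WordPress's own
version-check API, which is not fetched here).
"""
import re
from typing import Optional, Tuple

# Assumed reference version for the comparison (illustrative only).
ASSUMED_CURRENT_VERSION = "4.7.2"

# <meta name="generator" content="WordPress X.Y.Z" /> is emitted by wp_head()
# on stock installs unless a theme or plugin strips it.
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)["\']',
    re.IGNORECASE,
)
# Core stylesheets and wp-embed carry ?ver=<core version> on stock installs.
# Bundled third-party libraries (e.g. jQuery) carry their own version, so they
# are deliberately not matched here.
ASSET_VER_RE = re.compile(
    r'/wp-includes/(?:css/[^"\'>\s?]+|js/wp-embed\.min\.js)\?ver=(\d+(?:\.\d+)+)',
    re.IGNORECASE,
)
# readme.html states the version in its logo heading: "<br /> Version X.Y.Z".
README_RE = re.compile(r'<br\s*/?>\s*Version\s+([\d.]+)', re.IGNORECASE)


def parse_version(v: str) -> Tuple[int, ...]:
    """'4.5.3' -> (4, 5, 3); tuples compare component-wise."""
    return tuple(int(p) for p in v.split("."))


def wordpress_version_from_html(html: str) -> Optional[str]:
    """Version advertised by the generator tag, else by core asset URLs."""
    m = GENERATOR_RE.search(html)
    if m:
        return m.group(1)
    m = ASSET_VER_RE.search(html)
    if m:
        return m.group(1)
    return None


def wordpress_version_from_readme(html: str) -> Optional[str]:
    """Version stated in a served readme.html, if the file was not removed."""
    m = README_RE.search(html)
    return m.group(1) if m else None


def is_outdated(found: str, current: str = ASSUMED_CURRENT_VERSION) -> bool:
    """True when the advertised version is older than the reference version."""
    return parse_version(found) < parse_version(current)


# Constructed sample responses (not captured from any real site).
SAMPLE_HOMEPAGE = """<html><head>
<meta name="generator" content="WordPress 4.5.3" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
</head><body>...</body></html>"""

# Same site with the generator tag stripped by a theme; core CSS still leaks it.
SAMPLE_HOMEPAGE_STRIPPED = """<html><head>
<link rel="stylesheet" href="/wp-includes/css/dashicons.min.css?ver=4.5.3" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
</head><body>...</body></html>"""

SAMPLE_README = """<h1 id="logo">
<img alt="WordPress" src="wp-admin/images/wordpress-logo.png" />
<br /> Version 4.5.3
</h1>"""


if __name__ == "__main__":
    for label, page in (("homepage", SAMPLE_HOMEPAGE),
                        ("stripped", SAMPLE_HOMEPAGE_STRIPPED)):
        v = wordpress_version_from_html(page)
        state = "outdated" if v and is_outdated(v) else "current or unknown"
        print(f"{label}: {v} ({state})")
    print("readme.html:", wordpress_version_from_readme(SAMPLE_README))
```

A version string gathered this way is only what the site advertises; a patched backport or a hidden generator tag can make it wrong in either direction, which is exactly why an operator's own statement, rather than an outsider's fingerprint, is what a post-incident report should contain.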

Whatever caused the defacement, it shows that they lost control of their platform. They did get cracked. Softpedia reported that “openSUSE devs immediately restored the news.opensuse.org website from a recent backup” (restoring from a backup implies that stored content on the server, not merely a cached front page, had been altered).

Nobody has yet covered that issue as properly as we hoped (poor security practices at SUSE), and the fact that they COMPLETELY FAILED or refused to publicly acknowledge what had happened is a serious aspect of it. We waited patiently to see if an announcement would be made, even a reassurance that users should not worry. But nothing came out, to this date (half a week later). They attempted to cover it up, which is BAD BAD BAD. For the so-called “Enterprise-Grade” thing which SUSE tries to market itself as (selling SLE*), this is a serious breach of trust. Who would trust SUSE now?

Three news sites and my own site wrote about it, but not a single word has been uttered by SUSE. They know they got cracked and they are not telling anyone, except when journalists ask them for comment (and press them with evidence).

OpenSUSE has a history of security issues in its sites (see “openSUSE Forum Hacked; 79500 Users Data Compromised” from 2014). Where are the reporters who are willing to ask SUSE some tough questions? Don’t let this slide. If someone injected a back door inside SLED and SLES, SUSE would probably say not a thing, only belatedly removing it and then lying about the whole thing, just like Microsoft does.

In the news:

  1. Kurdish Hacker Posts Anti-ISIS Message on openSUSE’s Website, Data Remains Safe

    Softpedia was informed by Dr. Roy Schestowitz that the openSUSE News (news.opensuse.org) website got defaced by Kurdish hacker MuhmadEmad on the day of February 6, 2017.

    It would appear that the server where the news.opensuse.org website is hosted is isolated from the rest of openSUSE’s infrastructure, which means that the hacker did not have access to any contributor data, such as email and passwords, nor to the ISO images of the openSUSE Linux operating system.

    We already talked with openSUSE Chairman Richard Brown, who confirms for Softpedia that the offered openSUSE downloads remain safe and consistent, and users should not worry about anything. The vigilant openSUSE devs immediately restored the news.opensuse.org website from a recent backup, so everything is operating normally at this time.

  2. OpenSUSE site hacked; quickly restored

    The openSUSE team acted quickly to restore the site. When I talked to Richard Brown, openSUSE chairman, he said that “the server that hosts ‘news.opensuse.org’ is isolated from the majority of openSUSE infrastructure by design, so there was no breach of any other part of openSUSE’s infrastructure, especially our build, test and download systems. Our offered downloads remain safe and consistent and there was no breach of any openSUSE contributor data.”

    The team is still investigating the reason for the breach so I don’t have much information. The site ran a WordPress install and it seems that WordPress was compromised.

    This site is not managed by the SUSE or openSUSE team. It is handled by the IT team of MicroFocus. However, Brown said that SUSE management certainly doesn’t want any such incident to happen again and they are considering moving the site to the infrastructure managed by SUSE and openSUSE team.

  3. Best Distros, openSUSE Whoops, Debian 9 One Step Closer

    In the latest Linux news, the news.opensuse.org got hacked and displayed “KurDish HaCk3rS WaS Here” for a while Monday and while the site has been restored, no comment on the hack has been issued. Elsewhere, Debian 9.0 has entered its final freeze in the last steps in preparations for release. FOSS Force has named their winner for top distro of 2016 and Swapnil Bhartiya shared his picks for the best for 2017. Blogger DarkDuck said MX-16 Xfce is “very close to the ideal” and Alwan Rosyidi found Solus OS is giving Elementary OS a run for its money. Phoronix.com’s Michael Larabel explained why he uses Fedora and Jeremy Garcia announced the winners of the 2016 LinuxQuestions.org Members Choice Awards.

    [...]

    openSUSE’s news portal was compromised Monday by a hacker or group of hackers called MuhmadEmad, via the message left in its place. A Kurdish flag with the message “HaCkeD by MuhmadEmad – KurDish HaCk3rS WaS Here” was displayed for hours before it was taken down and the site’s content restored. Roy Schestowitz has a screen capture and said that openSUSE has not yet publicly acknowledged the hack. Swapnil Bhartiya spoke to Richard Brown, openSUSE chairman, who said that site was isolated from most SUSE infrastructure, especially the distribution code. There was no breach of any contributor data either. The site in question is run by MicroFocus, but all are investigating to make sure it’s an isolated incident.
