05.03.20
Posted in Microsoft, Security, Windows at 10:57 pm by Dr. Roy Schestowitz
When your hospital runs software with NSA back doors that crackers are aware of, familiar with, and ready to exploit using the NSA’s leaked software tools
Summary: Gag orders prevent hospital staff from talking about Microsoft Windows bringing hospitals to a standstill following attacks on Windows itself (a trivial task for even inexperienced crackers looking for some cryptocurrency while people’s lives are at stake)
THE reluctance to use GNU/Linux (or BSD/UNIX) at hospitals is noteworthy. It’s simply irrational to put on such absolutely critical systems a proprietary operating system which, as is already widely known, has contained back doors for decades. It’s beyond reckless and people who sign off the paperwork ought to be held accountable.
“It’s beyond reckless and people who sign off the paperwork ought to be held accountable.”An introduction to this topic was published some old morning (last year). We recently learned about hospitals that had been victims of ransomware. The details are not pretty. To say the least…
Our goal here isn’t to name the hospitals and definitely not to name sources. Instead, in order to protect our sources, we are going to specify details as vaguely as possible (times, names, locations).
“I can’t talk about it in public,” one source told us, “of course [...] and I don’t know all of the details but it’s much more brutal than the happy stories you see in the news where the criminals are paid off and things are back to normal in three days.”
“Instead, in order to protect our sources, we are going to specify details as vaguely as possible (times, names, locations).”We have been presented some evidence to show what happened. We cannot reproduce it here as that might harm the privacy of sources and patients alike. What the evidence shows is direct disruption to hospitals’ operations. In the departments concerned it may be a question of life and death.
“The network and electronic medical records systems have been down for more than a week,” one person told us. “Some kind of malware jumped out of an email and quickly took over the network. In particular, the [redacted] system was “destroyed” and and doctors have to walk themselves to see any CT imaging. Even that’s pretty useless because they have no way to access patient records. The emergency room has been shut down, all patients are sent to other clinics. I wonder if they have the capacity.”
They probably don’t.
“As readers can probably understand, publishing the evidence online isn’t practical as it would lead to reprisal.”“It was all Windows, of course,” the person added. “Even the [redacted] system was running on Microsoft because the IT people were complete Microsoft flunkies.”
As one might expect.
“Hospital staff is terrified and won’t say much,” we learned. “They are under threat of job loss if anything gets out. That, I suppose, includes me.”
Patients should never be rendered hostages with ransom money. But this is a Microsoft gift that keeps ‘giving’.
In the next part we’ll present further discussion. As readers can probably understand, publishing the evidence online isn’t practical as it would lead to reprisal. It’s a tricky issue to cover, but it is doable. We have supporting material for everything. █
Permalink
Send this to a friend
Posted in Microsoft, Security, Windows at 10:40 pm by Dr. Roy Schestowitz
The company co-founded by Bill Gates would be held accountable for manslaughter had it not been so politically connected (while media omits the role of Microsoft’s shoddy products)
2013: Bill Gates “Uploaded a Virus he Had Written and Caused the Entire Network to Crash.”
Summary: The media may not be making it apparent (deliberate obfuscation), but many people die every day just because a lot of hospitals still use Microsoft Windows with NSA back doors
TODAY we publish something a little different, partitioned and redacted so as to best protect our sources. It would be nice to just put it all ‘out there’, revealing all the gory (sometimes literally) details, but that would be counterproductive if it might hurt our sources.
“I work among people who do research, looking to discover causes of disease and possible cures/aversions.”This series has been very long in the making, nearly a whole year in fact, and the pandemic makes it ever more relevant. We’ve decided we can no longer keep it to ourselves and the time is right to responsibly publish what we know. We’re going to stick to the facts, based on the supportive evidence we have, and we’ll leave it for readers to draw conclusions.
At work our main client is the NHS (when I say “our” I mean my wife and I). I work among people who do research, looking to discover causes of disease and possible cures/aversions. I’ve been hearing quite a few hospital stories lately. About Microsoft… well, the role in manslaughter by technical sabotage is apparent to me. We can leave aside the question of who should be held accountable, be it the person who signs of the procurement papers or Microsoft itself.
“One pattern we’ve seen all along is that technical staff at hospitals is well aware of these problems. Some are afraid to speak about it with managers and managers themselves aren’t particularly receptive or helpful. They’d rather cover up scandals than deal with them openly.”I invite readers who have relevant information to share it with Techrights. We promise to handle it responsibly. I am keeping notes and indexes of all that’s sent to me on a locked-down machine that doesn’t contain proprietary software other than Wi-Fi firmware. One day, one way or another, the truth on this will come out. When the time is right. We just need the evidence at hand; shall someone choose to challenge claims made here, we can back those up with evidence, either privately or publicly (depending on sensitivity).
One pattern we’ve seen all along is that technical staff at hospitals is well aware of these problems. Some are afraid to speak about it with managers and managers themselves aren’t particularly receptive or helpful. They’d rather cover up scandals than deal with them openly. I am familiar with the experience of clueless managers at work (no technical knowledge at all) and what sources describe to us is far from outlandish. What they describe is a very common problem. You’re not alone, technical people who work at hospitals! You may feel alone in the context of the work, but many people in other workplaces experience the same thing.
Means of contacting us have not changed and we can handle encryption just fine. Without further ado, let’s get this thing started. █
Permalink
Send this to a friend
Posted in Site News at 9:12 pm by Dr. Roy Schestowitz
Yesterday’s remark from Tim Schwab, who closely studied these matters
Summary: Now that many if not most news sites are in the business of selling something (not information but agenda) our work here is needed more than ever; we’re turning 13.5 this week
THIS WEEK we turn 13.5 years. I was 24 when the site started, working towards finishing my Ph.D. thesis at the time.
Shane and I met in Digg.com — a site many consider to be the first real “social network”. The idea of Boycott Novell was his and he wanted me, a SUSE user at the time, to join him. I soon did. Believe it or not, back then in 2006 the site’s theme was more or less identical to what it is today (we’ve tweaked it a little since) and mostly the scope expanded. From writing short posts without pictures we soon evolved — seeing a sharp growth in traffic — to long form, complete with pictures and lots of additional stuff. By 2008 we already needed to leave shared hosting and have our own virtual machine. Nowadays we have a dedicated physical server, albeit shared with Tux Machines.
“Last month we modernised the site at the back end by adopting containers.”Over the weekend, despite not publishing much (new articles), we still delivered an average of over 2GB of traffic per hour. We actually saw an increase this past year and since the pandemic began we’ve seen no noticeable difference. We carry on going.
Last month we modernised the site at the back end by adopting containers. That also meant some upgrades and we now have a more stable system which should have fewer and shorter downtimes. Last week we spent a number of hours updating the Wiki, bringing more of it up to date (to the extent feasible). Many EPO insiders (and outsiders alike, to a lesser degree) use the wiki as an index of news about their workplace. We totally support EPO staff in the face of Campinos/Battistelli tyranny. Oddly enough, we’ve been focused on this issue since the summer of 2014, which means almost half the lifetime of this site. Last year, after working on workflow improvements, we returned to covering Free software and software freedom perils on a more frequent basis. It was long overdue, considering the age of the entryism, including the abduction of GitHub in 2018.
“In terms of stability, we’re doing alright and our morale is high.”Today, or overnight, I am toiling or hacking on some code, trying to make things more efficient; anything that can be automated, e.g. IRC logging (and generation of HTML logs), is being increasingly automated. That leaves us more time for writing. A decade ago we managed to produce about 10 daily posts, on average, but with a full-time job (to pay the bills) I cannot do that anymore. Looking over at Phoronix, Michael too seems to be struggling somewhat. Aside from the fact there’s not as much stuff to cover (the pandemic means fewer announcements are made), his wife recently lost her job, months ago they had their first baby, and the economy in general went down the toilet. This sort of ‘downturn’ is guaranteed to kill a large number of Web sites, as every recession does. The same is true for businesses of all sorts. We still don’t know when — if ever — we can go back to the gym. Life may never feel the same after this pandemic. “Consumer confidence” as they call it hit rock bottom; people feel reluctant to spend money and more importantly they don’t feel safe enough going outside, except for essential tasks like food-buying. People don’t want to get ill, either, knowing that hospital wards are already full and may be too contaminated to be worth the risk (going to the hospital for non-critical issues may be more dangerous than staying home because of risk of contracting something else). As it stands, cancer diagnosis rates have gone down, quite likely due to reduced capacity to screen and detect. So there’s an inadvertent and indirect death toll, too. Historians may assess that one day.
In terms of stability, we’re doing alright and our morale is high. Many people out there are starting to lose their sanity (various factors contribute to this) and boredom leads people to nutty conspiracy theories that the online “conspiracy industry” can reaffirm. Back in February we wrote about the role of envy (when empires decline or altogether fall it’s easy to become jealous of those who pick up the pieces, inheriting what was built).
Please be very well aware that the Web is becoming polluted with unbacked conspiracy theories; we’re almost embarrassed to see some of the people who link to Techrights, distorting what we actually said. We gave some examples before. We’re more strict than ever about fact-checking and some articles take weeks to write because of the research they require. We’re hardly being bashed online anymore and that’s a positive sign. We intend to keep it that way. █
Permalink
Send this to a friend
Posted in Free/Libre Software, GNU/Linux, Microsoft at 3:05 pm by Dr. Roy Schestowitz
Guest post by figosdev
Summary: Any project of GNU going into GitHub is making it seem or feel acceptable for GNU projects to be ‘outsourced’ to Microsoft; so what does it mean to have some of GNU inside the proprietary software jail of Microsoft? The first part deals with GNU projects that have GitHub dependencies.
Microsoft’s takeover of free software is fascinating, but where can the line be drawn? I treat this as both a hypothetical question and a practical one, because I’ve spent years boycotting Microsoft and ever since they purchased GitHub, I’ve noticed that’s become next to impossible. “A source repo on every desk…”
Originally I thought perhaps we could boycott projects that are based on GitHub, since hey — there’s some cool stuff there but it’s just some applications, right? Then I noticed full programming languages and libraries. Oh… Node.js, that sucks. CPython, oh well, there are other implementations. Perl, hmm…
Then I noticed several GNU/Linux distros volunteer to be captured by Microsoft. I mean I’m not going to be using those — oh, it’s a lot. I’ve already gone to the trouble of figuring out that out of 275 active distros on DistroWatch, if you really want to boycott GitHub you’re down to at most, 33. No, not 33 percent — 33 distros, including Tiny Core! Not including Trisquel. Trisquel is captive to an anti-GPL monopoly via its stupid, stupid “init” system. (Cuckoo OS, more like).
But we can always build our own distro, Eh? So let’s take apart Tiny Core, I figured — It’s incredibly modular, it should be a piece of cake to remove the parts controlled by Microsoft, right?
“Microsoft has Gtk yoked by something glib2 needs.”The kernel isn’t libre, I know. I’ve wanted a linux-libre kernel (or at least a Debian blob-free kernel) for TC for ages. Maybe the blobs are in tcz packages. But I think if TC had a blob-free kernel it would be advertised as such.
I once hoped Alex Oliva would consider making a libre kernel for TC, but that’s getting ahead of ourselves a bit. I’ve never been interested in maintaining a kernel, I only got into remixing distros because I wasn’t paying attention.
I created scripts a year or two ago to remix Tiny Core and create tcz packages. They’re basically squashfs files, which TC “installs” by mounting them. Ok, that’s no big deal. Oh, development of squashfs-tools has moved to GitHub. Lovely. But the kernel portion is still developed where it should be. I take this as meaning that the Linux kernel can mount tcz, it just can’t produce them. Ok, I guess we can use files that are mkfs’d to ext3 instead. That’s a GitHub-free solution, we can worry about compressing them later.
What we really need to do is figure out what to remove, and that’s going to take some research. I’ve already started figuring out which TC packages can be dropped.
Those red boxes are packages for things based on GitHub, but the gold boxes are packages that need things like libffi which is based on GitHub. Just so you know, libffi is pulled in by glib2. The GUI apps (Gtk at least) need libffi, so that’s at least one serious “Gotcha” already. Microsoft has Gtk yoked by something glib2 needs.
I don’t always trust Debian dependencies, but they’re certainly illustrative — here’s the page for glib2: https://packages.debian.org/buster/libglib2.0-0 it needs libffi6. Oh, fun — it also needs zlib1g. This is needed for loading png graphics, so anywhere you find a png, you need GitHub. No, this isn’t because of glib2. Zlib1g is also developed on GitHub, and is needed along with libpng for loading or saving png graphics.
In the past, Microsoft has killed off lots of its acquisitions to hurt competitors, so the scenario I’m assuming is one where it decides to start killing (or taking over) free software projects it doesn’t care about.
“There ought to be an exodus.”When Oracle tried this with OpenOffice, the developers simply left and forked it. That’s exactly what they should do, but in this instance, developers have loads of warning. And they’re just sitting on Microsoft’s repos like it’s no big deal, letting their projects become further and further entrenched. I’m well aware of the fact that not everybody who develops on GitHub actually cares about software freedom. That’s another reason not to develop there.
So imagine Microsoft forcing several such forks at the same time. Build systems for distros everywhere would be thrown into disarray. It’s not that the scenario will necessarily be worst-case, but I expect Microsoft intends to get their money’s worth. There ought to be an exodus.
If we are trying to escape, at least we can figure out where free software has its foot caught in a proverbial bear trap.
Libffi? Not good. Zlib1g and png graphics? Whoa, someone fix that. Lately I’m saving screencaps with JPEG in protest, which is certainly not ideal. The GIF patent has expired, but it only does 8-bit colour. I guess there’s still X PixMap, right? We can do 24-bit graphics with xpm.xz (XZ-utils are not GitHub-based. I think they originated with a couple of Slackware developers.)
I’ve made my way from Tiny Core to Trisquel looking for GitHub vulnerable projects, and finally from Trisquel directly to the GNU project itself. It isn’t good, folks.
This is Part 1, implying that there will be a Part 2 if not a Part 3, but I’ve only looked through a fraction of the GNU projects and here’s what I’ve already found:
The GNU project uses Perl — a lot!
“The GNU project uses Perl — a lot!”I don’t compile a lot of programs, personally. I’ve spent hours editing and recompiling one C++ program, I’ve edited and compiled one minor C program, mostly I work with scripting languages (though I do use source-to-source compilers a lot).
If there are obvious mistakes or less obvious misconceptions I’m presenting when I talk about some of the details, I hope you’ll mention it in the comments. I’m sure there will be a few differences of opinion as well.
But let’s start with Automake. Automake is used for a large number of GNU packages — it depends on Perl. Perl is on GitHub. That’s not good, hackers — that’s not good.
Many GNU sources have a file called “missing” which I believe is Automake-related. This file often informs the user that they will need Perl (and links to perl.org so they can get it) and it links to flex on GitHub. There’s another one. Of course some of the GNU sources are so old they still link to the flex on SourceForge. Here’s a fun fact: GNU Savannah is a fork of SourceForge from when it was still free software.
Flex, lex, Yacc and Bison are all related — lex is a lexer, flex is an alternative, Bison is an alternative to Yacc and Bison often uses flex to get tokens. The problem is that flex is GitHub-based. This is not good. Plus, Automake also wants flex. So whatever sort of creek we are in, our paddle is slowly transforming into a tiny little stick.
A lot of GNU sources include texinfo files. Texinfo seems to need Perl as well.
VERA includes a Perl script, vc-dwim is a Perl script (missing wants flex anyway) WB B-tree Associative Arrays seems to include C Sharp code (so you’ll need Mono, which the FSF warned against and which is based on GitHub) XBoard uses png files, Xnee includes pnee which uses Gtk and png.
As mentioned, Gtk brings in glib2 which brings in libffi, which is based on GitHub — while Gtk2 and Gtk3 are not based on GitHub, if you’re looking for Gtk1, GitHub is where it appears to be.
Some of these old GNU programs appear to use Gtk1, so whether each one is GitHub-based because of libffi or GitHub-based because of Gtk1, is a detail I’ve mostly ignored.
Units includes units_cur which is a Python script and texi2man which is a Perl script.
“Texinfo seems to need Perl as well.”The thing about Python is that CPython is the most often-used implementation, including in the GNU project, and CPython is based on Microsoft GitHub. PyPy is a great drop-in replacement, though it doesn’t work on everything.
You can’t always tell when you find yourself in front of a Python script, whether it needs CPython (thus GitHub) or not. So Python is worth watching for, but only proves to be a GitHub hostage sometimes.
Taylor UUCP uses Perl, Tex for the impatient uses png files in docs, Texinfo uses Perl, Hurd includes gitlog-to-changelog which calls Perl, GNU Readline includes texi2html and texti2dvi, which use Perl.
GNU Shepherd has png files in /doc and perl and flex in missing. Gnu Telecom has a png file. Sather has a Perl script called ps2gif. Spread Sheet Widget uses Gtk, SQLtutor has pngs in the docs. Swbis appears to need Python and python-devel.
Queue is dumped in favour of GNU Parallel, which uses Perl. Ring redirects to GNU Jami, which uses Python.
PythonWebkit obviously needs Python; pyconfigure may get away with PyPy as a replacement. PSPP uses Perl and png files with a GUI in Gtk. Proxyknife has Perl code in the docs and in configure.
Doxyfile is one to watch for in the sources. I believe this is created by Doxygen, which is used to created documentation from source code. Doxygen is based on GitHub.
PowerGuru has a png and lots of Python code, oleo has png in docs and uses plotutils, which support png. Ocrad has a png in /archive. Occhiolino uses Python. MetaHTML uses perl.h.
Mac Changer hasn’t updated in years, but like GNU Radio is a GNU project that’s based on GitHub — really not good. I can’t figure out why GNU Radio hasn’t tried to move though. That still gets worked on, unlike Mac Changer.
GNU LibreJS, a tool I cheered on for ages waiting for it to be created, uses Jasmine, a Javascript library which is based on GitHub: http://git.savannah.gnu.org/cgit/librejs.git/tree/build.sh
In fact build.sh downloads it directly from Microsoft, which I think shows a bit too much trust given that this plugin goes directly into GNU IceCat:
JASMINE_URL=”https://GitHub.com/jasmine/jasmine/releases/download/v$JASMINE_VER/jasmine-standalone-$JASMINE_VER.zip”
curl -L -o “$JASMINE_LIB.zip” “$JASMINE_URL” && unzip -d test/ $JASMINE_LIB.zip lib/**
We’ve all done something like this, but this is exactly where it shouldn’t be done.
Make also seems to need Perl, it may or may not need Python.
“The FSF already warns people against non-free repos such as GitHub. While self-hosting is certainly better, many people won’t and my advice to them is at least choose a non-profit organisation for hosting their code.”This only covers a portion of the GNU project, but let’s tally up what needs to happen for the GNU Project to not rely so heavily on the good will of its most dedicated foe:
1. Fork or make an official GNU mirror of Perl. If Perl goes, GNU is just about done.
2. The same applies for zlib1g as well. This library was invented and/or promoted specifically to avoid GIF-related patent traps! Now it’s controlled by the world’s second-biggest patent troll (the other sponsors the FSF. Great.)
3. Figure out libffi. I can’t tell you more, I only know it helps things like Python use things like ctypes (“foreign functions”).
4. Start using PyPy more, when possible. CPython is a trap. Note that PyPy has some major limitations. I’m very fond of it, any limitation it has I’m hoping for the best.
5. Write something justifying support of Mono in WB B-tree Associative Arrays. I would suggest removing that part of the code, but that seems unlikely.
6. That LibreJS code could be fixed today. At least mirror Jasmine in the LibreJS tree.
7. The FSF already warns people against non-free repos such as GitHub. While self-hosting is certainly better, many people won’t and my advice to them is at least choose a non-profit organisation for hosting their code.
Gitea is also developed on GitHub, so it’s a bit odd that they’re touting it as an alternative. If it’s an alternative, why not move Gitea off GitHub then? (at least move it to GitLab).
I never did trust Google Code, of course. For-Profit code repos technically have the same problem that GitHub has: they can be bought just like GitHub. Non-profits have to be infiltrated like the FSF or FSFE instead, which is harder.
“What’s lacking now is leadership, and though I think it would take more than putting Stallman in charge again (which is the right thing to do as the efforts to remove him were dishonest and corrupt, plus it would probably help) there doesn’t seem to be anybody who is doing a better job.”A decentralised, peer-to-peer means of hosting would be ideal, though currently the main project I know of related to hosting code that way is through feneas.org, which I already associate with the typical trend of Codes-of-Censorship (along with a “FOSS” manifesto which combined with their Code of Conduct is ultimately going to lead to a hardline, de facto “be nice to the Open Shills” policy. It’s not like there aren’t precedents.
Don’t get me wrong, so far the software looks good. But you can say the same for the GNU Project.
The importance of leaving GitHub is really not stressed enough by what’s left of the Free Software Foundation.
What’s lacking now is leadership, and though I think it would take more than putting Stallman in charge again (which is the right thing to do as the efforts to remove him were dishonest and corrupt, plus it would probably help) there doesn’t seem to be anybody who is doing a better job.
Unless “better” means “bigger events funded by Microsoft and Google”. No thanks, the Linux Foundation was doing that already, and it didn’t help at all.
Long live rms, and happy hacking. █
Licence: Creative Commons CC0 1.0 (public domain)
Not including the code snippet, which is from http://git.savannah.gnu.org/cgit/librejs.git/tree/build.sh
And if this article uses a parody of the GitHub logo based on the GNU head, I almost certainly used this one from Wikipedia.
Permalink
Send this to a friend
Content is available under CC-BY-SA