Microsoft gets a free pass for insecurity
“I don’t want a back door. I want a front door.” — Director of the National Security Agency (NSA), only days ago
Summary: All versions of Microsoft Windows are found to have been insecure since 1997, but the bug responsible for this is not named as a candidate for back door access, let alone named (with logo and marketing) like far less severe bugs in Free/libre software such as OpenSSL
WHILE many journalists still refuse to call out Windows (see this new piece from Dan Goodin, who writes about crackers hoarding Windows hosts by the millions — in botnets — while mentioning the word “Windows” only once, very deep inside the article), some have no choice but to acknowledge that not every single computer runs Windows and therefore we should call out Windows when it’s clearly to blame.
Although there is no “branding” yet (as Microsoft buddies from a Microsoft-linked firm like to do to Free/libre software bugs), there is a very serious bug in all versions of Windows (even the one still in development) that Microsoft’s allies at the NSA must be very happy about, especially as the bug is 18 years old (meaning that Windows has allowed remote access since 1997, or around the time Microsoft was seeking to appease the US government after it had shamelessly broken many laws).
The bug was found not by Microsoft but by this team (press release), which probably has no access to Windows source code. This wouldn’t be the first time it happens; recall how Google had to alert Microsoft for 3 months about a serious flaw while Microsoft did absolutely nothing (as if the intention was to keep Windows insecure, albeit secretly, very much like Apple).
ISPs should now restrict or ban Windows use, as it poses a huge risk (botnets and DDoS, never mind the risk to all data stored on machines running Windows). Here is some early coverage of this [1, 2], some correctly emphasising that it’s an 18-year-old vulnerability [1, 2].
Let’s see if this starts a big debate about the insecurity of proprietary software (as other bugs with “branding” did to Free software, by means of gross generalisation). This “New Security Flaw Spans All Versions Of Windows” (similar wording in this headline). 18 years, eh? It even predates 9/11. It’s older than some readers of this Web site.
Watch this disgraceful piece titled “Will Microsoft’s Security Measures in Windows 10 Tarnish Open-Source Development?”
Yes, it’s more propaganda; the disingenuous openwashing of Windows continues, as we’ll show in our next post. █
“Our products just aren’t engineered for security.”
–Brian Valentine, Microsoft executive
Image courtesy of Red Hat
Summary: Old news is ‘new’ again, as Microsoft-friendly media decides to keep knocking hard on the reputation of Free software, using words rather than substance
A YEAR ago there was a curious (first of its kind for Free/Open Source software) “branding” of a 2-year-old FOSS bug by a Microsoft-linked firm that did not even find the bug. An engineer from Google had found it and sought to responsibly disclose it so as to patch it properly before the Microsoft-linked opportunists blew the lid off and called it “Heartbleed”, set up a Web site to ‘celebrate’ the bug, and even made a professionally-prepared logo for it. This whole “Heartbleed” nonsense — however serious it may have been for a day — was blown out of all proportion in the media and tarnished the name of Free software because it was so ‘successfully’ marketed, even to non-technical people. It was a branding ‘success’ which many firms would later attempt to emulate, though never with the same degree of ‘success’ (where success means bamboozling the public, especially non-technical decision-making people).
“Dear journalists,” I said earlier today in social media (Diaspora), “bugs don’t have birthdays. Stop finding excuses to bring “Heartbleed” BS (MS name for old bug) to headlines.” I spoke to one author about it and challenged him for floating these “Heartbleed” logos and brands yet again. To us it seems quite evident that Microsoft keeps attacking Free software and GNU/Linux like no time before; it’s just more subtle and hidden in more sophisticated ways. The person who heads the incognito firm that’s known only for the “Heartbleed” brand (they control the brand) came from Microsoft (he was head of security there) and also from the FBI, whose stance on encryption is widely known by now; they actively seek to break the security of software, so knowing about the 2-year-old OpenSSL bug would make sense. Some reputable media reports said that the NSA had known about this bug for about a year before it was known to the public, and the NSA cooperates with the FBI on breaking software security, sharing personal (illegally intercepted) data, etc.
Anyway, the same publication (as above) also floated the “Heartbleed” nonsense in another article today. Would they do just about anything to keep it in headlines? Even a year later? They are now citing some firm called Venafi (never heard of it before), which basically relies on misleading misuse of statistics. It’s FUD from a company that tries to make money from perceived dangers and accentuates these dangers in an effort to acquire clients. What kind of ‘journalism’ is this? Incidentally, Black Duck is now joining the list of such parasitic companies, with new hires and multiple press releases, so clearly it’s a growth area and the Microsoft link is easy to see. It is FUD season again this spring as more publications now float this whole nonsense. This is hardly journalism; it’s just throwback.
Thankfully enough, Red Hat demonstrates what “branding” of FOSS bugs practically means, even using the image above. There is no correlation between the naming of bugs and their severity, but press coverage sure loves a good brand. This is an important (albeit belated) response from Red Hat to “branding” of a FOSS bug by Microsoft-linked firms like the one behind “Heartbleed”.
“It’s been almost a year since the OpenSSL Heartbleed vulnerability,” says Red Hat, “a flaw which started a trend of the branded vulnerability, changing the way security vulnerabilities affecting open-source software are being reported and perceived. Vulnerabilities are found and fixed all the time, and just because a vulnerability gets a name and a fancy logo doesn’t mean it is of real risk to users.”
Well, Microsoft folks sure squeezed everything they could from this bug, seeking to discredit not just OpenSSL but the whole development process of Free software (due to just one small bug, or a few lines of code). And Microsoft still pretends that it is warming up to Open Source? Who are these frauds kidding?
There are a lot of companies that continue to use platforms with back doors, such as Windows, but the Wintel-oriented media would rather we just obsess over this one bug from one year ago (which was patched as soon as it became publicly known).
We are rather disappointed to see a decent journalist like Sean Michael Kerner, along with colleagues at eWEEK, swallowing the bait and serving to promote the misleading claims to advertise this company that controls the “Heartbleed” brand, among other opportunists (like fish swimming around a shark for some leftovers). Microsoft must be laughing quite hard seeing all that media manipulation. █
Summary: Black Duck ups the ante on Free software-hostile messages, embeds FUD in the media almost instantaneously
THERE IS an attack on Free software going on, but it’s shrewdly disguised as ‘concern’ for Free software. We are led to believe that the problem is not proprietary software with back doors but Free software that may have bugs, especially bugs that users don’t bother to patch despite having the ability (or freedom) to do so. It’s free.
The other day we wrote about Black Duck entering the security FUD market, targeting Free software, as one ought to expect (it had already done the compliance FUD, neglecting to mention EULA-related issues in proprietary software). To repeat some facts for the uninitiated, Black Duck was started as an anti-GPL company, by its very own admission. Very shortly after hiring a parasite, whose company exploits security fears, Black Duck’s scope of FUD expands further and there’s an effort in the media to advertise this.
Darryl K. Taft, a booster of Microsoft, already helps this anti-GPL company (Black Duck) by doing this Microsoft-esque advertising at this very moment. Taft, who often promotes Microsoft PR, doesn’t mind covering something that seemingly relates to Free software if it makes Free software look bad. No wonder Black Duck came from Microsoft. Other Microsoft-boosting sites like TechFlash promoted this nonsense and spread it to media with broader reach. Watch how they wrongly describe Black Duck: “Burlington-based open-source software firm Black Duck software is making big bets on helping to make open-source software more secure for companies”
Black Duck is most definitely not an “open-source software firm”; it is an anti-Open Source software firm whose products are proprietary, with software patents that relate to them. This is the kind of openwashing that has become so common when it comes to proxies of Microsoft (Microsoft works together with Black Duck; it’s not just that Black Duck came from Microsoft).
Black Duck, as we noted the other day, had hired a key person from Veracode, whose output is mostly FUD even today. Right now it promotes itself on CBS and other networks by saying some nonsense about a nonsense buzzword (“Internet of Things”) that means nothing in particular. To quote the CBS tabloid: “In a new report released by enterprise security firm Veracode, researchers discovered during testing of common, household IoT devices that security is not up to scratch — paving the way for exploits, data theft, robbery and potentially even stalking.”
That is just some embedded marketing for a FUD firm, one whose co-founder is now inside Black Duck.
Truth be told, Black Duck is trying to diversify or re-brand itself as ‘pro-security’ as it did ‘pro-compliance’, but what it is really about is FUD. It uses fear, spreads existing fear to sell, creates more fear to sell, and overall it makes Free software look bad.
IDG is another large network that helped Black Duck advertise itself the other day. The headline is misleading because it says “Black Duck’s mission: To seek out insecure open source code in the enterprise”.
No, Black Duck’s mission is to sell its proprietary software by telling the press, enterprises etc. that Free software is not secure and needs some ‘medicine’ (Black Duck’s proprietary snake oil).
Here are the press releases from Black Duck [1, 2]. Clearly enough there is a media manipulation campaign going on and some journalists — other than Microsoft boosters disguised as ‘journalists’ — have already fallen for it. █
Summary: Two sources of fear uncertainty and doubt (FUD) against Free/Open Source software (FOSS) find themselves fused together
THE firm known as Black Duck recently admitted its roots in GPL FUD, not just in Microsoft (the founder’s employer for many years). Black Duck recently took advantage of perceptions of FOSS security issues (using bugs with “branding”) to market its proprietary software products. A press release now informs us that Veracode’s co-founder is joining Black Duck. We wrote about Veracode at Techrights several times before. Black Duck and Veracode have much in common, with examples such as security FUD that has “branding” to act as a stigma against Free software, as we recently (earlier this year) saw (both Black Duck and Veracode have been doing this in recent months). We are sure they’ll have a lot of experiences to share and many strategies to sell based on fear, or even to create this fear by appearing in the media with famous brands such as “GHOST”, “Shellshock”, and “Heartbleed”. █
Summary: Black Duck “was founded [on] the idea … to keep GPL-licensed code out of corporate codebases entirely,” according to a new report
TECHRIGHTS has spent nearly a decade battling Black Duck. This schizophrenic-looking firm (trying to come across as pro-FOSS), Black Duck, is the very prominent (and well-funded) entity which has been a source of endless GPL FUD, claiming that the GPL is declining, that it is dangerous, and that it oughtn’t be embraced by businesses.
This new article from Jon Gold of the FOSS-hostile NetworkWorld happens to provide us with wonderful evidence of the roots and the original goals/raison d’être of “Black Duck” (black agent would be a more suitable name). The article is titled “Open-source’s former ‘police’ now helping businesses adopt” (the latter is pure marketing and acceptance of Black Duck’s claims at face value).
Black Duck, founded by a marketing guy from Microsoft (see the image above for highlights from LinkedIn), is mostly a marketing company. It was never ‘police’ and it was never an authority; it was a parasite pretending to be about FOSS while harvesting software patents, badmouthing Free software, and even ripping off companies like Palamida, which had done work — very time-consuming work — collecting usage figures regarding GPLv3.
Gold’s article is useful to us because of the very revealing part which says: “Executive Vice President and CTO Bill Ledingham said that when the company was founded the idea was to keep GPL-licensed code out of corporate codebases entirely.”
So Black Duck, which was founded by a guy from Microsoft, was acting more like a mole, nothing else. It was fighting copyleft adoption. No need for speculations or hypotheses anymore.
In a similar vein, Microsoft’s support for Cyanogen (do not be misled by retractions after getting caught) serves to show another mole-like strategy. This new article by Miguel Helft (to appear next month in Forbes magazine) reminds us of the real goal of Cyanogen. To quote the headline: “Meet Cyanogen, The Startup That Wants To Steal Android From Google”
This sounds exactly like what Microsoft itself has been trying to do to Android (often via or with help from proxies like Facebook, Nokia, or Amazon). Do not think for a moment that Microsoft never tried to derail and topple Free software from the inside. There is a long history to that effect and we covered many examples over the years. █
Giving names to bugs to make them sound scary
Summary: Even the company that bombarded the media with its “GHOST” nonsense admits that this bug, which was fixed two years ago, does not pose much of a threat
TWO days ago we wrote about the self-promotional FUD campaign from Qualys, noting that it had been blown out of proportion, as intended all along by Qualys (which even gave it the name “GHOST” and paid for expensive press releases in corporate news). A Red Hat employee reveals that even Qualys itself realised that its pet PR/marketing charade, “GHOST”, is not much of a risk.
He said that “the people at Qualys that worked hard to hype GHOST into a doomsday bug had to admit that most software calling the gethostbyname function couldn’t be forced to exploit the bug. As they say themselves (from “the Qualys Security Advisory team”):
“Here is a list of potential targets that we investigated (they all call gethostbyname, one way or another), but to the best of our knowledge, the buffer overflow cannot be triggered in any of them:
apache, cups, dovecot, gnupg, isc-dhcp, lighttpd, mariadb/mysql, nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd, pure-ftpd, rsyslog, samba, sendmail, sysklogd, syslog-ng, tcp_wrappers, vsftpd, xinetd.”
“To put things in perspective see this [discussion],” he added. It’s LWN refuting Dan Goodin, the anti-GNU/Linux ‘security’ rhetoric person from Condé Nast (we took note of his coverage the other day).
“But as always,” added the guy from Red Hat, “the truth isn’t that clickbaiting…
“It was a bug. It has been fixed. But it wasn’t that simple to exploit. Patches are available and as it seems no one got hurt.” █
Ghostwriting a Qualys horror story for maximal FUD (fear, uncertainty, and doubt)
Summary: Responding to the media blitz which paints GNU/Linux as insecure despite the fact that bugs were evidently found and fixed
THERE IS something to be said about the “top” news regarding GNU/Linux. It’s not really news. The so-called “GHOST” publicity stunt needn’t be repeated by FOSS sites. It is about a bug which was patched two years ago, but some sites overlook this important fact and stick lots of spooky logos, playing right into the hands of Qualys, an insecurity firm (making money from lack of security or perception of insecurity).
We have watched the ‘news’ unfolding over the past day and a half, and now is a good time to explain what we are dealing with. The so-called “GHOST” (all capital letters!) bug is old. Qualys is digging into bugfixes from two years ago, giving a name to the bugfixes, then making plenty of noise (all over the news right now). Qualys does not look like a proxy of Microsoft or other GNU/Linux foes, but it is self-serving. Insecurity firms like Qualys probably learned that giving a name to a bug in GNU (SJVN mistakenly calls it “Linux”, but so do many others) would give more publicity, and people will pay attention to brands and logos rather than to substance. Just before Christmas an insecurity firm tried to do that with “Grinch” and it turned out to be a farce. SJVN says that this old “vulnerability enables hackers to remotely take control of systems without even knowing any system IDs or passwords.”
Well, it was patched back in 2013. Use of names for marketing is what makes it “news”; the opportunists even prepared a PRESS RELEASE and pushed it into ‘big’ sites like CNN. It has marketing written all over it, just like “Heartbleed”, which had strong Microsoft connections behind the disclosure. It is sad that Linux sites fall for this. Phoronix copies the press release as though it’s reliable rather than self-promotional. Michael Larabel writes: “The latest high-profile security vulnerability affecting Linux systems is within Glibc, the GNU C Library.”
It is not the “latest”; it is 2 years old. Larabel says that “Qualys found that the bug had actually been patched with a minor bug fix released on May 21, 2013 between the releases of glibc-2.17 and glibc-2.18.”
OK, so it’s not news. FOSS Force cites SJVN to amplify the scare and other FOSS sites are playing along as though this is top news. It oughtn’t be. It is already widely patched (maybe requiring a reboot), so let’s patch and move on (unless it was already patched upstream/downstream years ago). IDG has already published at least three articles about it [1, 2], including one from Swapnil Bhartiya, who is not too alarmist to his credit. He noted that “there was a patch released back on May 21, 2013, between the releases of glibc-2.17 and glibc-2.18. However it was not considered to be a security risk and thus major Linux distributions that offer long term support and get security updates remained vulnerable, including Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7 and Ubuntu 12.04.”
It affects very specific versions, mostly long-term support releases that already have reliable patches available. It should be clear that some headlines such as this or that clarify the limited scope of impact (not bad reporting) unlike the alarmist trolls.
What Techrights generally found was that early coverage came from so-called ‘security’ sites or blogs of insecurity firms that try to sell their services (e.g. [1, 2, 3]). These set the tone for many.
The response to this bug is proportional to the perceived danger (e.g. due to media hype), not the severity of the bug. Some security news sites [1, 2] focus on names and logos while facts remain only a side issue. This so-called “ghost” nonsense (some lines of code basically) was fixed 2 years ago and as the blog post “long term support considered harmful” explains it: “In theory, somebody at glibc should have noticed that fixing a buffer flow in a function that parses network data has security implications. That doesn’t always happen, however, for many reasons. Sometimes the assessment isn’t made; sometimes the assessment fails to consider all possible exploit strategies. Security bugs are “silently” fixed frequently enough (without evil intentions) that we should consider them a fact of life and deal with them accordingly.”
Some of the worst kind of coverage we found came from The Register with its flamebait headlines (scary headlines for maximum effect) and the troll Brian Fagioli. They are only some among many who are using the name to come up with puns and FUD. Jim Finkle is back to his GNU/Linux-hostile ‘reporting’, bringing this to the corporate media (there is some in the UK also) and LWN quickly cited the GNU/Linux-hostile Dan Goodin. He called “Highly critical” a bug that was patched two years ago.
Debunking some of the latest security FUD we had Fedora Magazine which stated “don’t be [worried], on supported Fedora versions.”
For unsupported versions there is a lot more than this one bug that one needs to worry about.
Apple fans were quick to take advantage of the news, despite the fact that Apple is leaving systems vulnerable for many months, knowingly (like Microsoft does, until Google steps in).
See, with proprietary systems one knows for a fact that there is no security. With GNU/Linux it is an open question and it depends on what measures one takes to keep it secure. For Apple and Microsoft security is not at all the goal; back doors and unpatched flaws are not really as “interesting” and important for them to patch as helping spying agencies is. Google is not at fault here; Google just saw that Apple and Microsoft had no plans to plug serious holes — a patch evidently wasn’t going to be made ready before the public found out about it, owing to Google. Apple chooses to blame Google; same as Microsoft. They should only blame themselves, both for the bugs and for negligence after the bugs were highlighted to them. There is no room here for properly comparing GNU/Linux (Free/libre) to OS X or Windows (proprietary) because evidence clearly shows that the latter are not interested in security and not pursuing security when it is trivially possible.
What we find curious amid the latest FUD campaign is that Apple back/bug doors are not as widely publicised as a GNU bug that was patched 2 years ago and mostly affects LTS systems (which already have patches available). “Nothing I can think of,” said a reader of ours about this media hype, “but the LTS model followed by RHEL and Ubuntu have different goals and purposes than the short, fast development cycle like OpenBSD.”
Nobody is forced to use an LTS release and those who choose it must be aware of the potential risk.
Regarding the other FUD that flooded the press in recent weeks, targeting for the most part Google and Android, our reader XFaCE wrote the following:
I assume you want to write about that new Android vulnerability. Basically I can see the narrative being pushed through three points
- Microsoft supported Windows XP/7/etc. for years, why doesn’t Google support old Android versions
- Google told Microsoft about a very old bug in their software, so they are hypocritical
- Heartbleed bug was fixed way back for 4.1.1
For the last point, it’s a bullshit comparison because
a) 4.1.1 was one point release where upgrading to 4.1.2 fixed the issue (it was already fixed back when 4.1.2 was released)
b) The fix was one file, as evidenced by XDA members patching it themselves on phones manufacturers refused to upgrade to 4.1.2 SOURCE: http://forum.xda-developers.com/showthread.php?t=2712916
c) As shown by the link, a lot of manufacturers DIDN’T update certain 4.1.1 devices to 4.1.2, hence proving Google’s point. The fix there was SIMPLE, but the OEMs didn’t bother to do it
With Webview, not only is webview involved, but so is the webkit rendering engine, so the fix for all those previous releases is much more complicated
As for the second point, Google did catch it, with KitKat, and furthermore made KitKat supported on more low-end devices so theoretically older 512mb or less devices could be updated
For example, HTC said (when Jelly Bean 4.1 came out) that they would not update any device with 512 mb of RAM (SOURCE: http://www.cnet.com/news/htc-one-v-and-desire-c-will-never-get-jelly-bean/ ), so naturally when KitKat came out, they updated those devices because the OS officially was designed for such low ram devices
“Later this year, the entry-level smartphone the HTC Desire 500, should also be seeing the KitKat update. However, the One X, One X+, One S, and One V will be left in the dust and will be receiving no more official updates from HTC.”
So the OEMs are at fault for not upgrading the devices, not Google, which leads to point 1 – Google doesn’t control the Android OEMs like Microsoft does. OEMs pay Microsoft for the support whereby Microsoft controls all updates; Google doesn’t get paid or have the agreement in that way
OEMs like HTC could easily fix this by porting Kitkat to those devices, but they won’t cause they want you to buy a new HTC phone or whatever phone brand
Techrights did not cover that (except in daily links) because it should be self-evident that free-of-charge Android upgrades make it inherently different from proprietary software and keeping up to date typically ensures security. A lot of the analogies (Android and Windows) were inherently flawed and the FUD rather shallow. █
Summary: The set of copyleft licences is at above 80% on SourceForge, but inclusion of repositories like CodePlex or GitHub tilts the overall picture
OVER the past 9 years several firms such as Black Duck came out of Microsoft, liaising with Microsoft and Microsoft proxies such as CodePlex to convincingly sell the illusion (or a self-fulfilling prophecy) that GPL is dying. We have covered this for nearly 7 years and not much has changed. Professional FUD triumphs. Redmonk, which Black Duck and Microsoft had both paid, recently promoted this nonsense using invalid (biased) data. Another company which is in the licence FUD business (monetising fear of perceived issues), a firm called Protecode, continues adding to these perceived issues by releasing a report about GitHub and SourceForge. Protecode, to its credit, shows that the GPL is still dominant. As Phoronix put it the other day:
Protecode’s numbers show the percentage of copyleft licenses on SourceForge to be above 80% while for GitHub the percentage was below 30%. Their results also indicate that the MIT license is the most popular on GitHub followed by the GPL. On SourceForge, however, the most common license for projects was the GPL.
GitHub is a relatively new site that is based on software from Linus Torvalds and his colleagues. There is nothing wrong with GitHub; I have two accounts there; one for work, one for personal projects. Where it fails to present a balanced view may actually be the lack of scaling based on project size, impact, etc. From what I am able to gather, GitHub is littered with lots of tiny projects, some without code, mostly Web-based code, plus branches, forks, etc. A lot of the very big projects are not hosted on GitHub and some are not at all hosted on third-party servers. They can be managed locally in businesses using git (as we do in the company my wife and I work for).
What’s worth noting is that Microsoft now approaches GitHub in the sense that it is willing to abandon Microsoft hosting for GitHub. That’s quite a thing given that the maker of git is also the maker of Linux and GitHub is predominantly Free software- and GNU/Linux-based.
Incidentally, based on LinkedIn, Stephen Walli seems to have left Microsoft (again). He was a key person in CodePlex and quite a mole inside the Free software community for a long time (we have written about him for 7 years). That departure might explain why we have seen no pro-Microsoft propaganda from him as of late and it may even be part of a broader exodus, including this news that may show CodePlex dying:
Microsoft hosts CodePlex as an open-source project hosting service where generally the Microsoft OSS projects call home, but it seems some of their own employees aren’t too happy with it and see a brighter future with GitHub.
Do any of our readers know more about the demise of CodePlex? Can it be put in numbers? █