
01.22.20

Linux Foundation (LF) Now Dominated by Lots of Microsoft People and LF Chiefs Join Microsoft in Smearing GPL/Copyleft

Posted in FUD, GNU/Linux, GPL, Law, Microsoft at 9:26 pm by Dr. Roy Schestowitz

Against the licence of Linux itself? They treat Free software like some ‘hippie’ thing, leaving the original developers institutionally homeless and without representation of any kind (except theoretic/symbolic).

A licence

Summary: We continue to see additional evidence which serves towards reinforcing our view that the so-called ‘Linux’ Foundation is actually hostile towards many things that are associated with Linux (unlike those looking to exploit/hijack Linux for proprietary ends)

THE freedom of all software is under attack. So-called ‘permissive’ licences are advocated by proprietary software giants, looking mostly to exploit and control projects. That much should not be surprising. It’s a widely known fact. Our debates with Microsoft managers have made it abundantly clear that Microsoft still isn’t tolerating the GPL and it has this ‘offshoot’ called Black Duck (there have been several more since it was acquired), whose management came from Microsoft and admitted that its original goal was to discourage GPL adoption. Black Duck is so toxic that Simon Phipps kicked these people out; he ejected them from OSI and rejected their money, whereas Jim Zemlin welcomed them. What does that say about him?

About a week ago we learned there was an article on the way that related to things we had published (not about Black Duck; FOSS Force really ought to write something about Black Duck’s history). Earlier this week it finally came out; it was Bruce Byfield’s thought-provoking piece about the Linux Foundation. Byfield notes that the “Linux Foundation has not only accepted Microsoft as a Platinum member, but awarded it two seats on the board of directors: one representing Microsoft directly, and the other representing the Microsoft-owned GitHub.”

That’s not indirectly, that is Microsoft directly. The new PR trick is for companies to pretend to be smaller than they are (Alphabet Google does this too, e.g. YouTube).

Notice how they get more seats over time. It’s all about money.

Also, remember that the Vice Chair (of the Board) worked for Microsoft and there are Microsoft developers in key positions, cushioned by Greg K-H, who himself worked indirectly for Microsoft (or on Microsoft projects) while on Novell/Microsoft payroll.

The interesting part — to me at least — is in the comments/discussion. For those who don’t know, Chris Aniszczyk is “currently a CTO at the Linux Foundation” (according to him). Notice what he wrote.

So the chief technical person of the LF, which has Microsoft et al in key positions, publicly spreads GPL FUD, citing Microsoft proxies as his source. LF staff is now joining Microsoft in attacking the GPL, even in public. Not just any staff but chief staff of the LF, echoing Microsoft-connected (WhiteSource/Black Duck) FUD against the GPL. It’s consistent with some stuff we saw in the past and commenters such as “Mike” respond:

> “Does the FSF or SFC have corporate member or developer seats or just individual seats only? It seems you are only hearing one side of the story that’s inaccurate.”

That’s pretty ironic considering what the Linux Foundation did to its community representation. The Linux Foundation tells only the corporate side of the story. Like any corporation, trusting them with your well-being is a stupid thing to do.

“Mike” responds to Bruce Byfield as well:

The *relative* decline of GPL and copyleft is only natural when viewed in terms of volume of code being produced.

There is far more corporate funded code than ever before – and that code is almost universally stamped with ‘permissive’ licenses. Lots more open-washing today than ever.

There are plenty of new copyleft projects out there, but that doesn’t fit the corporate driven narrative.

Licence popularity-wise, Microsoft proxies (WhiteSource/Black Duck) are mostly measuring things based on Microsoft GitHub (it is a proprietary trap for corporate exploitation). We’ve complained about this for half a decade or longer. But even other Microsoft-sponsored ‘analysts’ do the same thing, treating anything that Microsoft does not control as though it does not exist and ought not be counted. Should it be surprising that copyleft-leaning projects (e.g. GNU) aren’t interested in the proprietary trap which is GitHub? That’s like measuring collective societal wealth based only on who shops at Hugo Boss stores/outlets. The picture one sees is distorted by the narrowness of the target audience/client base.

Mike’s replies make sense. And Chris then responds to Chris, more or less nailing it, arguing that the LF “treats desktop Linux users, as well as users of open source software on Linux and other operating systems, as orphans…”

We’ve said something similar several times in the past.

Here’s the full comment:

To me the point is that the Linux Foundation is doing nothing whatsoever to advance desktop Linux, and treats desktop Linux users, as well as users of open source software on Linux and other operating systems, as orphans, even though they were the first boosters of Linux development. At LF, if it’s not software being developed for commercial and enterprise users, or if it’s designed to be used on a desktop or laptop instead of in a data center or industrial device, it doesn’t exist.

Bruce Byfield did note: “A more cynical interpretation is that, from its very start, the Linux Foundation has been a slow coup, gradually usurping an authority to which it has no right. Ask me on alternate days which one I believe.”

Byfield also mentioned how he had lost his job at Linux.com. Less than a year ago the same thing happened all over again (the LF fired all staff and editors without so much as prior notice). The site has not been the same since. It’s an embarrassment and it is pretty dormant.

What Byfield says about the “slow coup” makes sense. This may not be a deliberate thing, but unwittingly the LF let entryism be ‘welcomed’ or ‘tolerated’ in the Board, not foreseeing the negative effects on the ‘pragmatic’ and PR front. What good is an institution which does not guard its mission statement and spirit and only counts money, even from its biggest opponents?

12.31.19

With Byfield at the Wheel FOSSForce is a Force Against Richard Stallman (and What GNU Stands for)

Posted in Free/Libre Software, FSF, FUD, GNU/Linux at 7:49 am by Dr. Roy Schestowitz

A site of butterflies doesn’t need worms which will never mature and develop into butterflies

FOSSForce butterflies
B.B. will never become a butterfly because he spent a decade and a half attacking pro-FOSS people

Summary: It’s a bit perplexing; FOSSForce spent a number of years passionately campaigning for FOSS, but nowadays it’s mostly run by a person with an anti-FOSS history

THE site FOSSForce has historically been a very good one. I get along rather well with its founder, and I did an interview there (with the former editor of Linux.com, who unfortunately died about a year later). The site’s tone changed less than a year ago after a long period of complete silence. In 2019 it became active again. No articles at all in 2018 and 23 articles this year, about 19 of them composed by the same person, the Stallman-bashing Bruce Byfield, who in yesterday’s article wrote about Stallman that he “has had an injured tendon in his leg since 1998.”

What does that have to do with verbal and intellectual advocacy of GNU? He’s not an athlete.

We’ve repeatedly seen many condemnations (e.g. in social control media) of his articles about Stallman, at times name-calling in response to apparent mischaracterisations. Over a decade ago Byfield misattributed rude quotes to me (making me look bad based on things I never even said!) and often sparred with us, defending Mono, Microsoft, Novell, OOXML and so on (overlapping the Jono Bacon modus operandi). He also sparred with Groklaw. For a while he wrote “GNU/Linux”, but he no longer does. Byfield nowadays writes many “hit pieces” on Stallman and he did at least one on us (for Linux.com a very long time ago).

I will fondly remember the FOSSForce of Christine, Phil, Robin and Ken. But Bruce? No thanks.

12.19.19

The Register Has Been Mostly Microsoft Propaganda Disguised as ‘News’ After That Microsoft Partnership (Money)

Posted in Deception, FUD, GNU/Linux, Microsoft at 6:13 am by Dr. Roy Schestowitz

Perception management operations ‘on the cheap’ (mere ‘slush funds’ to Microsoft)

I can see Microsoft critics. We don't need to refute our critics if we can just bribe them.

Summary: The Register (or El Reg) is becoming more of a Microsoft megaphone again; it all makes sense if one goes back a decade and a half to their Microsoft partnership (preceded by a lot of harsh criticisms of Microsoft)

THE VARIOUS “Linux” podcasts have lately spoken quite a bit about “WSL”; it seems like a coordinated charm offensive, facilitated partly by Microsoft and partly by Canonical. Similarly, in recent days we saw Red Hat pushing .NET quite a few times and some Python podcasts had Microsoft as guests. It’s very clear Microsoft tries to dominate the discussion in order to push Windows, Visual Studio, GitHub, Azure and so on.

“The Register on ‘Microsoft Linux’,” one reader wrote to us last night, is a trend worth taking stock of. “We would be familiar with the typical Microsoft strategy,” he explained. “In this case, ‘partner’ with a Linux company, generate some mindshare goodwill, then make sure the Linux subsystem isn’t any use and will only run on Windows.”

He cited yesterday’s article about “multipass” — a project Canonical released on… Microsoft GitHub. And guess whose agenda the article promotes….

As our reader put it (somewhat rudely): “What the fuck was Canonical thinking in ‘partnering’ with the borg?”

He also took note of Canonical’s decision to give Microsoft money for WSL’s propaganda outlet. We alluded to this before.

“This is what Lenin referred to supporters of Soviet-ism in the west as: ‘useful idiots’,” our reader asserted, pointing to some of the culprits (we’ll try to keep this impersonal and therefore redact some bits).

No, we haven’t missed the irony of Microsoft lovers with virtually no history in GNU/Linux development taking the ‘lead’ on this. Nor have we overlooked their disdain for GNU/Linux and tacit support for Microsoft's patent blackmail against GNU/Linux. This is what WSL is. These are the people who take the lead! The managers…

Back to our reader: “Censorship at The Register” has meanwhile been claimed as well. They apparently censor a lot of comments that don’t suit the narrative Microsoft wants. “Do an article on what advertising revenue (bribery) The Register gets from Microsoft, same with ZDNet and the rest,” the reader said.

We actually wrote a lot about that in the past. Heck, we have a whole wiki page with articles about ZDNet — a site I repeatedly encourage people to boycott (nowadays it’s managed by a Microsoft fan, not even a closeted one, who writes clickbait headlines, and we know for whose agenda).

Our reader is certainly aware. It’s difficult not to notice.

“I have a new slogan for The Register,” he said. “The Register, whatever you do, don’t mention ‘MICROSOFT’. I’m afraid the Reg has gone bad for a long time. The only time you read about Linux is in relation to the MICROSOFT Linux sub-system, or Linux in relation to malware, but when it’s on Windows then it’s referred to as “banking” malware, else they keep pushing ‘cloud’ solutions.”

A lot of their “Linux” or “FOSS” coverage (more so nowadays) comes from Microsoft Tim, just like Microsoft Peter (the pedophile) at Ars Technica up until his arrest. Their whole “Open Source” section was nothing except Microsoft lies and marketing. Literally all of it was just that when he was arrested. Need we mention that Ars Technica UK was — by admission/confession made to me by its editor — funded by Microsoft? Guess what dominated that site until it perished…

But let’s go back to The Register. Microsoft Tim’s case merits a post of his own. It’s like Microsoft took journalistic authority over “Linux” and “FOSS”. It calls the shots and sets the tone/narrative at The Register. Another person who once had this role, Ashley Vance, is nowadays doing propaganda pieces for Microsoft at even larger publishers (like some mythical Arctic vault — basically fake news that helped distract from ICE controversies).

The reader suggested doing this search or that search. Find a negative article below…

Microsoft puff pieces

Microsoft Windows puff pieces

Need we remind readers that back in the old days The Register was renowned for Microsoft criticism?

Then Microsoft struck a partnership with The Register (yes, money involved).

We would need to unearth that old article about the El Reg-Microsoft partnership. “Probably found in the 2003 or 2004 series,” an associate of ours recalls, “but just as an announcement… not necessarily a main article.”

These things are hard to find after all these years. I’ve also noticed it’s hard to find announcements of Bill Gates bribes (payments to particular publishers), which they openly disclose initially, because once they’re paid they googlebomb the relevant search phrases with puff pieces (paid-for lies). It’s a real problem and it goes beyond advertising money. In the past we also showed examples of Bill Gates paying publishers critical of him and of Microsoft; soon afterwards they deleted all those past articles. It seemed rather clear what they were paid for.

12.08.19

You Know WSL is Bad for GNU/Linux Because Anti-Linux People, Microsoft and Its Propagandists, Want People to Use That

Posted in FUD, GNU/Linux, Microsoft at 6:06 am by Dr. Roy Schestowitz

The latest POPAganda from Microsoft

Hi, Microsoft. Yes, Bogdan Popa here. Yes, I will say WSL is the 'new Linux'.
Another day, another pattern of FUD and deception from longtime Microsoft boosters

Summary: Microsoft and its boosters (and media partners) haven’t grown tired of spreading falsehoods to stigmatise and take control of GNU/Linux by creating their own versions and traps for it

THE ATTACK on GNU/Linux is very easy to see. Anyone who’s remotely familiar with “embrace”-”extend” (the third E has variants) can see it and smell it from a mile.

To smooth the gears of this latest EEE scheme Microsoft relies on a bunch of ‘fake news’ and lies (such as Microsoft “loving” everything). They also spread the lie that Microsoft is suddenly loved by all, the ‘new Microsoft’…

The lies are spread by a handful of people (one of whom was arrested earlier this year for sexually assaulting children) and they’re writing from the same ‘script’ (probably the same staff; there are private communications with Microsoft’s PR operatives inside and outside Microsoft’s headquarters).

WSL is not GNU/Linux but an assault on the platform, the classic EEE pattern. Just see the views of the program managers. They think it’s perfectly fine for Microsoft to blackmail and assault GNU/Linux with software patents. These are not Linux-loving (heh. Love?) people and they’re not friends. They pick an existing thing, first GNU only and soon Linux too, then “extend” it with Windows-only “goodies”. This is already happening. There’s an “extend”.

Now comes SJVN with misleading clickbait (“Canonical makes Ubuntu for Windows SubSystem for Linux a priority”). Don’t be alarmed. It’s untrue. That’s a falsehood, promoted if not by SJVN himself then by someone above him (they change his headlines and articles, sometimes censoring what he originally wrote). It’s hard to tell for sure who’s responsible for this, maybe the editor of ZDNet, who is very close to Microsoft (he even does a podcast with Microsoft agents). When I posted the link in Diaspora I received one immediate response saying, “no surprise that zdnets title is clickbaitish. they are sinking real resources into this, which is lousy, but title implies they are putting this ahead of other things. thats a stretch.”

“Making Ubuntu better on the Windows desktop is unfree,” wrote another person, “and a serious step backward.”

They’re actually making it sound like Canonical now prioritises WSL over standalone GNU/Linux.

This is a good example of what’s often called ‘fake news’. What’s the ‘meat’ of it all? Well, they hired someone (to join a company with several hundred employees). There’s one single job advertisement for one single person (less than 0.5% of the technical staff) and as far as we know, the original person who worked on this for Canonical left the company (we don’t want to name him or the person they’ve hired). In fact, maybe the vacancy is due to someone quitting or some sort of “goodwill gesture” to Microsoft. Whatever it is, that didn’t stop the Microsoft boosters from raving with ‘fake news’. Microsoft propagandists are having a field day over it and each time they promote WSL — as Softpedia’s Microsoft mole Bogdan Popa has just done (he’s still attacking and smearing GNU/Linux routinely) — they reaffirm the fact that it’s an anti-GNU/Linux move. Popa’s article does not deserve traffic as it’s trollish and basically a bunch of lies. So the link is omitted; but the headline says “Canonical loves Windows 10″ (in case someone is desperate enough to read fabricated ‘news’).

It’s similar to the “Microsoft loves Linux” lie and the subtlety here sort of tries to imply that “Linux loves Windows or Microsoft” (“Canonical loves Windows 10″). Is this reciprocal? Ask people who actually develop and/or use GNU/Linux.

Jim Zemlin said a year ago, “Open Source Loves Microsoft”…

Just ignore the fact that Zemlin himself prefers proprietary software and speaks neither for Open Source nor for Linux. He speaks for Microsoft more than he speaks for either of these. So does his wife (top Microsoft partner).

“Microsoft has a master plan for open source and it’s not good. Open Source is about Freedom, not control. Don’t you all think it’s a little suspicious what Microsoft paid for GitHub?”

Eren Niazi, Creator of Open Source Storage

12.07.19

From Moderate Advice to FUD and Misinformation: The Case of a VPN Vulnerability (CVE-2019-14899)

Posted in FUD, GNU/Linux, Security at 1:16 pm by Dr. Roy Schestowitz

Sometimes it morphs into “Linux” and a false description of what’s happening

VPN fake news

Summary: What should have been a trivial bugfix in a variety of operating systems and bits of software — both proprietary and Free software — somehow became anti-Linux FUD, clickbait and worse

EARLIER in the week I saw a report about CVE-2019-14899. There was nothing exciting about it. I mentioned it briefly and then moved on. But the following day and especially two days later (after the announcement [1]) the press was absolutely flooded with reports, especially from insecurity companies and anti-Linux sites [2-22]. At times even deliberate lies were spread [23] (there are no attacks). See below a roughly chronological list/timeline. The initial report was calm and rational.

When one carefully examines what’s at stake, the patching status (it’s not a zero-day hole), the severity and risk level etc. one begins to wonder what motivated all this attention. Much more severe issues are discovered every week, never mind every month.

We first mentioned this 2 or 3 days ago, without even filing it as a high-priority Daily Links pick. The only shocking thing isn’t the bug but the level of media attention it has received. This is not the first time such a thing has happened. When similar issues affect Windows the media just describes these as “computer issues” or “PC” issues.
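The “patching status” matters more than the headlines, and the disclosure quoted below (item 1) names the two concrete knobs: the rp_filter default that systemd’s 50-default.conf moved from strict to loose, and a PREROUTING rule that drops packets addressed to the VPN’s virtual IP when they arrive on the physical interface. The script below is an added example for readers who want to check their own box; it is not code from Techrights, from the researchers, or from any distribution. It reads a sysctl-style tree (so it can be pointed at a test directory instead of /proc) and only prints the firewall rule rather than applying it. The interface names wlan0/tun0 are assumptions; 10.8.0.8 is the virtual IP used in the disclosure’s lab set-up.

```shell
#!/bin/sh
# Added example, not code from Techrights or from the CVE-2019-14899
# researchers. (1) Audit the rp_filter setting the disclosure ties to the
# attack, reading a sysctl-style tree so it also runs against a copy or a
# test directory. (2) Build, but do not apply, a PREROUTING drop rule of
# the kind the disclosure describes. Interface names and the address used
# in the stand-alone run are assumptions for illustration.

# Map a Linux rp_filter value to its documented meaning
# (0 = off, 1 = strict, 2 = loose).
rp_filter_mode() {
    case "$1" in
        0) echo off ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo unknown ;;
    esac
}

# Effective rp_filter for one interface. The kernel applies the higher of
# conf/all/rp_filter and conf/<iface>/rp_filter, so all=2 with wlan0=1
# still leaves wlan0 in loose mode (2). Missing files count as 0.
rp_filter_effective() {
    dir="$1"; iface="$2"
    all=$(cat "$dir/all/rp_filter" 2>/dev/null || echo 0)
    own=$(cat "$dir/$iface/rp_filter" 2>/dev/null || echo 0)
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# Print "<iface> <mode>" for every real interface under $1
# (default /proc/sys/net/ipv4/conf), skipping the all/default entries.
# Exit status 1 if any interface is not strict, 0 if all are strict.
rp_filter_audit() {
    dir="${1:-/proc/sys/net/ipv4/conf}"
    rc=0
    for d in "$dir"/*/; do
        iface=$(basename "$d")
        case "$iface" in all|default) continue ;; esac
        [ -r "$d/rp_filter" ] || continue
        mode=$(rp_filter_mode "$(rp_filter_effective "$dir" "$iface")")
        printf '%s %s\n' "$iface" "$mode"
        [ "$mode" = strict ] || rc=1
    done
    return $rc
}

# Emit an iptables rule that drops packets addressed to the VPN's virtual
# IP ($2) when they arrive on the physical interface ($1) instead of through
# the tunnel. The raw table's PREROUTING chain sees them before the stack
# can answer with a RST or a challenge ACK, which is what the probes in the
# disclosure rely on. Echoed only; run the output as root to apply it, and
# add an equivalent ip6tables rule for the IPv6 virtual address, since the
# disclosure notes the attack works over IPv6 as well.
vpn_prerouting_drop_rule() {
    printf 'iptables -t raw -I PREROUTING -i %s -d %s -j DROP\n' "$1" "$2"
}

# Stand-alone use: `sh thisfile.sh --run` audits the live system and prints
# the rule for an assumed wlan0 uplink and the 10.8.0.8 virtual IP.
if [ "${1:-}" = --run ]; then
    rp_filter_audit || echo 'WARNING: at least one interface is not in strict mode'
    vpn_prerouting_drop_rule wlan0 10.8.0.8
fi
```

Note that the audit is deliberately conservative: because the kernel takes the maximum of the `all` and per-interface values, fixing only `net.ipv4.conf.wlan0.rp_filter=1` does nothing while `net.ipv4.conf.all.rp_filter` is still 2, which is exactly the trap the systemd default change set up. The drop rule is the belt to go with that brace; the disclosure itself cautions that neither fully closes the inference channel.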

Related/contextual items from the news:

  1. VPN hijacking on Linux (and beyond) systems
    Hi all,
    
    I am reporting a vulnerability that exists on most Linux distros, and
    other  *nix operating systems which allows a network adjacent attacker
    to determine if another user is connected to a VPN, the virtual IP
    address they have been assigned by the VPN server, and whether or not
    there is an active connection to a given website. Additionally, we are
    able to determine the exact seq and ack numbers by counting encrypted
    packets and/or examining their size. This allows us to inject data into
    the TCP stream and hijack connections.
    
    Most of the Linux distributions we tested were vulnerable, especially
    Linux distributions that use a version of systemd pulled after November
    28th of last year which turned reverse path filtering off. However, we
    recently discovered that the attack also works against IPv6, so turning
    reverse path filtering on isn't a reasonable solution, but this was how
    we discovered that the attack worked on Linux.
    
    Adding a prerouting rule to drop packets destined for the client's
    virtual IP address is effective on some systems, but I have only tested
    this on my machines (Manjaro 5.3.12-1, Ubuntu 19.10 5.3.0-23). This
    rule was proposed by Jason Donenfeld, and an analogous rule on the
    output chain was proposed by Ruoyu "Fish" Wang of ASU. We have some
    concerns that inferences can still be made using slightly different
    methods, but this suggestion does prevent this particular attack.
    
    There are other potential solutions being considered by the kernel
    maintainers, but I can't speak to their current status. I will provide
    updates as I receive them.
    
    I have attached the original disclosure I provided to 
    distros@vs.openwall.org and security@kernel.org below, with at least
    one critical correction: I originally listed CentOS as being vulnerable
    to the attack, but this was incorrect, at least regarding IPv4. We
    didn't know the attack worked against IPv6 at the time we tested
    CentOS, and I haven't been able to test it yet.
    
    
    William J. Tolley
    Beau Kujath
    Jedidiah R. Crandall
    
    Breakpointing Bad &
    University of New Mexico
    
    
    *************************************************
    
    
    **General Disclosure:
    
    We have discovered a vulnerability in Linux, FreeBSD, OpenBSD, MacOS,
    iOS, and Android which allows a malicious access point, or an adjacent
    user,  to determine if a connected user is using a VPN, make positive
    inferences about the websites they are visiting, and determine the
    correct sequence and acknowledgement numbers in use, allowing the bad
    actor to inject data into the TCP stream. This provides everything that
    is needed for an attacker to hijack active connections inside the VPN
    tunnel.
    
    This vulnerability works against OpenVPN, WireGuard, and IKEv2/IPSec,
    but has not been thoroughly tested against tor, but we believe it is
    not vulnerable since it operates in a SOCKS layer and includes
    authentication and encryption that happens in userspace. It should be
    noted, however, that the VPN technology used does not seem to matter
    and we are able to make all of our inferences even though the responses
    from the victim are encrypted, using the size of the packets and number
    of packets sent (in the case of challenge ACKs, for example) to
    determine what kind of packets are being sent through the encrypted VPN
    tunnel.
    
    We have already reported a related vulnerability to Android earlier
    this year related to the issue, which resulted in the assignment of
    CVE-2019-9461, however, the CVE strictly applies to the fact that the
    Android devices would respond to unsolicited packets sent to the user’s
    virtual IP address over the wireless interface, but this does not
    address the fundamental issue of the attack and did not result in a
    change of the reverse path settings of Android as of the most recent
    security update.
    
    This attack did not work against any Linux distribution we tested until
    the release of Ubuntu 19.10, and we noticed that the rp_filter settings
    were set to “loose” mode. We see that the default settings in
    sysctl.d/50-default.conf in the systemd repository were changed from
    “strict” to “loose” mode on November 28, 2018, so distributions using a
    version of systemd without modified configurations after this date are
    now vulnerable. Most Linux distributions we tested which use other init
    systems leave the value as 0, the default for the Linux kernel.
    
    We have described the procedure for reproducing the vulnerability with
    Linux and included a section illustrating the differences in
    architecture.
    
    
    
    There are 3 steps to this attack:
    
    1. Determining  the  VPN  client’s virtual IP address
    2. Using the virtual IP address to make inferences about active
    connections
    3. Using the encrypted replies to unsolicited packets to determine the
    sequence and acknowledgment numbers of the active connection to hijack
    the TCP session
    
    
    
    There are 4 components to the reproduction:
    
    1. The Victim Device (connected to AP, 192.168.12.x, 10.8.0.8)
    2. AP (controlled by attacker, 192.168.12.1)
    3. VPN Server (not controlled by attacker, 10.8.0.1)
    4. A Web Server (not controlled by the attacker, public IP in a real-
    world scenario)
    
    The victim device connects to the access point, which for most of our
    testing was a laptop running create_ap. The victim device then
    establishes a connection with their VPN provider.
    
    The access point can then determine the virtual IP of the victim by
    sending SYN-ACK packets to the victim device across the entire virtual
    IP space (the default for OpenVPN is 10.8.0.0/24). When a SYN-ACK is
    sent to the correct virtual IP on the victim device, the device
    responds with a RST; when the SYN-ACK is sent to the incorrect virtual
    IP, nothing is received by the attacker.
    
    To quickly demonstrate this difference, we use the nping commands on
    the AP device running create_ap. The source IP is the gateway of our
    AP, the destination IP is the virtual IP assigned to the tun interface
    by the VPN client, ap0 is the interface create_ap created on the
    attacker device, and the destination MAC is the victim’s wireless MAC
    address.
    
    For example:
    
    The correct address generates a RST from the victim:
    
    nping --tcp --flags SA --source-ip 192.168.12.1 --dest-ip 10.8.0.8 --rate 3 -c 3 -e ap0 --dest-mac 08:00:27:9c:53:12
    
    The incorrect address does not elicit a response from the victim:
    
    nping --tcp --flags SA --source-ip 192.168.12.1 --dest-ip 10.8.0.9 --rate 3 -c 3 -e ap0 --dest-mac 08:00:27:9c:53:12
    
    Similarly, to test if there is an active connection for any given
    website, such as 64.106.46.56, for example, we send SYN or SYN-ACKs
    from 64.106.46.56 on port 80 (or 443) to the virtual IP of the victim
    across the entire ephemeral port space of the victim. The correct four-
    tuple will elicit no more than 2 challenge ACKs per second from the
    victim, whereas the victim will respond to the incorrect four-tuple
    with a RST for each packet sent to it.
    
    To quickly test this, we suggest creating a netcat connection on the
    victim device, such as this:
    
    nc -p 40404 64.106.46.56 80
    
    The correct four-tuple generates challenge ACKs
    
    nping --tcp --flags SA --source-ip 64.106.46.56 -g 80 --dest-ip 10.8.0.8 -p 40404 --rate 10 -c 10 -e ap0 --dest-mac 08:00:27:9c:53:12
    
    The incorrect four-tuple generates a single RST for each packet sent:
    
    nping --tcp --flags SA --source-ip 64.106.46.56 -g 80 --dest-ip 10.8.0.8 -p 40405 --rate 10 -c 10 -e ap0 --dest-mac 08:00:27:9c:53:12
    
    Finally, once the attacker determined that the user has an active TCP
    connection to an external server,  we will attempt to infer the exact
    next sequence number and in-window acknowledgment number needed to
    inject forged packets into the connection. To find the appropriate
    sequence and ACK numbers, we will trigger responses from the client in
    the encrypted connection found in part 2. The attacker will continually
    spoof reset packets into the inferred connection until it sniffs
    challenge ACKs. The attacker can reliably determine if the packets
    flowing from the client to the VPN server are challenge ACKs by looking
    at the size and timing of the encrypted responses in relation to the
    attacker's spoofed packets. The victim’s device will trigger a TCP
    challenge ACK on each reset it receives that has an in-window sequence
    number for an existing connection. For example, if the client is using
    OpenVPN to exchange encrypted packets with the VPN server, then the
    client will always respond with an SSL packet of length 79 when a
    challenge ACK is triggered.
    
    The attacker must spoof resets to different blocks across the entire
    sequence number space until one triggers an encrypted challenge ACK.
    The size of the spoof block plays a significant role in how long the
    sequence inference takes, but should be conservative as to not skip
    over the receive window of the client. In practice, when the attacker
    thinks it sniffs an encrypted challenge-ACK, it can verify this is true
    by spoofing X packets with the same sequence number. If there were X
    encrypted responses with size 79 triggered, then the attacker knows for
    certain it is triggering challenge ACKs (at most 2 packets of size 79
    per second).
    
    After the attacker has inferred the in-window sequence number for the
    client's connection, they can quickly determine the exact sequence
    number and in-window ACK needed to inject. First, they spoof empty
    push-ACKs with the in-window sequence while guessing in-window ACK
    numbers. Once the spoofed packets trigger another challenge-ACK, an in-
    window ACK number is found. Finally, the attacker continually spoofs
    empty TCP data packets with the in-window ACK and sequence numbers as
    it decrements the sequence number after each send. The victim will
    respond with another challenge ACK once the attacker spoofs the exact
    sequence number minus one. The attacker can now inject arbitrary
    payloads into the ongoing encrypted connection using the inferred ACK
    and next sequence number.
    
    This can be tested by observing the behavior from this sequence of
    commands, continuing with the same four-tuple:
    
    Using the four-tuple from the previous steps, we send RSTs in the
    sequence number range in blocks of 50,000 until we trigger a challenge
    ACK.
    
    nping --tcp --flags R --source-ip 64.106.46.56 -g 80 --dest-ip 10.8.0.8
    -p 40404 --rate 10 -c 10 -e ap0 --dest-mac 08:00:27:9c:53:12 --seq [SEQ
    RANGE]
    
    If the packet lands in-window, the victim will respond with at most 2
    challenge ACKs per second. These packets are still encrypted and
    originate from the virtual interface, unlike with Android, but we can
    still determine the contents of these packets by their size. The
    encrypted challenge ACK packets are larger than the encrypted RST
    packets. You can run tcpdump on the victim machine to accelerate the
    testing of this process by viewing the actual sequence and
    acknowledgement numbers.
    
    After we have found an in-window sequence number, we locate an in-
    window acknowledgement by spoofing empty PSH-ACKs with the in-window
    sequence number and guessing the acknowledgement number by dividing the
    acknowledgement number space into eight blocks. In most instances,
    seven of these blocks will trigger challenge ACKs, but one of them will
    not, which allows us to quickly determine which block falls within the
    acknowledgement window. We are interested in the block that does not
    respond with a challenge ACK. This behavior can be observed by using an
    in-window sequence number and an acknowledgement number in the block
    containing the correct acknowledgement number.
    
    nping --tcp --flags PA --source-ip 64.106.46.56 -g 80 --dest-ip
    10.8.0.8 -p 40404 --rate 10 -c 10 -e ap0 --dest-mac 08:00:27:9c:53:12
    --seq 12345678 --ack [ACK RANGE]
    
    Finally, using the in-window sequence and acknowledgement numbers, we
    spoof empty PSH-ACKs using the same in-window acknowledgement number
    and decrementing the sequence number until we trigger another challenge
    ACK. This sequence number is one fewer than the next expected sequence
    number. We can then arbitrarily inject data into the active TCP
    connection.
    
    Continuing with our toy example:
    
    nping --tcp --flags PA --source-ip 64.106.46.56 -g 80 --dest-ip
    10.8.0.8 -p 40404 --rate 10 -c 10 -e ap0 --dest-mac 08:00:27:9c:53:12
    --seq [EXACT] --ack [IN-WINDOW] --data-string "hello,world."
    
    
    
    **Operating Systems Affected:
    
    Here is a list of the operating systems we have tested which are
    vulnerable to this attack:
    
    Ubuntu 19.10 (systemd)
    Fedora (systemd)
    Debian 10.2 (systemd)
    Arch 2019.05 (systemd)
    Manjaro 18.1.1 (systemd)
    
    Devuan (sysV init)
    MX Linux 19 (Mepis+antiX)
    Void Linux (runit)
    
    Slackware 14.2 (rc.d) 
    Deepin (rc.d)
    FreeBSD (rc.d) 
    OpenBSD (rc.d) 
    
    This list isn’t exhaustive, and we are continuing to test other
    distributions, but made sure to cover a variety of init systems to
    show this is not limited to systemd.
    
    
    
    **Operating System Variations:
    
    The behavior is slightly different on other operating systems. Here is
    a summary of the differences:
    
    Android: In the first phase of the attack, Android responds with
    unencrypted RSTs to unsolicited SYN-ACKs for the correct port and ICMP
    packets for the incorrect one. For the second phase, it will respond
    with RSTs on the correct four-tuple.
    
    MacOS/iOS: The first phase of the attack does not work as described
    here, but you can use an open port on the Apple machine to determine
    the virtual IP address. We use port 5223, which is used for iCloud,
    iMessage, FaceTime, Game Center, Photo Stream, and push notifications
    etc.
    
    We know the phone will communicate with one of the push notification
    servers on port 5223, and have observed that on MacOS, the port used on
    the victim device is not the same as the port used to connect to the
    VPN server, but is very close (in our testing it has always been within
    10).
    
    nping --tcp --flags SA --source-ip 17.57.144.[84-87] -g 5223 --dest-ip
    10.8.0.8 -p [X] --rate 3 -c 3 -e ap0 --dest-mac 08:00:27:9c:53:12
    
    iOS devices do not follow this convention for choosing the client’s
    source port, but always choose a port between ~48000-50000 (our
    testing on iOS 13.1 was between 48162-49555).
    
    FreeBSD: The first two phases work essentially the same as Linux,
    however, for the last phase, the ACK number is not needed at all, so
    that piece of phase three can be skipped.
    
    OpenBSD: OpenBSD responds to spoofed SYN packets to the correct virtual
    IP with unencrypted RST packets, and the incorrect virtual IP elicits
    unencrypted NTP packets or nothing at all for the first part of the
    attack. For the second part, the responses are encrypted, but we can
    still determine which packets are challenge ACKs from the packet size,
    as with Linux. Connections can be reset by sending a RST with the
    correct sequence number.
    
    
    
    **Possible Mitigations:
    
    1. Turning reverse path filtering on
    
    Potential problem: Asynchronous routing not reliable on mobile devices,
    etc. Also, it isn’t clear that this is actually a solution since it
    appears to work in other OSes with different networking stacks. Also,
    even with reverse path filtering on strict mode, the first two parts of
    the attack can be completed, allowing the AP to make inferences about
    active connections, and we believe it may be possible to carry out the
    entire attack, but haven’t accomplished this yet.
    
    2. Bogon filtering
    
    Potential problem: Local network addresses used for VPNs and local
    networks, and some nations, including Iran, use the reserved private IP
    space as part of the public space.
    
    3. Encrypted packet size and timing
    
    Since the size and number of packets allows the attacker to bypass the
    encryption provided by the VPN service, perhaps some sort of padding
    could be added to the encrypted packets to make them the same size.
    Also, since the challenge ACK per process limit allows us to determine
    if the encrypted packets are challenge ACKs, allowing the host to
    respond with equivalent-sized packets after exhausting this limit could
    prevent the attacker from making this inference.
    
    
    We have prepared a paper for publication concerning this
    vulnerability and the related implications, but intend to keep it
    embargoed until we have found a satisfactory workaround. Then we will
    report the vulnerability to oss-security@lists.openwall.com. We are
    also reporting this vulnerability to the other services affected, which
    also includes: Systemd, Google, Apple, OpenVPN, and WireGuard, in
    addition to distros@vs.openwall.org for the operating systems affected.
    
    Thanks,
    
    William J. Tolley
    Beau Kujath
    Jedidiah R. Crandall
    
    Breakpointing Bad &
    University of New Mexico
    
  2. New Vulnerability Lets Attackers Hijack VPN Connections on Most UNIX Systems

    Affecting most GNU/Linux distributions, as well as FreeBSD, OpenBSD, Android, iOS and macOS systems, the new security vulnerability could allow a local attacker to determine if another user is connected to a VPN (Virtual Private Network) server and whether or not there’s an active connection to a certain website.

    The vulnerability (CVE-2019-14899) is exploitable with adjacent network access, which requires the attacker to have access to either the broadcast or collision domain of the vulnerable operating system, and lets attackers hijack connections by injecting data into the TCP (Transmission Control Protocol) stream.

    The vulnerability has been reported to work against various popular VPN solutions, including OpenVPN, IKEv2/IPSec, as well as WireGuard, and it doesn’t matter which VPN technology is being used, thus allowing attackers to determine the type of packets being sent through the encrypted VPN tunnel.

  3. Tricky VPN-busting bug lurks in iOS, Android, Linux distros, macOS, FreeBSD, OpenBSD, say university eggheads

    A bug in the way Unix-flavored systems handle TCP connections could put VPN users at risk of having their encrypted traffic hijacked, it is claimed.

    The University of New Mexico team of William Tolley, Beau Kujath, and Jedidiah Crandall this week said they’ve discovered CVE-2019-14899, a security weakness they report to be present in “most” Linux distros, along with Android, iOS, macOS, FreeBSD, and OpenBSD. The upshot is, if exploited, encrypted VPN traffic can be potentially hijacked and disrupted by miscreants on the network.

    To pull off the attack, the US-based posse says, a hacker would need to be “network adjacent” to their target, or control an access point on the victim’s local network. Once the victim connected to their VPN, the spy would be able to, for one thing, tamper with the TCP stream to do things like inject packets into the stream.

  4. New Linux Vulnerability Lets Attackers Hijack VPN Connections

    Security researchers found a new vulnerability allowing potential attackers to hijack VPN connections on affected *NIX devices and inject arbitrary data payloads into IPv4 and IPv6 TCP streams. They disclosed the security flaw tracked as CVE-2019-14899 to distros and the Linux kernel security team, as well as to others impacted such as Systemd, Google, Apple, OpenVPN, and WireGuard. The vulnerability is known to impact most Linux distributions and Unix-like operating systems including FreeBSD, OpenBSD, macOS, iOS, and Android. A currently incomplete list of vulnerable operating systems and the init systems they came with is available below, with more to be added once they are tested and found to be affected: Ubuntu 19.10 (systemd), Fedora (systemd), Debian 10.2 (systemd), Arch 2019.05 (systemd), Manjaro 18.1.1 (systemd), Devuan (sysV init), MX Linux 19 (Mepis+antiX), Void Linux (runit), Slackware 14.2 (rc.d), Deepin (rc.d), FreeBSD (rc.d), and OpenBSD (rc.d).

  5. New Linux Vulnerability Lets Attackers Hijack VPN Connections

    Security researchers found a new vulnerability allowing potential attackers to hijack VPN connections on affected *NIX devices and inject arbitrary data payloads into IPv4 and IPv6 TCP streams.

    They disclosed the security flaw tracked as CVE-2019-14899 to distros and the Linux kernel security team, as well as to others impacted such as Systemd, Google, Apple, OpenVPN, and WireGuard.

  6. New vulnerability lets attackers sniff or hijack VPN connections

    The vulnerability — tracked as CVE-2019-14899 — resides in the networking stacks of multiple Unix-based operating systems, and more specifically, in how the operating systems reply to unexpected network packet probes.

  7. Hackers Can Hijack VPN Connections Using A New Linux Vulnerability

    Researchers have found a vulnerability on most Linux distros and *NIX devices which allows hackers to hijack the VPN connections and inject malicious data into the TCP stream.

    The security researchers found the vulnerability in most Linux distributions and operating systems such as Linux, FreeBSD, OpenBSD, macOS, iOS, and Android.

  8. Linux security flaw could let VPN connections be hacked

    The Breakpointing Bad cybersecurity research team from the University of New Mexico discovered and reported on a security flaw which could allow malicious actors to hack Virtual Private Network (VPN) connections.

    William J. Tolley, Beau Kujath, and Jedidiah R. Crandall said the flaw impacts Linux, Android, macOS and other Unix-based operating systems and could allow attackers to sniff, hijack and tamper with VPN-tunnelled connections. The vulnerability was named CVE-2019-14899, with the researchers claiming it takes advantage of how operating systems handle unexpected network probes.

  9. Linux Flaw Allows VPN Hijacking

    A number of Linux distributions, including Ubuntu, Fedora, and Debian, contain a newly discovered vulnerability that an attacker could use to determine whether an individual is using a VPN and then potentially hijack that encrypted connection.

    A research team from the University of New Mexico discovered the vulnerability and developed an attack to exploit it. The attack has some specific requirements and relies on some analysis of the traffic going to and from the target device running the VPN client. The attack is confirmed to work against WireGuard and OpenVPN, but the researchers said that the VPN a victim is using doesn’t really matter. The main prerequisite for the attack to work is for the attacker to be able to send unsolicited packets to the victim’s VPN client.

  10. New Linux vulnerability lets attackers hijack VPN connections

    Three researchers from the University of New Mexico and Breakpointing Bad have identified a vulnerability in the way Unix and Linux-based operating systems like macOS handle TCP connections. Researchers believe that the vulnerability can specifically affect VPN users by hijacking encrypted traffic.

  11. New Linux Bug Lets Attackers Hijack Encrypted VPN Connections

    A team of cybersecurity researchers has disclosed a new severe vulnerability affecting most Linux and Unix-like operating systems, including FreeBSD, OpenBSD, macOS, iOS, and Android, that could allow remote ‘network adjacent attackers’ to spy on and tamper with encrypted VPN connections.
    The vulnerability, tracked as CVE-2019-14899, resides in the networking stack of various operating systems and can be exploited against both IPv4 and IPv6 TCP streams.
    Since the vulnerability does not rely on the VPN technology used, the attack works against widely implemented virtual private network protocols like OpenVPN, WireGuard, IKEv2/IPSec, and more, the researchers confirmed.
    This vulnerability can be exploited by a network attacker — controlling an access point or connected to the victim’s network — just by sending unsolicited network packets to a targeted device and observing replies, even if they are encrypted.

  12. VPN Bug Affects “Most” Linux Distros

    A team of security researchers from the University of New Mexico has disclosed a new vulnerability that could allow attackers to probe devices and determine various details about the VPN (Virtual Private Network) connection status of a user.

    The security vulnerability (CVE-2019-14899) appears to affect most GNU/Linux distributions, besides FreeBSD, OpenBSD, Android, iOS and macOS systems. William J. Tolley, one of the security researchers, explained in a post that the vulnerability could let attackers determine if another user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and also sniff out whether or not there is an active connection to a given website.

  13. OpenBSD devs patch authentication bypass bug

    One of the internet’s most popular free operating systems allowed attackers to bypass its authentication controls, effectively leaving the keys in the back door, according to an advisory released this week. The developers of the OpenBSD system have already patched the vulnerability.

    OpenBSD allowed people access to its smtpd, ldapd, and radiusd programs – which send mail, allow access to user directories, and allow remote access to the computer system. All an attacker needed to do was enter a specific word prefixed by a hyphen as a username.

    Qualys Research Labs found four bugs in BSD Authentication, which is the code that OpenBSD uses to authenticate users. Three of them were local privilege escalation bugs, while the other, CVE-2019-19521, bypassed the authentication system altogether. According to its security advisory, BSD Authentication supports four authentication styles: password, a one-time password mechanism called S/Key, and Yubico’s YubiKey hardware token.

  14. New Linux vulnerability puts VPN connections at risk of hijacking

    Furthermore, the research team also identified the SEQ and ACK numbers from inspecting the encrypted packet size and number and managed to inject data into the TCP stream, which led to the hijacking of the connection. This means VPN technology was ineffective in preventing the attack since even encrypted packets could be assessed.

    After testing on Manjaro 18.1.1, CentOS, and Ubuntu 19, researchers discovered that the exploit was applicable to both IPv4 and IPv6. Other systems that are vulnerable to exploitation include Void Linux, Debian 10.2, Slackware 14.2, Arch 2019.5, MX Linux 19, Deepin, Fedora, Devuan, FreeBSD, and OpenBSD. They will be testing the effectiveness of the exploit against Tor as well.

  15. Attackers using Linux Vulnerability to Hijack VPN Connections
  16. Linux VPN connections can be hacked

    Insecurity experts at Breakpointing Bad have found a new vulnerability allowing potential attackers to hijack VPN connections on affected *NIX devices and inject arbitrary data payloads into IPv4 and IPv6 TCP streams.

    The security flaw, tracked as CVE-2019-14899, was disclosed to distros and the Linux kernel security team, as well as to others impacted such as Systemd, Google, Apple, OpenVPN, and WireGuard. The vulnerability is known to impact most Linux distributions and Unix-like operating systems including FreeBSD, OpenBSD, macOS, iOS, and Android.

    A currently incomplete list of vulnerable operating systems and the init systems they came with is available below, with more to be added once they are tested and found to be affected: Ubuntu 19.10 (systemd), Fedora (systemd), Debian 10.2 (systemd), Arch 2019.05 (systemd), Manjaro 18.1.1 (systemd), Devuan (sysV init), MX Linux 19 (Mepis+antiX), Void Linux (runit), Slackware 14.2 (rc.d), Deepin (rc.d), FreeBSD (rc.d), and OpenBSD (rc.d).

  17. VPN connections could be hacked due to Linux security flaw

    A new vulnerability that could allow potential attackers to hijack VPN connections on affected *NIX devices and inject arbitrary data payloads into IPv4 and IPv6 TCP streams has been discovered by security researchers.

    The researchers disclosed the security flaw they detected, tracked as CVE-2019-14899, to Linux distro makers, the Linux kernel security team and to others that are impacted including systemd, Google, Apple, OpenVPN and WireGuard.

  18. Unix-like Systems Vulnerable to VPN Inferring and Hijacking Attacks

    Three researchers from Breakpointing Bad and the University of New Mexico have discovered a vulnerability that exists in Linux and Unix-like operating systems like Android and macOS. Given the tracking code “CVE-2019-14899”, the flaw resides in the routing table code and the TCP code that is present in these systems. The vulnerability allows an attacker to perform traffic analysis via clever use of encrypted DNS queries in conjunction with error messages, leading to the sniffing of open TCP connection information. The attack was discovered quite a while back, but the researchers disclosed it publicly now, and after they allowed the vendors some time to plug the holes.

  19. Researchers say VPN bug affects Linux, Unix systems
  20. Linux Bug Opens Most VPNs to Hijacking

    In a coffee-shop scenario, attackers can hijack “secure” VPN sessions of those working remotely, injecting data into their TCP streams.

    A vulnerability in most Linux distros has been uncovered that allows a network-adjacent attacker to hijack VPN connections and inject rogue data into the secure tunnels that victims are using to communicate with remote servers.

    According to researchers at University of New Mexico and Breakpointing Bad, the bug (CVE-2019-14899), “allows…an attacker to determine if…a user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website.”

  21. New vulnerability lets attackers sniff or hijack VPN connections
  22. Researchers find a new Linux vulnerability that allows attackers to sniff or hijack VPN connections

    On Wednesday, security researchers from the University of New Mexico disclosed a vulnerability impacting most Linux distributions and Unix-like operating systems including FreeBSD, OpenBSD, macOS, iOS, and Android. This Linux vulnerability can be exploited by an attacker to determine if a user is connected to a VPN and to hijack VPN connections.

    The researchers shared that this security flaw tracked as CVE-2019-14899, “allows a network adjacent attacker to determine if another user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website.” Additionally, attackers can determine the exact sequence and acknowledgment numbers by counting encrypted packets or by examining their size. With this information in hand, they can inject arbitrary data payloads into IPv4 and IPv6 TCP streams.

  23. Hackers Exploit New Linux Vulnerability To Hijack VPN Connections

    The attack has been reported to work against several popular VPN solutions, including OpenVPN, IKEv2/IPSec, and WireGuard.

    However, the researchers are still testing their viability against Tor, as it works in a SOCKS layer and implements authentication and encryption that takes place in userspace.

    “It should be noted, however, that the VPN technology used does not seem to matter and we are able to make all of our inferences even though the responses from the victim are encrypted, using the size of the packets and number of packets sent (in the case of challenge ACKs, for example) to determine what kind of packets are being sent through the encrypted VPN tunnel,” clarifies the research team.
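The advisory quoted in item 1 above infers the victim's TCP sequence number by spoofing RSTs in blocks across the sequence space and watching for rate-limited challenge ACKs. The following is an added example, not code from the advisory or from the researchers, of how a monitor on the VPN client (or on the tunnel endpoint) could flag that probing from the RST side alone: it groups RSTs by four-tuple and alerts when many distinct sequence numbers arrive for one connection within a short window, recovering the attacker's block size along the way. The packet schema, the sample records and the thresholds are constructed assumptions.

```python
"""Detection for the RST sequence-number probing described in the
CVE-2019-14899 advisory (example code, not the advisory's own).

Legitimate RSTs for one connection carry one, or very few, sequence
numbers.  A probe that walks the 32-bit space in fixed blocks (the
advisory's toy example uses 50,000) shows up as many distinct sequence
numbers for the same four-tuple within a few seconds."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Pkt:
    """One TCP segment as a monitor on the client would record it
    (constructed schema; a real deployment would fill it from a pcap)."""
    ts: float      # capture time, seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flags as letters, e.g. "R", "RA", "PA"
    seq: int       # raw 32-bit sequence number


FourTuple = Tuple[str, int, str, int]


def block_size(seqs: List[int]) -> int:
    """Most common gap between consecutive distinct sequence numbers.
    For a block-stepping probe this recovers the attacker's block size;
    a single sequence number yields 0."""
    ordered = sorted(set(seqs))
    gaps = Counter(b - a for a, b in zip(ordered, ordered[1:]))
    return gaps.most_common(1)[0][0] if gaps else 0


def detect_rst_probing(pkts: List[Pkt], window_s: float = 5.0,
                       min_distinct: int = 8) -> List[dict]:
    """Return one alert per four-tuple that received at least `min_distinct`
    RSTs with distinct sequence numbers inside some `window_s`-second window.
    Both thresholds are assumptions to be tuned per deployment."""
    by_tuple: Dict[FourTuple, List[Pkt]] = defaultdict(list)
    for p in pkts:
        if "R" in p.flags:                       # RST and RST/ACK alike
            by_tuple[(p.src, p.sport, p.dst, p.dport)].append(p)

    alerts = []
    for key, rsts in by_tuple.items():
        rsts.sort(key=lambda p: p.ts)
        best: List[Pkt] = []
        j = 0
        for i in range(len(rsts)):               # sliding time window [i, j)
            while j < len(rsts) and rsts[j].ts - rsts[i].ts <= window_s:
                j += 1
            cand = rsts[i:j]
            if len({p.seq for p in cand}) > len({p.seq for p in best}):
                best = cand
        distinct = sorted({p.seq for p in best})
        if len(distinct) >= min_distinct:
            alerts.append({
                "four_tuple": key,
                "rsts": len(best),
                "distinct_seq": len(distinct),
                "block_size": block_size(distinct),
                "span_s": round(best[-1].ts - best[0].ts, 3),
            })
    return alerts


def constructed_capture() -> List[Pkt]:
    """Constructed sample, not a real capture: a probe against the advisory's
    toy four-tuple plus benign traffic that must not alert."""
    pkts = []
    # Probe: 12 RSTs walking the sequence space in 50,000 blocks at 10 pps.
    for k in range(12):
        pkts.append(Pkt(100.0 + 0.1 * k, "64.106.46.56", 80,
                        "10.8.0.8", 40404, "R", 50_000 * k))
    # Benign: a server's RST/ACK after the client closed, retransmitted once.
    pkts.append(Pkt(101.0, "93.184.216.34", 443, "10.8.0.8", 51000, "RA", 2_200_000_000))
    pkts.append(Pkt(101.3, "93.184.216.34", 443, "10.8.0.8", 51000, "RA", 2_200_000_000))
    # Benign: ordinary data on the probed connection itself.
    pkts.append(Pkt(100.5, "64.106.46.56", 80, "10.8.0.8", 40404, "PA", 12345678))
    return pkts


if __name__ == "__main__":
    for alert in detect_rst_probing(constructed_capture()):
        print(alert)
```

On the constructed capture the detector raises a single alert for 64.106.46.56:80 -> 10.8.0.8:40404 with 12 distinct sequence numbers and a recovered block size of 50,000, while the benign RST/ACK pair stays silent.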

11.19.19

ZDNet (CBS) Associates GNU/Linux Users With ISIS

Posted in FUD, GNU/Linux at 11:39 pm by Dr. Roy Schestowitz

ZDNet FUD

Summary: Response to “US student was allegedly building a custom Gentoo Linux distro for ISIS,” just published by ZDNet and composed by their biggest troll, Catalin Cimpanu

10.13.19

Firm of Microsoft’s Former Litigation Chief Uses Microsoft-Connected Patent Lawsuit Against GNU/Linux (GNOME Foundation) for New Breed of FUD Campaigns

Posted in Bill Gates, Free/Libre Software, FUD, GNOME, Microsoft, Patents at 11:39 pm by Dr. Roy Schestowitz

There’s also an apparent connection to Epstein’s notorious pedophile/child trafficking ring — perhaps a subject to explore another day

Birds of a feather… Nathan Myhrvold with Epstein

Summary: The patent troll of Bill Gates and Nathan Myhrvold has fed a patent troll that’s attacking GNU/Linux and a firm owned by Microsoft’s former litigation chief says it proves “Open Source Software Remains a Target”

WHAT do the men at the top have in common? Both are close friends of Bill Gates, the famous criminal with his scam/sham ‘charity’. We keep gathering new and interesting facts about Gates. “Both of his ‘Science’ advisors were Epsteinites,” an anonymous source close to Microsoft told us, “one of which is shacked up with Steve Sinofsky, the other was the backup executor of his will. Even Nathan Myhrvold got caught hanging out with him. Such a small world…”

We were also sent the above photo. So even Intellectual Ventures (IV) — the world’s largest patent troll created by a close friend of Bill Gates — is possibly connected to this pedophile ring.

Last month GNU/Linux was sued by a troll that this bigger troll had armed and supported. This hasn’t been mentioned in a while, but here’s all the media/blog coverage. Notice how nobody except us [1, 2] took note of the connection. Are they blind? Are they unwilling to research a little? It’s not hard. It’s right there in the public domain.

Shook, Hardy & Bacon LLP, a firm headed/created by Microsoft’s former litigation bigwig (we wrote about this before, e.g. in [1, 2, 3]), has just weighed in by saying “Open Source Software Remains a Target as GNOME Foundation Hit with Patent Infringement Lawsuit” (the words between the lines are, “FOSS is dangerous!”).

“The GNOME Foundation is the non-profit organization that coordinates the development and operation of the popular open source desktop environment with which it shares a name,” they said. “The GNOME desktop environment supports many free and open source software applications.”

The USPTO granted a likely bogus patent, and the likes of OIN plan to leverage prior art against it instead of 35 U.S.C. § 101 (typical IBM).

In a move that evidences an emerging pattern, Rothschild Patent Imaging LLC, a non-practicing entity (“NPE”), has filed a complaint asserting patent infringement against the open source software organization, the GNOME Foundation. The GNOME Foundation is the non-profit organization that coordinates the development and operation of the popular open source desktop environment with which it shares a name. The GNOME desktop environment supports many free and open source software applications. Rothschild alleges in the only count of the complaint filed in the U.S. District Court for the Northern District of California, that the GNOME image management software “Shotwell” infringes their U.S. Patent 9,936,086, directed to “a wireless image distribution system and method.” Rothschild Patent Imaging did not just single out GNOME Foundation, but cast a nationwide net in asserting the ‘086 patent – since July 2019 it has filed five other cases against various defendants (Magix Computer, Cyberlink, Zoner, QNAP, and Monument Labs) in Nevada, Delaware, Illinois and California.

Firm of Microsoft people celebrating (or leveraging for FUD) a lawsuit against GNU/Linux by a patent troll armed by a Microsoft proxy? If Groklaw was still around, PJ would have something to say about it. But all we have left is so-called ‘media’ or ‘press’ better skilled at diverting all attention from a Gates scandal to a phony Stallman ‘scandal’.

09.22.19

Summits of Open Bear Traps: The Open Core Summit and Other ‘Open’ Events That Actually Attack Software Freedom

Posted in Deception, Free/Libre Software, FUD, IBM, Microsoft at 1:36 pm by Dr. Roy Schestowitz

Openwashing Report part II

Weekly openwashing report

Summary: Conferences that call themselves “open” something are sometimes nothing but an attack on openness (not to mention freedom) and promotion of FUD about Free/Open Source software (FOSS); there’s an ample set of examples to that effect

THIS weekend, just like this past week, there’s much attention being paid to the same old scam which is “Open Core”, fetishised by people who care about money a lot more than they care about freedom. Simon Phipps (OSI) commented about it some days ago; he’s against it. It’s because of some stupid summit set up by foes of Software Freedom.

One can typically tell the motivation of an event based on who chooses to sponsor (i.e. bankroll) it. The Open Core Summit is no exception; remember Microsoft with its “Open Cloud” charade. Who was actually there? The chief of the Linux Foundation, who told the crowd that “Open Source loves Microsoft…”

Who else was there? Microsoft and several of its proxies, companies that profit from attacking and slandering Open Source, e.g. Snyk and WhiteSource. One can rest assured that FUD about “Open Source” will carry on as long as companies look to destroy (or hijack) it.

Days ago we caught this report. It exposes GitHub as a threat because it attracts dumb employees who use it to upload sensitive data. Did the media blame Microsoft? No, it never does. Notice how corporate media loves playing along with the Microsoft lie — the intentional lie that GitHub is somehow separate from Microsoft. This is designed to entrap people and harm them. Same for Facebook with WhatsApp and Instagram. Or Google with YouTube…

Citing BNNBloomberg, one reader told us about it yesterday. “Here’s a fun one,” the reader said, citing this report from David George-Cosh. “The Bank of Nova Scotia “inadvertently” uploaded sensitive login credentials to an open source repository…”

As the article put it: “The Bank of Nova Scotia is working to remove internal computer code reportedly containing sensitive login credentials for some online services that was inadvertently uploaded to an open-source repository.” (of Microsoft)

Remember that Microsoft is currently being sued by Capital One over a similar incident. GitHub is reckless about what’s hosted and served through it. Disclaiming liability is a classic pattern of Microsoft behaviour across a broad spectrum of its activities. Later on Microsoft says Open Source is a risk and a danger; whose fault is it though?

Analytics India Magazine, a Microsoft-friendly site, has just published this piece of FUD. Citing an anti-FOSS firm that is Microsoft-connected, they try to create the stigma that so-called ‘technical debt’ is a uniquely FOSS issue (like they do with “security” and “licensing”).

That’s just classic FUD; this is the sort of thing that fills up Microsoft-run ‘open’ events. It’s all about attacking FOSS and making it look bad.

There’s another new corporate ‘summit’ with lots of openwashing; it’s led by Alluxio.

Going back to the BNNBloomberg article, here’s what it says: “The Register, a U.K.-based technology website, reported on Wednesday that a Canadian IT worker discovered the uploaded source code on Github, a website that hosts programming code that is freely available for other programmers to access.

“The code contained information related to the bank’s backend systems as well as code related to Scotiabank’s mobile apps for its Central American and South American customers, the website said.”

Whose fault is it? Or rather, if Microsoft serves this data, is it exempted from accountability?

Speaking of The Register, that same reader noted: “Now some crap about open core…”

We mentioned this in Daily Links. To quote: “Analysis On Thursday, at the Palace of Fine Arts in San Francisco, companies building open-source code gathered to figure out how to survive having Amazon, Google, and Microsoft sell their software as a service without paying for the privilege.

“The confab has a name, the Open Core Summit, where “Open Core” refers to the marketing strategy of offering a core service for free and charging for complementary capabilities. Presumably, “Freemium Summit” didn’t pass muster.

“The inaugural conference is focused on helping commercial open-source organizations develop viable business models. It’s organized by OSS Capital, a venture-capital firm founded by entrepreneur Joseph Jacks and given street cred through the presence of board partner Bruce Perens, one of the pioneering figures in the open-source movement.”

Open Core is just proprietary software with openwashing-themed marketing.

And “note the next paragraph links to the final Stallman interview,” our reader said, quoting “whatever those [sic] may be…”

Here’s the part in question, using words like “partisans”: “Free Software partisans describe open source as a development methodology without the Free Software movement’s moral and philosophical aspirations, whatever those may be. Distinctions aside, a common thread in the two intermingled communities continues to be figuring out how to get paid for code offered under a permissive license.”

Fun quote from the article: “Open-source licenses like Apache 2.0 have no requirement to compensate those actually crafting such software.”

Compensate? Seriously?

Here’s the full context: “Several of the companies attending, such as Elastic, have become poster children for the peril of cloud-provider parasitism. Open-source licenses like Apache 2.0 have no requirement to compensate those actually crafting such software. So, mostly, the cloud giants that deploy services based on open-source projects don’t bother to pay outsiders who improve and maintain the code.”

And here’s more: “If you ask nicely, these companies may sponsor your conference, as AWS has done for the Open Core Summit. At the same time, it’s tempting to see a certain zero-sum symbolism in the conference’s morning donut service, “brought to you by AWS,” not to mention interstitial music cues like Bon Jovi’s Livin’ on a Prayer and Imagine Dragons’ Whatever It Takes.”

So they sponsor turning FOSS into proprietary software. In ‘the cloud’…

As the article notes, “in March, Amazon Web Services debuted its fork of the Elastic project, all the while insisting it’s not a fork.

“During the lunch break, a co-founder of a prominent open-source project pointed to AWS’s banner for its Open Distro for Elasticsearch as “a giant f– you” to the open-source companies in attendance.”

The “article includes this note,” the reader noted: “Editor’s note: we are happy to clarify that Ben Golub described open-source software as a loss leader, and not Upbound CEO Bassam Tabbara as first reported.”

Lightbend participates in this nasty conference that promotes proprietary software under the guise of ‘open’. It even issued this press release to brag about it; these openwashing attacks on Free software’s legitimacy (showing how the licence is ‘worked around’ in ‘the cloud’) are nothing to brag about. They should be a source of shame. But Lightbend keeps paying to spread this. Larry Augustin also sold us all out by joining Amazon AWS (his former employer SugarCRM has betrayed all customers by becoming proprietary software as well… whereupon the fork SuiteCRM came to their rescue). From the press release: “Brewer joins panelists Larry Augustin, VP Amazon Web Services (formerly CEO of SugarCRM) and Scott Collison, CEO Anaconda…”

Those are not FOSS companies; they’re proprietary software.

Proprietary software giants sponsoring “open” things is a matter of tossing ‘slush funds’ around to improve perceptions. Matt Asay does this all the time at such companies (now Amazon/AWS).

There’s also this new press release [1, 2] entitled “Top five open source-powered solutions to mitigate the impact of natural disasters announced as finalists in Call for Code global coding challenge” (“Call for Code” is not the same as “Call for Open Source Code”).

Just like AWS, “open source-powered” means “exploits FOSS but remains proprietary software itself” because it’s not about freedom but leveraging freedom to deprive others.

The “Call for Code 2019 is focused on creating solutions to help mitigate the effects of natural disasters and help communities better prepare and respond to the needs of survivors…”

IBM is OK with it being proprietary; it is, after all, just a PR stunt for them. IBM wants to stay proprietary; it can leverage Red Hat to pretend otherwise. Microsoft does more or less the same thing.
