
07.01.15

The Shameless Campaign to Paint/Portray Free Software as Inherently Insecure, Using Brands, Logos, and Excessive, Selective Press Coverage

Posted in Free/Libre Software, FUD, Security at 5:39 am by Dr. Roy Schestowitz

Image courtesy of Red Hat, demonstrating lack of correlation between severity and logos/brands

Summary: Some more FUD from firms such as Sonatype, which hope to make money by making people scared of Free/libre software

The corporate media is in the business of selling (for corporations), not informing. Advertising is the business model, as are media ‘partnerships’ (a euphemism for PR). Security firms, too, are in the business of selling, not informing, and misinformation often helps sales. We have already ranted quite a lot about media misdirection designed to sell products or to malign the competitors of those trying to sell unnecessary products. We must assume that this is happening because it has always been happening; it has just become a lot more frequent now that Free/libre software is more widely used.

The other day IDG published some promotion of Veracode. To quote one paragraph: “The scale of the problem is significant. Cryptographic issues are the second most common type of flaws affecting applications across all industries, according to a report this week by application security firm Veracode.”

This is not an independent security researcher; it is the Black Duck-connected Veracode (Black Duck came from Microsoft and Veracode’s co-founder recently joined Black Duck), which overlooks security issues in proprietary software. Veracode is not an objective observer; it is trying to sell something. Sonatype too, a nasty company which we wrote about before [1, 2, 3, 4, 5, 6], rears its ugly head in the media, in an article provocatively titled “Open-Source Code Can Be More Dangerous Than Useful”.

So Sonatype has launched yet another FUD attack on Free software, using myths and rhetoric and capitalising on gullible ‘journalists’ who will print just about anything, complete with the clueless pasting of bugs with logos (for extra fear), no discussion of severe bugs in proprietary software, and many other issues. The article relays Sonatype’s marketing and dramatises it even further. “It gets worse,” says the writer, “according to Sonatype: Many of the software companies that have built insecurities right into their products wouldn’t be able to tell which of their applications are affected by a known component flaw because of poor inventory practices.”

Well, proprietary software deliberately adds flaws to act as secret back doors. How about that in the discussion? The article totally omits that. The article then adds some talking points from the FOSS-hostile Symantec, another company which tries to sell its proprietary software based on perceptions of insecurity.

Thankfully, there are a couple of comments there (below the article) that highlight the issues with the article; both are titled “Not only open source…”

As Free/libre software becomes more mainstream we should expect more parasites like Sonatype to look out for fools who are willing to do their marketing, monetising trash-talk.

06.18.15

IDG’s Jihad Against Free/Libre Software Perpetuates Myths About Software Security (Through Obscurity)

Posted in Free/Libre Software, FUD at 8:56 am by Dr. Roy Schestowitz


Summary: Many Free/libre software-hostile articles from IDG (worsened this past week) exploit public miscomprehension or misunderstandings about computer security

TECHRIGHTS readers are advised to treat with great caution the output of IDG, perhaps the biggest network writing in a variety of languages about technology on the Internet (the paper publications of IDG are mostly defunct by now).

Readers may still recall the regular FUD from Sonatype [1, 2, 3, 4, 5], a firm which is not itself anything like a Free software firm but sure likes to talk about Free software (negatively). Sonatype’s shameless and self-promotional talking points are now being masqueraded as media articles (in the IDG network) and, for extra FUD, the same piece is reposted on many IDG sites, even rarely-accessed ones. It smacks of misuse of media resources. IDG is also modifying the headline for extra reach (SEO in the news aggregators) for this same FUD, which is derived from a self-promotional Sonatype press release.

Sonatype should produce a study on how many proprietary systems are not being patched. Or worse: how many never get fixed by the vendor at all? How many pieces of proprietary software have severe flaws for which no fix was ever issued? How many flaws are never revealed to the public? See how Microsoft admits hiding flaws. What about back doors (intentional flaws)? Abandoned software with secret code is almost guaranteed to be Swiss cheese. These debates are mostly missing from the corporate media. Only yesterday security guru Bruce Schneier wrote: “One of the biggest conceptual problems we have is that something is believed secure until demonstrated otherwise. We need to reverse that: everything should be believed insecure until demonstrated otherwise.”

Glancing at another IDG piece from the past few days, it looks like there is an agenda, maybe the editor’s or the publisher’s (Microsoft and Apple are big clients, e.g. through advertising and IDC contracts). The piece is a one-sided attack on Free software security; flaws in Free software aren’t any worse (or more numerous) than those in proprietary software, it is just that their developers are not hiding them. That’s not hard to understand, is it? IDG likes to promote this ‘New Illusion’ of Free software being insecure (part of the latest FUD wave/strategy), using bugs with “branding” [1, 2, 3], irrespective of real severity.

If Edward Snowden’s NSA and GCHQ leaks taught us anything, it’s that proprietary software is not secure and Free software should not tolerate proprietary blobs or hardware (e.g. in hard drives). Don’t let IDG change the consensus. Surely IDG has the budget to hire some technical journalists who can challenge myth makers, but would that ultimately suit the agenda and appease existing customers?

05.31.15

McAfee Associates Free Software and Anonymity With Crime

Posted in Free/Libre Software, FUD, Security at 3:23 pm by Dr. Roy Schestowitz

Summary: Insecurity firm McAfee, whose record on Free software is appalling (it is Windows-centric for its business), continues years of tradition by slinging mud at Tor

TECHRIGHTS has for many years regarded McAfee as a leading source of FUD against Free software. To give a very recent example, McAfee is connected to the "VENOM" hype (through former management), just like Microsoft.

The latest McAfee FUD targets Tor [1-4]. It’s FUD which associates Tor with crime. Framing Tor as a crime tool is like framing kitchen knives as weapons for murder, but this kind of characterisation sure fits the current war against Tor (anonymity). The attack on encryption is also on the rise and much of the British media is now spreading propaganda that associates encryption with terrorism. A recent movie that I watched, The Imitation Game, shrewdly associates encryption with the Nazis.

Related/contextual items from the news:

  1. ‘Tox’ Offers Ransomware As A Service

    The ransomware is free to use but site retains 20 percent of any ransom that is collected, McAfee researcher says.

  2. Almost anyone can make ransomware with this horrifying new program

    We might be entering a whole new era of malware, one where even those who lack any semblance of deep technical expertise will be able to acquire and disseminate viruses and the like on the fly.

  3. Yay for Tor! It’s given us RANSOMWARE-as-a-service
  4. Open Source Malware Lets Anyone Hold Computer Users to Ransom

    A free collection of files has been discovered that aids in the creation of ransomware; the process of encrypting the contents of someone’s computer until they pay to have it unlocked. Set your price and away you go.

05.22.15

Microsoft Gives Another Bug a Name, This Time Logjam™

Posted in FUD, Marketing, Microsoft at 10:54 am by Dr. Roy Schestowitz

Any logo/s yet?


Summary: The Microsoft crowd is good only at marketing, even when it comes to small bugs in software

Another brand for a bug, namely “logjam”, was made up by Microsoft et al. Linux sites are already covering it and adding to the panic. As the Microsoft-friendly BBC put it: “The “LogJam attack” was discovered by researchers at Microsoft and a number of US and French universities.” This “logjam” nonsense already has its own brand and even a dedicated Web site, just like Heartbleed™. As a reminder, Heartbleed™ too was coined by a Microsoft-connected firm, despite the fact that the bug was found by a man from Google.

Just over a week ago a Microsoft-connected firm spread the word VENOM™ as part of a marketing/propaganda campaign, serving to discourage companies from adopting Free/libre software for virtualisation. People remember brands better than they remember advisory numbers or technical details, and a brand name says nothing about actual severity.

05.13.15

Updates on Microsoft’s War Against GNU/Linux, Android, and Free/Libre Software

Posted in FUD, GNU/Linux, Google, Microsoft at 7:17 am by Dr. Roy Schestowitz


Summary: The latest moves from Microsoft, which is eager to undermine Android and GNU/Linux (desktop/server) by all means possible

Microsoft really hates GNU/Linux, and it shows it too. We wrote about several clear signs of this just a couple of months ago. It is summarised in the following series, which we published in order to — at the very least — act as a reminder amid Microsoft’s media blitz (claiming that it “loves Linux” and embraces “Open Source”):

“Windows ideology [is] causing harm just to be spiteful,” a reader wrote to us yesterday morning, “yet again.” He cited this new article, which shows an attack on GNU/Linux from a Microsoft-faithful CIO.

“The CIO,” says the article, “had already released a memo to all tech support chiefs, stating that all retiring hardware should be placed on pallets for pick up by a soon-to-be-named reclamation and recycling vendor. The real kick? They’re paying big money to have their stuff picked up and parted out for profit — all in the name of “responsible recycling.” Rick quietly shared with me that the CIO was miffed because we were repurposing their donated computers with GNU/Linux. Because we were removing Windows, he thought the donated hardware was being wasted.”

How is it a waste to throw away proprietary software with back doors? Surely it would not be a gift if handed over to the disenfranchised in this form (with Windows). Windows is a tool of espionage against its users, so wiping it should make sense by now, especially after the NSA leaks, which prove Microsoft’s complicity. Microsoft Peter (Peter Bright) frames Microsoft as anti-leaks after the NSA’s Exchange Server spewed out almost everything the NSA had in store. It’s hilarious to see how far Microsoft propagandists at Ars Technica are willing to go with such spin.

In other news of interest, the New York Times whitewashes a patent troll (Paul Allen) who attacks Android through Interval. Microsoft, in the meantime, spreads more Android FUD (security-flavoured), showing its clear disdain for Free/Open Source software. Is this the “nice Microsoft” or “new Microsoft” we keep hearing about? How about Microsoft’s attacks on Android through Cyanogen as a proxy? It’s a Microsoft vassal which tries to remove Google from Android and put Microsoft in charge. Jack Wallen recently published this article about “Microsoft and Cyanogen”, asking: “But why Microsoft? Why jump from one juggernaut to another, from one lockdown to another? It’s really clear why Microsoft would make this deal: their mobile platform is going nowhere. In order to get their fingers embedded in the mobile pie, they have to embrace other platforms. And what better way to embrace mobility than to get in league with the leader–Android. By working with Cyanogen, Microsoft effectively gets their own version of Android–we’ll call it MS Android.

“From my perspective, Cyanogen partnering with Microsoft on Android doesn’t open the platform, it closes it up tight. This is especially true considering we’re not talking about simply adding a few apps, we’re talking about bundling. Microsoft’s history of bundling is not littered with praise for being “open”. Instead, what this looks like to me is an attempt at Cyanogen turning its back on Google to say “We’ll show you!””

Microsoft’s spinners Peter Bright and Andrew Orlowski are both unhappy that Microsoft is trying to bring Android software to Windows [1, 2]. They view this as surrender or suicide, as if Microsoft has any chance against Android/Linux and GNU/Linux except by destroying/undermining them.

“Microsoft closes sole Helsinki outlet,” says a Microsoft-friendly paper after Microsoft killed Nokia. “Software giant Microsoft,” it explains, “has shut the doors of its only retail outlet in Helsinki, saying that it will focus sales of its consumer devices online and in other retailers’ outlets. Located in prime commercial real estate in the heart of downtown Helsinki, the store operated under the Microsoft banner for less than one year.”

Yes, just under a year. It means that the Microsoft layoffs carry on. We’re entering a post-Microsoft era, one dominated not just by an alternative brand but also by an alternative model of software distribution. Free software is getting its way. Microsoft actively attacks Free software; it cannot coexist with freedom, as history serves to show.

“I do hope that the suit can help demonstrate that Microsoft’s claims of succeeding through innovation are a complete fraud. Their only innovation has been in inventing predatory business practices. Other than that, they have been perhaps the greatest borrowers in the history of the software industry.”

Sybase Chairman Mitchell Kertzman

05.11.15

Biased Media (and Microsoft-Connected Media) Makes GNU/Linux Security Advantages Unknown

Posted in FUD, GNU/Linux, Microsoft, Security at 3:51 pm by Dr. Roy Schestowitz

“Our products just aren’t engineered for security.”

Brian Valentine, Microsoft executive

Summary: How the corporate media, especially that which is connected to Microsoft, fallaciously frames Windows issues as universal issues and lays blame on GNU/Linux where Windows is affected

Our previous post, which talks about OOXML being insecure [via], was a reminder that Microsoft software is inherently insecure, usually by design (for surveillance/espionage purposes, among other reasons). Today we would like to show some gross media bias which deliberately fails to highlight how uniquely poor Microsoft’s security is.

First of all, the Microsoft-occupied BBC is a disgrace. Several years ago the BBC got very badly stuffed (at management level) with Microsoft UK staff; examples were covered here before. In an article titled “Self-destructing virus kills off PCs” it completely fails to mention that the virus only affects Windows. Microsoft and Windows are mentioned only in a context that promotes them, never otherwise. “Restoring a PC with its MBR deleted involves reinstalling Windows,” says one paragraph in the middle, “which could mean important data is lost.” Would the article bear the same headline if the virus targeted Android? It’s just so vague: “PC” just means “Windows” now. The BBC seems to serve as a Microsoft advertising platform; there is no pretence of objectivity at all. If the BBC applied its language consistently, it would announce a “new version of PC” when Windows is updated, or amend the aforementioned headline to “Windows malware destroys Microsoft Windows”. The BBC has a newspeak name for Microsoft Windows when there’s bad news: “PC”. But it’s called “Windows” (or Vista 10/Windows 10) when there’s good news. How convenient.

Zack Whittaker, formerly of Microsoft UK, writes about the latest Lenovo back door, neglecting to say that it affects only those who use Microsoft Windows (like previous Lenovo back doors). How convenient an omission.

Last but not least, take a look at this rebuttal to articles from IDG and the highly biased Dan Goodin (among a few others whom we cited here the other day). Anti-Linux circles framed a general-purpose threat to computers as a “Linux” thing. What a bogus claim that was! “Stealthy Linux GPU malware can also hide in Windows PCs, maybe Macs,” says the latest headline. The author says quite correctly: “Most news stories last week about Jellyfish focused on the Linux aspect, leading some to believe that Windows or Mac PCs can’t be affected by such threats. It now seems that Team Jellyfish is bent on disproving that.”

So once again GNU/Linux is receiving bad press (a perception of insecurity) despite being just a scapegoat for a technique that lives in hardware (the GPU) and is not specific to any operating system. We covered very similar examples in recent months.

The media is just so biased against Free software. Bias by omission and scapegoating is a longstanding issue that led to the “call out Windows” campaign. It’s not acceptable that Microsoft receives special treatment.

04.27.15

The Unethical Business of Selling Fear of Free/Libre Software Bugs (Black Duck, Sonatype, and Symantec)

Posted in Free/Libre Software, FUD, Google, Marketing at 4:02 am by Dr. Roy Schestowitz


Summary: The spreading of fear of Free/Open Source software (FOSS) is now a growth industry, so proprietary opportunists are eager to capitalise on it, even if by distorting the truth

EARLIER THIS month a Black Duck publicity stunt fooled some journalists into promoting Black Duck FUD. We saw it persist until April 20th (one week ago), even on pro-FOSS sites (blogs) that repeated it days later. IDG made a slideshow out of it. Sadly, it cites Black Duck, which tries to sell proprietary software under the guise of Free software promotion.

In reality, Black Duck is not just selling fear of GPL violations — the original ‘product’ which was ‘sold’ by this firm. It’s a two-faced firm masquerading as pro-FOSS whilst attacking FOSS. Black Duck and Duck Duck Go both give a bad name to ducks. They pretend to be FOSS, or at least openwash themselves (a lie), and they pretend to defend users (also a lie; they merely exploit or monetise users).

In other news, Sonatype reportedly compared FOSS to “Public Health Hazard”. To quote one report: “That’s the assessment of Joshua Corman, CTO at Sonatype, who took to the stage at RSA 2015 to characterize insecure software as a kind of “cyber-asbestos,” widely deployed, inherently dangerous, and eventually carrying an astronomical cost in terms of human suffering and cost to clean up because …we just didn’t know how dangerous it was at the time when we embraced it.”

So Sonatype is again on an anti-Free software binge. It is not the first time (see examples in [1, 2, 3, 4]) and it is easy to see why it is doing this: it’s trying to sell its products, which have nothing to do with Free software. Sonatype’s track record of FOSS FUD is expanding and may one day rival that of the Microsoft-connected Symantec, which continues its FUD campaign against Android, generating misleading headlines such as “One in Five Android Apps Is Malware” in this case. When people install software from Google Play there is virtually no risk, but don’t expect Symantec to analyse this properly. Symantec sells insecurity. To quote the misleading article: “According to Symantec’s latest Internet Security Threat Report, “17 percent of all Android apps (nearly one million total) were actually malware in disguise.” In 2013, Symantec uncovered roughly 700,000 virus-laden apps.”

But where are these apps found? Are any of them accessible to most Android users? No, so Symantec is defining malware wrongly and framing the issue by saying that many applications’ “primary purpose is to bombard you with ads.” That’s not malware; they simply made up a new definition.

Google has already responded, mostly by removing apps with too many ads (which is not malware) and by saying that Android “antivirus” is snake oil, as Google said before (responding to the likes of Symantec several years ago).

Android now has an industry of snake oil around it because there is a lot of market share there. The same can be said about FOSS, which is why Black Duck and Sonatype are busy badmouthing its security. They’re all just looking for a quick buck; FUD and reputation damage to FOSS are “collateral damage”.

04.14.15

Back Doors/Bug Doors in All Versions of Microsoft Windows Need a Name, a Logo, and Branding Too

Posted in FUD, Microsoft, Security, Windows at 10:50 am by Dr. Roy Schestowitz

Microsoft gets a free pass for insecurity

“I don’t want a back door. I want a front door.” — Michael S. Rogers, Director of the National Security Agency (NSA), only days ago

Summary: All versions of Microsoft Windows are found to have been insecure since 1997, but the bug responsible is not discussed as a candidate for back door access, let alone branded (with a logo and marketing) like far less severe bugs in Free/libre software such as OpenSSL

WHILE many journalists still refuse to call out Windows (see this new piece from Dan Goodin, who writes about crackers hoarding Windows hosts by the millions — in botnets — while mentioning the word “Windows” only once, very deep inside the article), some have no choice but to acknowledge that not every computer runs Windows, and therefore we should call out Windows when it’s clearly to blame.

Although there is no “branding” yet (as a Microsoft-linked firm likes to do with Free/libre software bugs), there is a very serious bug in all versions of Windows (even the one still in development) that Microsoft’s allies at the NSA must be very happy about, especially as the bug is 18 years old (meaning that Windows has allowed remote access since 1997, or around the time Microsoft was seeking to appease the US government after it had shamelessly broken many laws).

The bug was found not by Microsoft but by this team (press release), which probably has no access to Windows source code. This wouldn’t be the first time it happens; recall how Google had to alert Microsoft for 3 months about a serious flaw while Microsoft did absolutely nothing (as if the intention was to keep Windows insecure, albeit secretly, very much like Apple).

ISPs should now restrict or ban Windows use, as it poses a huge risk (botnets and DDoS, never mind the risk to all data stored on machines running Windows). Here is some early coverage of this [1, 2], some of it correctly emphasising that it’s an 18-year-old vulnerability [1, 2].

Let’s see if this starts a big debate about the insecurity of proprietary software (as other bugs with “branding” did for Free software, by means of gross generalisation). This “New Security Flaw Spans All Versions Of Windows” (similar wording in this headline). 18 years, eh? It even predates 9/11. It’s older than some readers of this Web site.

Watch this disgraceful piece titled “Will Microsoft’s Security Measures in Windows 10 Tarnish Open-Source Development?”

Yes, it’s more propaganda. The disingenuous openwashing of Windows continues, as we’ll show in our next post.

“Our products just aren’t engineered for security.”

Brian Valentine, Microsoft executive
