Summary: Many Free/libre software-hostile articles from IDG (which got worse this past week) exploit public misunderstanding of computer security
TECHRIGHTS readers are advised to treat with great caution the output of IDG, perhaps the biggest network on the Internet writing about technology in a variety of languages (IDG’s paper publications are mostly defunct by now).
Readers may still recall the regular FUD from Sonatype [1, 2, 3, 4, 5], a firm which is not itself anything like a Free software firm but sure likes to talk about Free software (negatively). Sonatype’s shameless and self-promotional talking points are now being passed off as media articles (in the IDG network) and, for extra FUD, they are reposted on many IDG sites, even rarely-accessed ones. It smacks of misuse of media resources. IDG is also modifying the headline for extra reach (SEO in the news aggregators) of this same FUD, which is based on/derived from a self-promotional Sonatype press release.
Sonatype should produce a study on how many proprietary systems are not being patched. Or worse: how many flaws don’t get fixed by the vendor at all; how many pieces of proprietary software have severe flaws for which no fix was ever issued? How many flaws are never revealed to the public? See how Microsoft admits hiding flaws. What about back doors (intentional flaws)? Abandoned software with secret code is almost guaranteed to be Swiss cheese. These debates are mostly missing from corporate media. Only yesterday security guru Bruce Schneier wrote: “One of the biggest conceptual problems we have is that something is believed secure until demonstrated otherwise. We need to reverse that: everything should be believed insecure until demonstrated otherwise.”
Glancing at another IDG piece from the past few days, it looks like there is an agenda, maybe the editor’s or publisher’s (Microsoft and Apple are big clients, e.g. with advertising and IDC contracts). The piece is a one-sided attack on Free software security; flaws in Free software aren’t any worse (or more numerous) than in proprietary software, it’s just that developers are not hiding them. That’s not hard to understand, is it? IDG likes to promote this ‘New Illusion’ of Free software being insecure (part of the latest FUD wave/strategy), using bugs with “branding” [1, 2, 3], irrespective of real severity.
If Edward Snowden’s NSA and GCHQ leaks taught us anything, it’s that proprietary software is not secure and Free software should not tolerate proprietary blobs or hardware (e.g. in hard drives). Don’t let IDG change the consensus. Surely IDG has the budget to hire some technical journalists who can challenge myth makers, but would that ultimately suit the agenda and appease existing customers? █
Summary: Insecurity firm McAfee, whose record on Free software is appalling (its business is Windows-centric), continues a years-long tradition by slinging mud at Tor
TECHRIGHTS has for many years regarded McAfee as a leading source of FUD against Free software. To give a very recent example, McAfee (through former management) is connected to the “VENOM” hype, just like Microsoft.
The latest McAfee FUD targets Tor [1-4]. It’s FUD which associates Tor with crime. Framing Tor as a crime tool is like framing kitchen knives as murder weapons, but this kind of characterisation sure fits the current war against Tor (i.e. against anonymity). The attack on encryption is also on the rise and much of the British media is now spreading propaganda that associates encryption with terrorism. A recent movie that I watched, The Imitation Game, shrewdly associates encryption with the Nazis. █
Related/contextual items from the news:
The ransomware is free to use but the site retains 20 percent of any ransom that is collected, a McAfee researcher says.
We might be entering a whole new era of malware, one where even those who lack any semblance of deep technical expertise will be able to acquire and disseminate viruses and the like on the fly.
A free collection of files has been discovered that aids in the creation of ransomware, the process of encrypting the contents of someone’s computer until they pay to have it unlocked. Set your price and away you go.
Any logo/s yet?
Summary: The Microsoft crowd is good only at marketing, even when it comes to small bugs in software
Another brand for a bug, namely “logjam”, was made up by Microsoft et al. Linux sites are already covering this and adding to the panic. As the Microsoft-friendly BBC put it: “The “LogJam attack” was discovered by researchers at Microsoft and a number of US and French universities.” This “logjam” nonsense already has its own brand and even a dedicated Web site, just like Heartbleed™. As a reminder, Heartbleed™ too was coined by a Microsoft-connected firm, despite the fact that the bug was found by a man from Google.
Just over a week ago a Microsoft-connected firm spread the word VENOM™ as part of a marketing/propaganda campaign, serving to discourage companies from adopting Free/libre software for virtualisation. People remember brands better than they remember advisory numbers or technical details, which may or may not indicate the level of severity. █
Summary: The latest moves from Microsoft, which is eager to undermine Android and GNU/Linux (desktop/server) by all means possible
Microsoft really hates GNU/Linux. It shows it too. We wrote about several clear signs of it just a couple of months ago. It’s summarised in the following series, which we published in order to — at the very least — act as a reminder amid Microsoft’s media blitz (claiming that it “loves Linux” and embraces “Open Source”):
“Windows ideology [is] causing harm just to be spiteful,” a reader wrote to us yesterday morning, “yet again.” He cited this new article, which shows an attack on GNU/Linux from a Microsoft-faithful CIO.
“The CIO,” says the article, “had already released a memo to all tech support chiefs, stating that all retiring hardware should be placed on pallets for pick up by a soon-to-be-named reclamation and recycling vendor. The real kick? They’re paying big money to have their stuff picked up and parted out for profit — all in the name of “responsible recycling.” Rick quietly shared with me that the CIO was miffed because we were repurposing their donated computers with GNU/Linux. Because we were removing Windows, he thought the donated hardware was being wasted.”
How is it a waste to throw away proprietary software with back doors? Surely it would not be a gift if handed over to the disenfranchised in this form (with Windows). Windows is a tool of espionage against its users, so wiping it off should make sense by now, especially after the NSA leaks, which prove Microsoft’s complicity. Microsoft Peter (Peter Bright) frames Microsoft as anti-leaks after the NSA’s Exchange Server spewed out almost everything the NSA had in store. It’s hilarious to see how far Microsoft propagandists at Ars Technica are willing to go with such spin.
In other news of interest, the New York Times whitewashes a patent troll (Paul Allen) who attacks Android through Interval. Microsoft, in the meantime, spreads more Android FUD (security-flavoured), showing its clear disdain for Free/Open Source software. Is this the “nice Microsoft” or “new Microsoft” we keep hearing about? How about Microsoft’s attacks on Android through Cyanogen as a proxy? It’s a Microsoft vassal which tries to remove Google from Android and put Microsoft in charge. Jack Wallen recently published this article about “Microsoft and Cyanogen”, asking: “But why Microsoft? Why jump from one juggernaut to another, from one lockdown to another? It’s really clear why Microsoft would make this deal: their mobile platform is going nowhere. In order to get their fingers embedded in the mobile pie, they have to embrace other platforms. And what better way to embrace mobility than to get in league with the leader–Android. By working with Cyanogen, Microsoft effectively gets their own version of Android–we’ll call it MS Android.
“From my perspective, Cyanogen partnering with Microsoft on Android doesn’t open the platform, it closes it up tight. This is especially true considering we’re not talking about simply adding a few apps, we’re talking about bundling. Microsoft’s history of bundling is not littered with praise for being “open”. Instead, what this looks like to me is an attempt at Cyanogen turning its back on Google to say “We’ll show you!””
Microsoft’s spinners Peter Bright and Andrew Orlowski both feel unhappy that Microsoft is trying to bring Android software to Windows [1, 2]. They view this as surrender or suicide, as if Microsoft has any chance against Android/Linux and GNU/Linux except by destroying/undermining them.
“Microsoft closes sole Helsinki outlet,” says a Microsoft-friendly paper after Microsoft killed Nokia. “Software giant Microsoft,” it explains, “has shut the doors of its only retail outlet in Helsinki, saying that it will focus sales of its consumer devices online and in other retailers’ outlets. Located in prime commercial real estate in the heart of downtown Helsinki, the store operated under the Microsoft banner for less than one year.”
Yes, just under a year. It means that Microsoft layoffs carry on. We’re entering a post-Microsoft era, one that is dominated not just by an alternative brand but also by an alternative model of software distribution. Free software is getting its way. Microsoft actively attacks Free software. Microsoft cannot coexist with freedom, as history serves to show. █
“I do hope that the suit can help demonstrate that Microsoft’s claims of succeeding through innovation are a complete fraud. Their only innovation has been in inventing predatory business practices. Other than that, they have been perhaps the greatest borrowers in the history of the software industry.”
–Sybase Chairman Mitchell Kertzman
“Our products just aren’t engineered for security.”
–Brian Valentine, Microsoft executive
Summary: How the corporate media, especially that which is connected to Microsoft, fallaciously frames Windows issues as universal issues and lays blame on GNU/Linux even where only Windows is affected
Our previous post, which talks about OOXML being insecure [via], was a reminder that Microsoft software is inherently insecure, usually by design (for surveillance/espionage purposes, among other reasons). Today we would like to show some gross media bias which deliberately fails to highlight Microsoft’s uniqueness when it comes to poor security.
First of all, the Microsoft-occupied BBC is a disgrace. Several years ago the BBC got very badly stuffed (at management level) with Microsoft UK staff; examples were covered here before. In an article titled “Self-destructing virus kills off PCs” it completely fails to mention that it’s just Windows. Microsoft and Windows are mentioned only in a context that promotes them, but not otherwise. “Restoring a PC with its MBR deleted involves reinstalling Windows,” says one paragraph in the middle, “which could mean important data is lost.” Would the article bear the same headline if the virus targeted Android? It’s just so vague. “PC” just means “Windows” now. The BBC seems to serve as a Microsoft advertising platform; there is no pretence of objectivity at all. If the BBC applied its language consistently, it would announce a “new version of PC” when Windows 10 ships and amend the aforementioned headline to “Windows malware destroys Microsoft Windows”. The BBC has a newspeak name for Microsoft Windows when there’s bad news: “PC”. But it’s called “Windows” (or Vista 10/Windows 10) when there’s good news. How convenient.
Zack Whittaker, formerly of Microsoft UK, writes about the latest Lenovo back door, neglecting to say that it affects only those who use Microsoft Windows (like previous Lenovo back doors). How convenient an omission.
Last but not least, take a look at this rebuttal to articles from IDG and the highly biased Dan Goodin (among a few others whom we cited here the other day). Anti-Linux circles framed a general-purpose threat to computers as a “Linux” thing. What a bogus claim that was! “Stealthy Linux GPU malware can also hide in Windows PCs, maybe Macs,” says the latest headline. The author says quite correctly: “Most news stories last week about Jellyfish focused on the Linux aspect, leading some to believe that Windows or Mac PCs can’t be affected by such threats. It now seems that Team Jellyfish is bent on disproving that.”
So once again GNU/Linux is receiving bad press (a perception of insecurity) despite being just a scapegoat in an attack that is hardware-based (GPU-resident, not specific to one operating system). We covered very similar examples in recent months.
The media is just so biased against Free software. Bias by omission and scapegoating are longstanding issues that led to the “call out Windows” campaign. It’s not acceptable that Microsoft receives special treatment. █
Summary: The spreading of fear of Free/Open Source software (FOSS) is now a growth industry, so proprietary opportunists are eager to capitalise on it, even if by distorting the truth
EARLIER THIS month a Black Duck publicity stunt fooled some journalists into promoting Black Duck FUD. We saw it persist until April 20th (one week ago), even on pro-FOSS sites (blogs) which echoed it days later. IDG made a slideshow out of it. Sadly, it cites Black Duck, which tries to sell proprietary software under the guise of Free software promotion.
In reality, Black Duck is not just selling fear of GPL violations, the original ‘product’ which was ‘sold’ by this firm. It’s a two-faced firm masquerading as pro-FOSS whilst attacking FOSS. Black Duck and Duck Duck Go both give a bad name to ducks. They pretend to be FOSS or at least openwash themselves (a lie) and they pretend to defend users (also a lie; they merely exploit or monetise users).
In other news, Sonatype reportedly compared FOSS to a “Public Health Hazard”. To quote one report: “That’s the assessment of Joshua Corman, CTO at Sonatype, who took to the stage at RSA 2015 to characterize insecure software as a kind of “cyber-asbestos,” widely deployed, inherently dangerous, and eventually carrying an astronomical cost in terms of human suffering and cost to clean up because …we just didn’t know how dangerous it was at the time when we embraced it.”
So Sonatype is again on an anti-Free software binge. It is not the first time (see examples in [1, 2, 3, 4]) and it is easy to see why it is doing this. It’s trying to sell its products, which have nothing to do with Free software. Sonatype’s track record of FOSS FUD is expanding and may one day rival that of the Microsoft-connected Symantec, which continues its FUD campaign against Android, generating misleading headlines such as “One in Five Android Apps Is Malware” in this case. When people install software only from Google Play the risk is very low, but don’t expect Symantec to properly analyse this. Symantec sells insecurity. To quote the misleading article: “According to Symantec’s latest Internet Security Threat Report, “17 percent of all Android apps (nearly one million total) were actually malware in disguise.” In 2013, Symantec uncovered roughly 700,000 virus-laden apps.”
But where are they found? Are any accessible to most Android users? No, so Symantec is defining malware wrongly and framing the issue by saying that many applications’ “primary purpose is to bombard you with ads.” That’s not malware, but they made up a new word for it.
Google has already responded, mostly by removing apps with too many ads (which are not malware) and by saying that Android “antivirus” is snake oil, as Google said before (responding to the likes of Symantec several years ago).
Android now has an industry of snake oil around it because there is a lot of market share there. The same can be said about FOSS, which is why Black Duck and Sonatype are busy badmouthing its security. They’re all just looking for a quick buck; FUD and reputation damage to FOSS are “collateral damage”. █
Microsoft gets a free pass for insecurity
“I don’t want a back door. I want a front door.” — Director of the National Security Agency (NSA), only days ago
Summary: All versions of Microsoft Windows are found to have been insecure since 1997, but the bug responsible is not named as a candidate for back door access, let alone branded (with logo and marketing) like far less severe bugs in Free/libre software such as OpenSSL
WHILE many journalists still refuse to call out Windows (see this new piece from Dan Goodin, who writes about crackers hoarding Windows hosts by the millions — in botnets — while mentioning the word “Windows” only once, very deep inside the article), some have no choice but to acknowledge that not every single computer runs Windows and therefore we should call out Windows when it’s clearly to blame.
Although there is no “branding” yet (as a Microsoft-linked firm likes to do to Free/libre software bugs), there is a very serious bug in all versions of Windows (even the one still in development) that Microsoft’s allies at the NSA must be very happy about, especially as the bug is 18 years old (meaning that Windows has allowed remote access since 1997, around the time Microsoft was seeking to appease the US government after it had shamelessly broken many laws).
The bug was found not by Microsoft but by this team (press release), which probably has no access to Windows source code. This wouldn’t be the first time it happens; recall how Google alerted Microsoft to a serious flaw and waited 3 months while Microsoft did absolutely nothing (as if the intention was to keep Windows insecure, albeit secretly, very much like Apple).
ISPs should now restrict or ban Windows use, as it poses a huge risk (botnets and DDoS, never mind the risk to all data stored on machines running Windows). Here is some early coverage of this [1, 2], some of it correctly emphasising that it’s an 18-year-old vulnerability [1, 2].
Let’s see if this starts a big debate about the insecurity of proprietary software (as other bugs with “branding” did to Free software, by means of gross generalisation). This “New Security Flaw Spans All Versions Of Windows” (similar wording in this headline). 18 years, eh? It even predates 9/11. It’s older than some readers of this Web site.
Watch this disgraceful piece titled “Will Microsoft’s Security Measures in Windows 10 Tarnish Open-Source Development?”
Yes, it’s more propaganda; the disingenuous openwashing of Windows continues, as we’ll show in our next post. █
“Our products just aren’t engineered for security.”
–Brian Valentine, Microsoft executive
Image courtesy of Red Hat
Summary: Old news is ‘new’ again, as Microsoft-friendly media decides to keep knocking hard on the reputation of Free software, using words rather than substance
A YEAR ago there was a curious “branding” (the first of its kind for Free/Open Source software) of a 2-year-old FOSS bug by a Microsoft-linked firm that did not even find the bug. An engineer from Google had found it and sought to responsibly disclose it so as to patch it properly before the Microsoft-linked opportunists blew the lid off, called it “Heartbleed”, set up a Web site to ‘celebrate’ the bug, and even made a professionally-prepared logo for it. This whole “Heartbleed” nonsense — however serious it may have been for a day — was blown out of all proportion in the media and tarnished the name of Free software because it was so ‘successfully’ marketed, even to non-technical people. It was a branding ‘success’ which many firms would later attempt to emulate, though never with the same degree of ‘success’ (where success means bamboozling the public, especially non-technical decision-making people).
“Dear journalists,” I said earlier today in social media (Diaspora), “bugs don’t have birthdays. Stop finding excuses to bring “Heartbleed” BS (MS name for old bug) to headlines.” I spoke to one author about it and challenged him for floating these “Heartbleed” logos and brands yet again. To us it seems quite evident that Microsoft keeps attacking Free software and GNU/Linux like never before; it’s just more subtle and hidden in more sophisticated ways. The person who heads the incognito firm that’s known only for the “Heartbleed” brand (they control the brand) came from Microsoft (he was head of security there) and also from the FBI, whose stance on encryption is widely known by now; the FBI actively seeks to break the security of software, so knowing about the 2-year-old OpenSSL bug would make sense. Some reputable media reports said that the NSA had known about this bug for about a year before it was known to the public, and the NSA cooperates with the FBI on breaking software security, sharing personal (illegally intercepted) data, etc.
Anyway, the same publication (as above) also floated the “Heartbleed” nonsense in another article today. Would they do just about anything to keep it in the headlines? Even a year later? They are now citing some firm called Venafi (never heard of it before), which basically relies on misleading misuse of statistics. It’s FUD from a company that tries to make money from perceived dangers and accentuates these dangers in an effort to acquire clients. What kind of ‘journalism’ is this? Incidentally, Black Duck is now joining the list of such parasitic companies, with new hires and multiple press releases, so clearly it’s a growth area and the Microsoft link is easy to see. It is FUD season again this spring as more publications now float this whole nonsense. This is hardly journalism; it’s just a throwback.
Thankfully, Red Hat demonstrates what “branding” of FOSS bugs practically means, even using the image above. There is no correlation between the naming of bugs and their severity, but press coverage sure loves a good brand. This is an important (albeit belated) response from Red Hat to the “branding” of a FOSS bug by Microsoft-linked firms like the one behind “Heartbleed”.
“It’s been almost a year since the OpenSSL Heartbleed vulnerability,” says Red Hat, “a flaw which started a trend of the branded vulnerability, changing the way security vulnerabilities affecting open-source software are being reported and perceived. Vulnerabilities are found and fixed all the time, and just because a vulnerability gets a name and a fancy logo doesn’t mean it is of real risk to users.”
Well, Microsoft folks sure squeezed everything they could out of this bug, seeking to discredit not just OpenSSL but the whole development process of Free software (over just one small bug, or a few lines of code). And Microsoft still pretends that it is warming up to Open Source? Who are these frauds kidding?
There are a lot of companies which continue to use platforms with back doors, such as Windows, but the Wintel-oriented media would rather we just obsess over this one bug from one year ago (which was patched as soon as it became publicly known).
We are rather disappointed to see a decent journalist like Sean Michael Kerner, along with colleagues at eWEEK, swallowing the bait and serving to promote the misleading claims to advertise this company that controls the “Heartbleed” brand, among other opportunists (like fish swimming around a shark for some leftovers). Microsoft must be laughing quite hard seeing all that media manipulation. █