Summary: The latest moves from Microsoft, which is eager to undermine Android and GNU/Linux (desktop/server) by all means possible
Microsoft really hates GNU/Linux. It shows it too. We wrote about several clear signs of it just a couple of month ago. It’s summarised in the following series which we published in order to — at the very least — act as a reminder amid Microsoft’s media blitz (claiming that it “loves Linux” and embraces “Open Source”):
“Windows ideology [is] causing harm just to be spiteful,” wrote to us a reader yesterday morning, “yet again.” He cited this new article which shows an attack on GNU/Linux from a Microsoft-faithful CIO.
“The CIO,” says the article, “had already released a memo to all tech support chiefs, stating that all retiring hardware should be placed on pallets for pick up by a soon-to-be-named reclamation and recycling vendor. The real kick? They’re paying big money to have their stuff picked up and parted out for profit — all in the name of “responsible recycling.” Rick quietly shared with me that the CIO was miffed because we were repurposing their donated computers with GNU/Linux. Because we were removing Windows, he thought the donated hardware was being wasted.”
How is it a waste to throw away proprietary software with back doors? Surely it would not be a gift if handed over to the disenfranchised in this form (with Windows). Windows is a tool of espionage against its users, so wiping it off should make sense by now, especially after the NSA leaks which prove Microsoft’s complicity. Microsoft Peter (Peter Bright) frames Microsoft as anti-leaks after the NSA’s Exchange Server spewed out almost everything the NSA had in store. It’s hilarious to see how far Microsoft propagandists in Ars Technica are willing to go with such spin.
In other news of interest, the New York Times whitewashes a patent troll (Paul Allen) who attacks Android through Interval. Microsoft, in the mean time, spreads more Android FUD (security-flavoured), showing its clear disdain for Free/Open Source software. Is this the “nice Microsoft” or “new Microsoft” we keep hearing about? How about Microsoft’s attacks on Android through Cyanogen as a proxy? It’s a Microsoft vassal which tries to remove Google from Android and put Microsoft in charge. Jack Wallen recently published this article about “Microsoft and Cyanogen”, asking: “But why Microsoft? Why jump from one juggernaut to another, from one lockdown to another? It’s really clear why Microsoft would make this deal: their mobile platform is going nowhere. In order to get their fingers embedded in the mobile pie, they have to embrace other platforms. And what better way to embrace mobility than to get in league with the leader–Android. By working with Cyanogen, Microsoft effectively gets their own version of Android–we’ll call it MS Android.
“From my perspective, Cyanogen partnering with Microsoft on Android doesn’t open the platform, it closes it up tight. This is especially true considering we’re not talking about simply adding a few apps, we’re talking about bundling. Microsoft’s history of bundling is not littered with praise for being “open”. Instead, what this looks like to me is an attempt at Cyanogen turning its back on Google to say “We’ll show you!””
Microsoft’s spinners Peter Bright and Andrew Orlowski both feel unhappy that Microsoft tries bringing Android software to Windows [1, 2]. They view this as surrender or suicide, as if Microsoft has any chance against Android/Linux and GNU/Linux, except by destroying/undermining them.
“Microsoft closes sole Helsinki outlet,” says a Microsoft-friendly paper after Microsoft killed Nokia. “Software giant Microsoft,” it explains, “has shut the doors of its only retail outlet in Helsinki, saying that it will focus sales of its consumer devices online and in other retailers’ outlets. Located in prime commercial real estate in the heart of downtown Helsinki, the store operated under the Microsoft banner for less than one year.”
Yes, just under a year. It means that Microsoft layoffs carry on. We’re entering a post-Microsoft era, one that is dominated not just by an alternative brand but also a software distribution alternative. Free software is getting its way. Microsoft actively attacks Free software. Microsoft cannot coexist with freedom, as history serves to show. █
“I do hope that the suit can help demonstrate that Microsoft’s claims of succeeding through innovation are a complete fraud. Their only innovation has been in inventing predatory business practices. Other than that, they have been perhaps the greatest borrowers in the history of the software industry.”
–Sybase Chairman Mitchell Kertzman
Send this to a friend
“Our products just aren’t engineered for security.”
–Brian Valentine, Microsoft executive
Summary: How the corporate media, especially that which is connected to Microsoft, fallaciously frames Windows issues as universal issues and lays blame on GNU/Linux where Windows is affected
Our previous post, which talks about OOXML being insecure [via], was a reminder that Microsoft is inherently insecure, usually by design (for surveillance/espionage purposes, among other reasons). Today we would like to show some gross media bias which deliberately fails to highlight Microsoft’s uniqueness when it comes to poor security.
First of all, the Microsoft-occupied BBC is a disgrace. The BBC got very badly stuffed/filled (at management level) with Microsoft UK staff. It happened several years ago. Examples were covered here before. In an article titled “Self-destructing virus kills off PCs” they completely fail to mention that it’s just Windows. Microsoft and Windows are mentioned only in context that promotes them, but not otherwise. “Restoring a PC with its MBR deleted involves reinstalling Windows,” says one paragraph in the middle, “which could mean important data is lost.” Would the article bear the same headline if the virus targeted Android? It’s just so vague. “PC” just means “Windows” now. The BBC seems to serve as a Microsoft advertising platform, there is no pretence of objectivity at all. If the BBC’s language was reversed, it would announce “new version of PC” and “Windows malware destruction of Microsoft Windows” (to amend the aforementioned headline). The BBC has a newspeak name for Microsoft Windows when there’s bad news: “PC”. But it’s called “Windows” (or Vista 10/Windows 10) when there’s good news. How convenient.
Zack Whittaker from Microsoft (formerly working for Microsoft UK) writes about the latest Lenovo back door, neglecting to say that it affects only those who use Microsoft Windows (like previous Lenovo back doors). How convenient an omission.
Last but not least, take a look at this rebuttal to articles from IDG and the highly biased Dan Goodin (among few others whom we cited here the other day). Anti-Linux circles framed general-purpose threat to computers as a “Linux” thing. What a bogus claim that was! “Stealthy Linux GPU malware can also hide in Windows PCs, maybe Macs,” says the latest headline. The author says quite correctly: “Most news stories last week about Jellyfish focused on the Linux aspect, leading some to believe that Windows or Mac PCs can’t be affected by such threats. It now seems that Team Jellyfish is bent on disproving that.”
So once again GNU/Linux is receiving bad press (perception of insecurity) despite it being just a scapegoat in an attack that is hardware-based. We covered very similar examples in recent months.
The media is just so biased against Free software. Bias by omission and scapegoating is a longstanding issue that led to the “call out Windows” campaign. It’s not acceptable that Microsoft receives special treatment. █
Send this to a friend
Summary: The spreading of fear of Free/Open Source software (FOSS) is now a growth industry, so proprietary opportunists are eager to capitalise on it, even if by distorting the truth
EARLIER THIS month some Black Duck publicity stunt fooled some journalists into promotion of Black Duck FUD. We saw that persisting until April 20th (one week ago), even in pro-FOSS sites (blogs) that did this days later. IDG made a slideshow out of it. Well, sadly, it cites Black Duck, which tries to sell proprietary software under the guise of Free software promotion.
In reality, Black Duck is not just selling fear of GPL violations — the original 'product' which was 'sold' by this firm. It’s a two-faced firm masquerading as pro-FOSS whilst attacking FOSS. Black Duck and Duck Duck Go both give a bad name to ducks. They pretend to be FOSS or at least openwash themselves (a lie) and they pretend to defend users (also a lie, they merely exploit or monetise users).
In other news, Sonatype reportedly compared FOSS to “Public Health Hazard”. To quote one report: “That’s the assessment of Joshua Corman, CTO at Sonatype, who took to the stage at RSA 2015 to characterize insecure software as a kind of “cyber-asbestos,” widely deployed, inherently dangerous, and eventually carrying an astronomical cost in terms of human suffering and cost to clean up because …we just didn’t know how dangerous it was at the time when we embraced it.”
So Sonatype is again on an anti-Free software binge. It is not the first time (see examples in [1, 2, 3, 4]) and it is easy to see why it is doing this. It’s trying to sell its products, which are nothing to do with Free software. Sonatype’s track record of FOSS FUD is expanding and may one day rival the Microsoft-connected Symantec, which continues its FUD campaign against Android, generating misleading headlines such as “One in Five Android Apps Is Malware” in this case. When people install software from Google Play, then there is virtually no risk, but don’t expect Symantec to properly analyse this. Symantec sells insecurity. To quote the misleading article: “According to Symantec’s latest Internet Security Threat Report, “17 percent of all Android apps (nearly one million total) were actually malware in disguise.” In 2013, Symantec uncovered roughly 700,000 virus-laden apps.”
But where are they found? Are any accessible to most Android users? No, so Symantec is defining it wrongly and framing the issue by saying that many applications’ “primary purpose is to bombard you with ads.” That’s not malware, but they made up a new word.
Google has already responded mostly by removing apps with too many ads (that’s not malware) and saying that Android “antivirus” is snake oil, as Google said before (responding to the likes of Symantec several years ago).
Android now has an industry of snake oil around it because there is a lot of market share there. The same can be said about FOSS, which is why Black Duck and Sonatype are busy badmouthing security aspects of it. They’re all just looking for a quick buck; FUD and reputation damage to FOSS are “collateral damage”. █
Send this to a friend
Microsoft gets a free pass for insecurity
“I don’t want a back door. I want a front door.” — Director of the National Security Agency (NSA), only days ago
Summary: All versions of Microsoft Windows are found to have been insecure since 1997, but the bug responsible for this is not named as candidate for back door access, let alone named (with logo and marketing) like far less severe bugs in Free/libre software such as OpenSSL
WHILE many journalists still refuse to call out Windows (see this new piece from Dan Goodin, who writes about crackers hoarding Windows hosts by the millions — in botnets — while mentioning the word “Windows” only once, very deep inside the article), some have no choice by to acknowledge that not every single computer runs Windows and therefore we should call out Windows when it’s clearly to blame.
“This wouldn’t be the first time it happens; recall how Google had to alert Microsoft for 3 months about a serious flaw while Microsoft did absolutely nothing (as if the intention was to keep Windows insecure, albeit secretly, very much like Apple).”Although there is no “branding” yet (as Microsoft buddies from a a Microsoft-linked firm like to do to Free/libre software bugs), there is a very serious bug in all versions of Windows (even the one still in development) that Microsoft’s allies at the NSA must be very happy about, especially as the bug is 18 years old (meaning that Windows has allowed remote access since 1997, or around the time Microsoft was seeking to appease the US government after it had shamelessly broken many laws).
The bug was found not by Microsoft but by this team (press release), which probably has no access to Windows source code. This wouldn’t be the first time it happens; recall how Google had to alert Microsoft for 3 months about a serious flaw while Microsoft did absolutely nothing (as if the intention was to keep Windows insecure, albeit secretly, very much like Apple).
ISPs should now restrict or ban Windows use, as it poses a huge risk (botnets and DDOS, never mind risk to all data stored on machines running Windows). Here is some early coverage of this [1, 2], some correctly emphasising that it’s a 18-year-old vulnerability [1, 2].
Let’s see if this starts a big debate about the insecurity of proprietary software (as other bugs with “branding” did to Free software, by means of gross generalisation). This “New Security Flaw Spans All Versions Of Windows” (similar wording in this headline). 18 years, eh? It even predates 9/11. It’s older than some readers of this Web site.
Watch this disgraceful piece titled “Will Microsoft’s Security Measures in Windows 10 Tarnish Open-Source Development?”
Yes, it’s more propaganda; The disingenuous openwashing of Windows continues, as we’ll show in our next post. █
“Our products just aren’t engineered for security.”
–Brian Valentine, Microsoft executive
Send this to a friend
Image courtesy of Red Hat
Summary: Old news is ‘new’ again, as Microsoft-friendly media decides to keep knocking hard on the reputation of Free software, using words rather than substance
A YEAR ago there was a curious (first of its kind for Free/Open Source software) “branding” of a 2-year-old FOSS bug by a Microsoft-linked firm that did not even find the bug. An engineer from Google had found it and sought to responsibly disclose it so as to patch it properly before the Microsoft-linked opportunists blew off the lid and called it “Heartbleed”, set up a Web site to ‘celebrate’ the bug, and even made a professionally-prepared logo for it. This whole “Heartbleed” nonsense — however serious it may have been for a day — was blown out of all proportions in the media and tarnished the name of Free software because it was so ‘successfully’ marketed, even to non-technical people. It was a branding ‘success’ which many firms would later attempt to emulate, though never with the same degree of ‘success’ (where success means bamboozling the public, especially non-technical decision-making people).
“Microsoft must be laughing quite hard seeing all that media manipulation.”“Dear journalists,” I said earlier today in social media (Diapora), “bugs don’t have birthdays. Stop finding excuses to bring “Heartbleed” BS (MS name for old bug) to headlines.” I spoke to one author about it and challenged him for floating these “Heartbleed” logos and brands yet again. To us it seems quite evident that Microsoft keeps attacking Free software and GNU/Linux like no time before; it’s just more subtle and hidden in more sophisticated ways. The person who heads the incognito firm that’s known only for the “Heartbleed” brand (they control the brand) came from Microsoft (he was head of security there) and also from the FBI, whose stance on encryption is widely known by now; they actively seek to break security of software, so knowing about the 2-year-old OpenSSL bug would make sense. Some reputable media reports said that the NSA had known about this bug for about a year before it was known to the public and the NSA cooperates with the FBI on breaking software security, sharing personal (illegally intercepted) data, etc.
Anyway, the same publication (as above) also floated the “Heartbleed” nonsense in another article today. Would they do just about anything to keep it in headlines? Even a year later? They are now citing some firm called Venafi (never heard of it before), which basically relies on misleading misuse of statistics. It’s FUD from a company that tries to make money from perceived dangers and accentuates these dangers in an effort to acquire clients. What kind of ‘journalism’ is this? incidentally, Black Duck is now joining the list of such parasitic companies, with new hires and multiple press releases, so clearly it’s a growth area and the Microsoft link is easy to see. It is FUD season again this spring as more publications now float this whole nonsense. This is hardly journalism, it’s just throwback.
Thankfully enough, Red Hat demonstrates what “branding” of FOSS bugs practically means, even using the image above. There is no correlation between the naming of bugs and their severity, but press coverage sure loves a good brand. This is an important (albeit belated) response from Red Hat to “branding” of a FOSS bug by Microsoft-linked firms like the one behind “Heartbleed”.
“It’s been almost a year since the OpenSSL Heartbleed vulnerability,” says Red Hat, “a flaw which started a trend of the branded vulnerability, changing the way security vulnerabilities affecting open-source software are being reported and perceived. Vulnerabilities are found and fixed all the time, and just because a vulnerability gets a name and a fancy logo doesn’t mean it is of real risk to users.”
Well, Microsoft folks sure squeezed everything they could from this bug, seeking to discredit not just OpenSSL but the whole development process of Free software (due to just one small bug, or a few lines of code). And Microsoft still pretends that it is warming up to Open Source? Who are these frauds kidding?
There’s a lot of companies which continue to use platforms with back doors, such as Windows, but the Wintel-oriented media would rather we just obsess over this one bug from one year ago (which was patched as soon as it became publicly-known).
We are rather disappointed to see a decent journalist like Sean Michael Kerner, along with colleagues at eWEEK, swallowing the bait and serving to promote the misleading claims to advertise this company that controls the “Heartbleed” brand, among other opportunists (like fish swimming around a shark for some leftovers). Microsoft must be laughing quite hard seeing all that media manipulation. █
Send this to a friend
Summary: Black Duck ups the ante on Free software-hostile messages, embeds FUD in the media almost instantaneously
THERE IS an attack on Free software going on, but it’s shrewdly disguised as ‘concern’ for Free software. We are led to believe that not proprietary software with back doors is the problem but Free software that may have bugs, especially bugs that users don’t bother to patch despite having the ability (or freedom) to do so. It’s free.
The other day we wrote about Black Duck entering the security FUD market, targeting Free software, as one ought to expect (it had already done the compliance FUD, neglecting to mention EULA-related issues in proprietary software). To repeat some facts for the uninitiated, Black Duck was started as an anti-GPL company, by its very own admission. Very shortly after hiring a parasite, whose company exploits security fears, Black Duck’s scope of FUD expands further and there’s an effort in the media to advertise this.
“Taft, who often promotes Microsoft PR, doesn’t mind covering something that seemingly relates to Free software if it makes Free software look bad.”Darryl K. Taft, a booster of Microsoft, already helps this anti-GPL company (Black Duck) by doing this Microsoft-esque advertising at this very moment. Taft, who often promotes Microsoft PR, doesn’t mind covering something that seemingly relates to Free software if it makes Free software look bad. No wonder Black Duck came from Microsoft. Other Microsoft boosting sites like TechFlash promoted this nonsense and spread it to media with broader reach. Watch how they wrongly describe Black Duck: “Burlington-based open-source software firm Black Duck software is making big bets on helping to make open-source software more secure for companies”
Black Duck is most definitely not “open-source software firm”, it is an anti-Open Source software firm whose products are proprietary, with software patents that relate to them. This is the kind of openwashing that has become so common when it comes to proxies of Microsoft (Microsoft works together with Black Duck, it’s not just that Black Duck came from Microsoft).
Black Duck, as we noted the other day, had hired a key person from Veracode, whose output is mostly FUD even today. Right now it promotes itself in CBS and other networks by saying some nonsense about a nonsense buzzword (“Internet of Things”) that means nothing in particular. To quote the CBS tabloid: “In a new report released by enterprise security firm Veracode, researchers discovered during testing of common, household IoT devices that security is not up to scratch — paving the way for exploits, data theft, robbery and potentially even stalking.”
That is just some embedded marketing for a FUD firm, one whose co-founder is now inside Black Duck.
Truth be told, Black Duck is trying to diversify or re-brand itself ‘pro-security’ as it did ‘pro-compliance’, but actually, what it really is about should be FUD. It uses fear, spreads existing fear to sell, creates more fear to sell, and overall it makes Free software look bad.
IDG is another large network that helped Black Duck advertise itself the other day. The headline is misleading because it says “Black Duck’s mission: To seek out insecure open source code in the enterprise”.
No, Black Duck’s mission is to sell its proprietary software by telling the press, enterprises etc. that Free software is not secure and needs some ‘medicine’ (Black Duck’s proprietary snake oil).
Here are the press releases from Black Duck [1, 2]. Clearly enough there is a media manipulation campaign going on and some journalists — other than Microsoft boosters disguised as ‘journalists’ — have already fallen for it. █
Send this to a friend
Summary: Two sources of fear uncertainty and doubt (FUD) against Free/Open Source software (FOSS) find themselves fused together
THE firm known as Black Duck recently admitted its roots in GPL FUD, not just in Microsoft (the founder's employer for many years). Black Duck recently took advantage of perceptions of FOSS security issues (using bugs with “branding”) to market its proprietary software products. A press release now informs us that VeraCode’s co-founder is joining Black Duck. We wrote about Veracode at Techrights several times before. Black Duck and Veracode have much in common, with examples such as security FUD that has “branding” to act as a stigma against Free software, as we recently (earlier this year) saw (both Black Duck and Veracode have been doing this in recent months). We are sure they’ll have a lot of experiences to share and many strategies to sell based on fear, or even create this fear by appearing in the media with famous brands such as “GHOST”, “Shellshock”, and “Heartbleed”. █
Send this to a friend
Summary: Black Duck “was founded [on] the idea … to keep GPL-licensed code out of corporate codebases entirely,” according to a new report
TECHRIGHTS has spent nearly a decade battling Black Duck. This schizophrenic-looking firm (trying to come across as pro-FOSS), Black Duck, is the very prominent (and well-funded) entity which has been a source of endless GPL FUD, claiming that the GPL is declining, that it is dangerous, and that it oughtn’t be embraced by businesses.
This new article from Jon Gold of the FOSS-hostile NetworkWorld happens to provide us with wonderful evidence of the roots and the original goals/raison d’être of “Black Duck” (black agent would be a more suitable name). The article is titled “Open-source’s former ‘police’ now helping businesses adopt” (the latter is pure marketing and acceptance of Black Duck’s claims at face value).
Black Duck, founded by a marketing guy from Microsoft (see the image above for highlights from LinkedIn), is mostly a marketing company. It was never ‘police’ and it was never an authority; it was a parasite pretending to be about FOSS while harvesting software patents, badmouthing Free software, and even ripping off companies like Palamida, which had done work — very time-consuming work — collecting usage figures regarding GPLv3.
Gold’s article is useful to us because of the very revealing part which says: “Executive Vice President and CTO Bill Ledingham said that when the company was founded the idea was to keep GPL-licensed code out of corporate codebases entirely.”
So Black Duck, which was founded by a guy from Microsoft, was acting more like a mole, nothing else. It was fighting copyleft adoption. No need for speculations or hypotheses anymore.
In a similar vein, Microsoft’s support for Cyanogen (do not be misled by retractions after getting caught) serves to show another mole-like strategy. This new article by Miguel Helft (to appear next month in Forbes magazine) reminds us of the real goal of Cyanogen. To quote the headline: “Meet Cyanogen, The Startup That Wants To Steal Android From Google”
This sounds exactly like what Microsoft itself has been trying to do to Android (often via or with help from proxies like Facebook, Nokia, or Amazon). Do not think for a moment that Microsoft never tried to derail and topple Free software from the inside. There is a long history to that effect and we covered many examples over the years. █
Send this to a friend
« Previous Page — « Previous entries « Previous Page · Next Page » Next entries » — Next Page »