
04.18.14

Some Perspective on Heartbleed®

Posted in GNU/Linux, Microsoft, Security at 8:12 am by Dr. Roy Schestowitz

Looking through the tube

Summary: Our views on the whole Heartbleed® bonanza, which seems like partly a PR stunt (for multiple stakeholders)

A LOT has been said about Heartbleed® since the firm of Microsoft's 'former' security chief (who had worked with the FBI, the NSA’s more evil twin) irresponsibly 'leaked' the flaw, and did so at the very same moment that Windows XP users rushed to GNU/Linux for security reasons. I know of such users (even corporations I deal with) and I saw their reaction to this unforeseen ‘leak’. Funny timing.

In this post we outline some key facts (carefully and patiently studied over the past 10 days). As my doctoral degree is not far from cryptography and I have consulted people who do security for a living, I can assure readers that we do grasp the technical details, unlike many so-called ‘journalists’ with degrees in English or history. We are not going to delve into less plausible theories like a connection between the flaw and the NSA, although there are circumstantial connections: an NSA program specifically designated for this (NSA operation ORCHESTRA), and the fact, covered earlier this year, that Red Hat relays non-SELinux code directly from the NSA to Torvalds (meaning that only a developer in the middle knows where the code originally came from). In this particular post we are going to focus on other important points that ought to be made now that Heartbleed® is mostly out of the headlines and little new information will come out during Easter. This post is based on an assessment of about 100 reports and subsequent research lasting many hours.

A little and slightly old tidbit shared with us by iophk (a network security professional) said that even the NSA and its circles are negatively affected by Heartbleed®. This article states: “‘I am waiting for a patch,’ said Jeff Moss, a security adviser to the U.S. Department of Homeland Security and founder of the Def Con hacking conference.”

There are reasons to believe that the NSA was not aware of this flaw or had not exploited it. For instance, the government’s demands from Lavabit may suggest that OpenSSL back doors were not known at that time (2013). Also, reading all about the personal background of the man behind the bug, it’s nearly impossible to find any connection to the NSA and its ilk. The guy is German, but another German Danish developer (Poul-Henning Kamp, a FreeBSD and Varnish developer) spoke only some months ago about a US program of introducing bugs into FOSS (see “NSA operation ORCHESTRA” above).

iophk responds to the article about firewall woes by asking: “Why the hell is he not running one based on Linux or BSD? Something’s not right. Proprietary “solutions” have no place in infrastructure for just these kinds of reasons.”

Well, with Windows, for example, the NSA perhaps assumes a monopoly on back doors. It’s a form of total control.

The BSD community, which is also behind OpenSSH, has begun doing some commendable things [1,2] short of throwing away OpenSSL [3]. There is a new release of GnuTLS [4], for example, but we cannot be 100% certain that GnuTLS is immune to “bug doors”, as Julian Assange recently called them. “GnuTLS was immune to the OpenSSL bug,” writes iophk, “but in regards to the latter was ‘responsible disclosure’ followed? I got the feeling that it wasn’t and that the web site was set up and publicized before even the OpenSSL team was informed. Where can I find a detailed timeline of events?”

Well, a deceiving timeline was later published by the Australian press. Security gurus have widely chastised this form of ‘responsible’ disclosure of Heartbleed®; even the project site of OpenSSL hadn’t been patched before the disclosure. The same goes for the FBI, which again helps validate claims that the government was not fully aware of the issue.

OpenSSL had limited resources, as some articles have noted [5-7]. Regardless, it’s now claimed that the NSA knew about the bug for 2 years, and we should always remember that Microsoft’s Howard Schmidt was connected to the FBI before his firm published Heartbleed® for fame, fun, and profit. It’s not just Microsoft that makes his motives a tad suspicious. The whole Heartbleed® thing “has a very media friendly name and a cute logo,” as a British FOSS professional put it. It’s like a branding exercise. Also see this post titled “What Heartbleed Can Teach The OSS Community About Marketing”. “Ties in a bit with what you’ve posted,” iophk told me after I had noted the marketing angle.

As a recap, Heartbleed® was pretty much branded and released like a product by a firm headed by a Microsoft (and FBI) veteran. This firm also works with Microsoft, so the disclosure on Windows XP’s EOL date is too hard to ignore. If this was already known to the NSA for years, then one may wonder if the disclosure came through whispers rather than research. Glyn Moody was told by Wikileaks (a Twitter account seemingly run only by Julian Assange) that “Assange spoke about vulnerability of OS’s to bribes and bugdoors in upstream components.”

Howard Schmidt (chairman of the board of the company that marketed Heartbleed®) worked with the FBI and another NSA partner/PRISM pioneer (Microsoft). If the NSA knew about the bug, then one wonders what role Schmidt may have played. The last thing that the NSA wants is people (especially outside the US) adopting Free software and GNU/Linux, because Microsoft is where back doors are; by design, not by accident. Heartbleed® was reportedly known to the NSA for years (every article that claims this cites Bloomberg, which is notable corporate press and usually a bit dubious when it comes to agenda). If true, this was the type of bug that Edward Snowden’s leaks had alluded to (bug doors, not back doors). Schmidt et al. might be trying to exploit it for FUD and profit, by opportunistically divulging it as soon as mass migration to GNU/Linux in enterprises and homes begins. A decade ago it seemed like a back door had been put inside Linux by the NSA, but the developers caught the intrusion and removed it. There were numerous reports last year saying that the NSA had approached Torvalds, asking him for back doors in Linux, so what Seggelmann did in OpenSSL should not be treated too lightly. The timing of the commit is a little suspicious [8] (people away from home celebrating New Year), and the reputation of OpenSSL is now thoroughly destroyed, which will help its competitors (including proprietary ones) [9]. There is now a lot of FUD out there about FOSS (the only piece we’re willing to cite is [10] because it’s not too malicious), sometimes coming from the mouths of Microsoft boosters or challenging Torvalds’ famous “law” [11,12]. I even get taunted over this on Twitter. The old FUD is back, never mind Coverity’s latest report, which again contradicts such FUD.

Mind the article “Heartbleed security flaw may not be as dangerous as thought” [13], which sheds some light on who is and who is not able to exploit Heartbleed® given the resource limitations (the thing about the crackers of the NSA and GCHQ is that they have supercomputers to have a crack at it, and the same is probably true of the FBI, which is in many ways worse and more aggressive than the NSA; the FBI infiltrates Windows with CIPAV). If the widely-cited reports are true and the NSA knew about Heartbleed® (and used it for two years) [14-17], then it’s a massive revelation (the NSA denies this, but denials from the NSA are worthless given its track record when it comes to truth-telling).

Perhaps the most disturbing thing about the story is that the NSA may have discovered Heartbleed® years ago (if not made it, which sounds unlikely [18]) and that the firm of Microsoft’s ‘former’ security chief is making a profit from this [19] (the Heartbleed® bounty is partly paid by Microsoft and by the partly Microsoft-owned Facebook). A bunch of opportunists got paid for irresponsible disclosure that damaged the Internet [20,21] and harmed many people’s privacy (potentially leading to some people’s deaths).

The GNU/Linux brand is profoundly damaged by this (many GNU/Linux sites mentioned it [22-24]) even though the bug also affects Windows and Apple operating systems. To us it will always seem like a marketing campaign coordinated to take place on a strategic date (Windows XP EOL).

Has Microsoft’s Howard Schmidt decided to ‘leak’ it to distract from XP EOL (which means insecurity by policy)? Perhaps. Schmidt had worked with the FBI, so he could have some inside knowledge. He might have former colleagues who could tell him about this (even leak it to him) before he would hype it up, give it a scary name, make a dot com web site, a logo, et cetera, essentially ‘merchandising’ the FUD.

Related/contextual items from the news:

  1. OpenBSD Team Cleaning Up OpenSSL
  2. OpenBSD has started a massive strip-down and cleanup of OpenSSL
  3. Please Put OpenSSL Out of Its Misery
  4. GNUtls: GnuTLS 3.3.0
  5. How to stop the next Heartbleed bug: pay open-source coders to protect us
  6. Will Open-Source Money Prevent the Next Heartbleed?
  7. 3 big lessons to learn from Heartbleed

    The devastating OpenSSL vulnerability proves the importance of data center orchestration, the wisdom of running older versions, and the need to give back to the OpenSSL project

  8. Heartbleed: developer who introduced the error regrets ‘oversight’

    Submitted just seconds before new year in 2012, the bug ‘slipped through’ – but discovery ‘validates’ open source

  9. After Heartbleed: 4 OpenSSL alternatives that work
  10. Heartbleed: Open source’s worst hour
  11. Does the Heartbleed bug refute Linus’s Law?

    The mistake being made here is a classic example of Frederic Bastiat’s “things seen versus things unseen”. Critics of Linus’s Law overweight the bug they can see and underweight the high probability that equivalently positioned closed-source security flaws they can’t see are actually far worse, just so far undiscovered.

  12. Heartbleed: Is Linus Torvald’s law invalid?

    How much data was compromised? How many billions lost? None that we know of. How much does the world lose every year because of Microsoft’s proprietary technologies? Billions of dollars are lost; nations’ securities are compromised and people’s lives are exposed to risks.

    A majority of NSA attacks wouldn’t be possible without bugs in Microsoft products, which the company reportedly shares with the agency so that they can be exploited to hack into computers that the NSA can spy on. Microsoft bugs allowed the USA to take down the nuclear programs of countries like Iran; Microsoft bugs enabled the NSA to spy on the French president. Microsoft bugs allowed ‘alleged’ Chinese crackers to run massive-scale espionage against human rights activists in the US. In addition there are unaccounted thousands of cases every year where people and businesses lose millions due to security holes in Microsoft products.

  13. Heartbleed security flaw may not be as dangerous as thought

    But today, the content distribution network CloudFlare has announced Heartbleed may not allow access to those private keys after all. In two weeks of testing, the company has been unable to successfully access private keys with Heartbleed, suggesting the attack may not be possible at all. “If it is possible, it is at a minimum very hard,” researcher Nick Sullivan writes. “And we have reason to believe… that it may in fact be impossible.” If true, it makes Heartbleed much less dangerous than many had feared, offering a saving grace for compromised sites. Sullivan acknowledged that, in security tests, some private keys had been revealed by first requests to Apache servers, but he linked this to the process of restarting the server, which would severely limit the exposure to outside actors. Methods have also surfaced to help services tell if attackers have hit their servers using the bug. “Heartbleed still is extremely dangerous,” says CEO Matthew Prince, “but some of the worst fears about it having been used by organizations like the NSA to hoover up everyone’s private SSL keys look pretty unlikely to us based on this testing.”

  14. NSA has been exploiting Heartbleed for two years, leaving Americans exposed to cyber criminals: report [updated]

    As people were wondering about the NSA’s role in Heartbleed, it turned out that the agency was reportedly aware of the bug, as Bloomberg reports, for the last two years and has been exploiting it to spy on people. If the reports are true and the NSA was aware of the bug and, instead of getting it fixed, let extremely critical info of US citizens be exposed to cyber criminals, then the NSA does need more oversight from the government.

    Heartbleed was not some minor bug; it affected almost every major web service including Gmail, Amazon, Yahoo! and many more – holding the potential of exposing sensitive data to criminals. However, as soon as the bug was discovered the Open Source community immediately responded, patched the bug and started pushing the updates.

    While Americans and people from around the globe were exposed to cybercriminals, the NSA was supposedly busy harvesting passwords and other critical data to add to its already massive database.

    Bloomberg quotes Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer, “It flies in the face of the agency’s comments that defense comes first. They are going to be completely shredded by the computer security community for this.”

  15. NSA Said to Exploit Heartbleed Bug for Intelligence for Years
  16. Bloomberg: NSA Knew About, Exploited Open Source Heartbleed Bug for Years
  17. The NSA has exploited Heartbleed bug for years, Bloomberg reports
  18. Heartbleed coder admits ‘oversight’ but backs open source

    Seggelmann submitted the code at 11:59pm on New Year’s Eve 2011, but claims the timing had nothing to do with the mistake. Although the bug was also missed by the review process for OpenSSL, an open source project written and reviewed by volunteers, Seggelmann told British newspaper The Guardian that the bug’s eventual discovery shows the value of publicly available open source code.

  19. Why a hacker got paid for finding the Heartbleed bug

    Microsoft and Facebook have also provided financial backing to Internet Bug Bounty, out of which Mehta’s prize money came, after running their own internal bug bounties that were very successful. Their money is benefiting the internet as a whole, but they don’t decide what money goes where.

  20. The Internet’s Telltale Heartbleed
  21. Heartbleed developer explains OpenSSL mistake that put Web at risk
  22. SteamOS Affected by Heartbleed Bug, Valve Hasn’t Updated the OS Yet
  23. Linux Foundation Responds to the Heartbleed Bug

    It’s nearly impossible to know for sure, due to the nature of the vulnerability, how much the Heartbleed vulnerability was used to snoop on secure data. We recommend for our sites the same as for other sites: first, watch for a statement to come out from your financial institutions, email providers, and others, which shares whether they were affected. Start changing your passwords. Use different passwords on different sites and store them in a password safe like KeePass, LastPass or 1Password. That way, if any sites that remain vulnerable leak your password, it won’t affect any other sites. Check back on sites that post statements after you changed the password, and then change the passwords again if needed.

  24. Working Out “Serious Security Flaws” In DRM Drivers

    While many are still busy working through fallout of the OpenSSL Heartbleed bug within organizations, on a separate but security related note, kernel developers specializing in the Direct Rendering Manager (DRM) graphics drivers are working to beef up their own driver security.

04.15.14

Public Institutions Must Dump PRISM-Associated Software

Posted in GNU/Linux, Microsoft at 9:56 am by Dr. Roy Schestowitz

Kick the NSA

Image by Will Hill

Summary: Another reminder that taxpayer-subsidised services should refuse, as a matter of principle, to pay anything for — let alone deploy — proprietary software with back doors

A FEW days ago we spoke about those who choose PRISM at taxpayers' expense, essentially choosing spyware at the expense of taxpayers who will suffer from it. Glyn Moody has published a good article about how it’s done to the British public [1], where the government pays Microsoft a lot of money because Microsoft’s own software is very insecure. This is a problem not just here in the UK.

Mr. Pogson links to IDG reports that say US “Tax collector has 58,000 PCs still running the aged XP; will spend $30M to upgrade to Windows 7” (not even immediately). There is more about this in the British press [2] and it turns out not to be the exception.

What’s worth noting, however, is that the NSA works with Microsoft, a US-based company, so the above behaviour is even more irresponsible when done outside the US. There is an interesting new petition at Avaaz titled “Computers in the post-Snowden era: choose before paying!”

To quote: “When you buy a computer, a telephone, a tablet-pc, etc., you make your choice first, and then you pay. But meanwhile, quite often you first pay the licence of an operating system (Microsoft Windows, MacOS, etc) which you then choose to use or to replace with another one. As a result, the vast majority of us all use the operating system that mainly benefits from this forced sale. Our addiction is so high that even those actors that should be neutral in principle help this situation continue: state, administration, school, city administration, etc. We are thus technologically very dependent, hence vulnerable. Thanks to Edward Snowden, it is now established that intelligence agencies modify hardware (computers, routers, firewalls, etc) and software (Microsoft Windows, probably all Apple operating systems, probably one GNU-Linux distribution, etc) to massively listen to communications and illegally penetrate into computers.”

It is time to publicly chastise government institutions — more so than private businesses which are only accountable to themselves and the law — over use of spyware such as Microsoft Windows.

Related/contextual items from the news:

  1. Windows XP: End of an Era, End of an Error

    This is little more than polite blackmail: if you don’t upgrade, your systems will become infected, you will lose data, and your reputation may well be ruined as a result. The stakes are incredibly high: the Microsoft-sponsored study I wrote about last week puts the global cost of flaws in Microsoft’s software at around $500 billion for 2014 alone.

    And yet despite the astonishing magnitude of the threat, laid out by Microsoft itself again and again, in various ways, people still stick with Windows XP. Really, there is no greater condemnation of Windows XP’s successors than the fact that huge swathes of Microsoft’s user base simply don’t want to upgrade.

    Shockingly, that applies to the UK government, too. Of course, they at least realise that they can’t simply carry on using Windows XP without at least nominal protection, but the price they pay for their stubborn refusal to move off XP is high…

  2. US taxman blows Win XP deadline, must now spend millions on custom support

    The April 15 deadline for Americans to pay their federal income taxes is fast approaching, but the US Internal Revenue Service has already missed an important deadline of its own – namely, Microsoft’s end-of-support date for Windows XP.

  3. Windows XP Alive & Well in ICS/SCADA Networks

    End-of-life for XP support not raising many red flags in critical infrastructure environments, where patching is the exception.

04.11.14

Microsoft: Let’s Talk About Heartbleed® (Reported by Our ‘Former’ Security Chief) While the World Migrates From XP to GNU/Linux

Posted in FUD, GNU/Linux, Microsoft, Windows at 8:43 am by Dr. Roy Schestowitz

Looking through the tube

Summary: Government the only likely entity to exploit Heartbleed®, but Microsoft and its peripheral PR apparatus try to scare everyone away from GNU/Linux

A LOT of concerned people, including large businesses, are moving to GNU/Linux for improved security right now (I am aware of some businesses but cannot name them), bearing in mind that Windows XP is no longer secure even in Microsoft’s eyes. Microsoft put back doors in Windows (for governments), so when even Microsoft says something is not secure, that should be all the more alarming.

We are still seeing many articles about migration from Windows XP to GNU/Linux, not just in blogs of GNU/Linux advocates [1,2,3] but also in Microsoft-friendly news sites [4], widely-distributed publications like The Economist [5] (typically GNU/Linux-hostile or just ignoring GNU/Linux), GNU/Linux-oriented sites [6,7], and the Linux Foundation [8]. There are other general news sites [9-12] that cover this (suggesting GNU/Linux as a replacement for XP) and on the other hand there are those in the GNU/Linux world who are apathetic about it [13]. The common theme, however, is rather clear. People are being advised to explore GNU/Linux and jump off the treadmill of Windows ‘upgrades’. Microsoft must be worried. There are many confirmatory indicators of this worry — ones that we covered before.

We recently saw a lot of FUD over GNU/Linux security coming from Microsoft-linked sources, basically inciting/creating unnecessary panic by twisting facts and never mentioning Microsoft’s security issues (some are there by design, like NSA back doors or even FBI entry points).

Someone who worked for the FBI (worse than the NSA by some criteria) and then Microsoft (the back doors partner of the NSA) then revealed Heartbleed®, on the very same date that Windows XP is officially dead. What’s the likelihood that this was a coincidence? Microsoft’s ‘former’ security chief sure helped distract from stuff like the articles about moving to GNU/Linux for security. If it was a stunt, then it sure worked like a charm.

Heartbleed® does not seem like the work of secret agencies [14], but it sure helps them a lot [15], undermining activism [16] and Free software [17], as well as security in Apple and Microsoft products (they use OpenSSL too and they still have no patches, unlike GNU/Linux distributions). Pay attention to how Microsoft boosters like Miguel de Icaza twist this to look like a problem only for GNU/Linux. Microsoft propagandist and partner Tony Bradley (he works with Microsoft) plants some FOSS-hostile articles to that effect [18] as well. Microsoft must be having a field day with its PR/propaganda agents. As we expected, Microsoft partners now spread articles full of FUD — stuff which was published in a timely fashion by a Microsoft-linked firm, exactly upon Windows XP EOL. Watch some timely new revisionism (PR) from Microsoft Peter, using false claims (changing history) to push people to ‘upgrade’ from XP to Vista 8. This is not journalism; it’s advertising from a Microsoft booster who infiltrated a news site. Many sites are still affected by Heartbleed®, but reports from Microsoft-friendly journalists (who were behind some of the previous security smears against GNU/Linux) exaggerate the numbers. At my job, for example, no Web site was found to be affected by Heartbleed® (one can check this online [19]). The main source of danger right now is government spies [20,21] (or government crackers). Those who understand the technical details [20] even guess that government actors may have played a role in putting the bug there [22]. The FSF responded by highlighting the fact that proprietary systems have back doors by design [23] (the FSF says “Microsoft are even sharing bugs with others like the NSA without fixing them”) and other GNU/Linux-oriented sites did cover the incident, but not with an excessive sense of panic [24-29], unlike Gates-funded papers [30].

To summarise, what we are dealing with here is an incident where the firm of Microsoft’s ‘former’ security chief shares bugs with the whole world irresponsibly (many sites had not been secured by the time his firm decided to release details, exactly when XP hit EOL). And having checked customers’ systems overnight, I found that nothing was affected by this OpenSSL bug. Irresponsible reporting from Microsoft-friendly journalists (with history) claims — falsely — that 2/3 of the Web is affected. Talk about appalling FUD. Wow!

One sure thing is, Chromebook sales are not going to be stopped by it, not even by Microsoft's attack ads (hypocritical FUD is now central to Microsoft’s official strategy and there is no hiding it).

Related/contextual items from the news:

  1. Good News And Bad News Depending On Whether Or Not You Enslave People To Wintel
  2. OEMs Aren’t Going To Replace XP With GNU/Linux. Real People Have To Do That
  3. What To Do With XP PCs

    If you think you can’t do without XP, think again. I have not touched an XP machine or any other OS from M$ for years now because all my PCs run GNU/Linux. If you think you can’t do without some application that only runs on XP or any other OS from M$, think again. Many millions of users of GNU/Linux don’t have those problems that M$ causes: malware, spyware, re-re-reboots, and lock-in.

  4. Windows XP’s Demise Will Help Linux Leapfrog Mac OS X 10.9

    Linux is frequently touted as one of the most successful open-source projects ever. Since its release in the 90s, the versatile OS has gradually become more popular with users. With a 1.49% market share, Linux is now rated the third-most popular PC operating system after Windows and Mac OS X operating systems.

  5. End of the road for Windows XP

    But to what? For those determined to stay in the Microsoft camp, forget Windows 8 or 8.1. Not only do they demand too much in the way of hardware, both have been written off as a debacle as bad as the Windows Vista disaster. With their touch-based design, they require users to do things differently from the way they are familiar with. Microsoft is now hurrying out Windows 9 in a bid to pre-empt a mass migration to Linux or Macintosh.

  6. A Beginners Guide for XP Users to Switch to Linux

    Microsoft has ended its support for Windows XP and most of you might not even care, but for some of you who do care and understand the complications involved in using a discontinued piece of software, you are in for a change. You can either install the already outdated Windows 7, no one’s favourite Windows 8, or you can join the elite group of Linux users by installing one of the many available flavours of Linux.

  7. Windows XP and the Changing Calculus of Technology Choice

    One reason technology choices are so difficult is technology is always a work in progress; your one choice has lasting consequences since the technology rarely ever lives on its own, and most good technology is never done — that is unless you’re Windows XP. As most of us know, Microsoft today is turning off support for Windows XP. That means that roughly 30 percent of all Windows users will cease to get security updates and other ongoing maintenance. Since hackers disproportionately target Windows products, this is a big deal.

  8. Replace the Retiring Windows XP with Linux
  9. Windows XP orphaned: 1/3 of computer users vulnerable

    RMS is the guru of computing freedom, and a great source. He started the “hack” movement as an outsider inside MIT during the Vietnam protesting era, and founded both the GNU software movement and the Free S/W Foundation. He seems (to me) to be highly-influenced by socialist ideals.

  10. Forget About Windows XP, Transform Your Linux Mint in Windows 7

    In this case, Linux Mint 16 is the perfect candidate for a Windows 7 look-alike transformation and the Windows7 Pack (Cinnamon+ GTK3/2) theme works like a charm. You will have to move the files manually in the appropriate folders, but the themes should be easy to activate.

  11. Open Source Alternatives For Windows XP

    To simplify the downloading and installing, collections of these many software components, called “distributions”, are available ready for users to download and start using straight away.

  12. Windows XP Alternatives: Six Linux Distros to Replace Microsoft’s Ageing OS

    On Tuesday, Microsoft finally ended support for one of its most successful operating systems, the 13-year-old Windows XP. Owing to this, there will no longer be any official security updates and bug fixes from the company, meaning those who continue to use the OS will be left vulnerable to security threats.

  13. Why I don’t care about the end of Windows XP

    Frankly, I’ve never liked Windows XP. I found the interface to be an eyesore way back when it was first released and using it never improved the experience. I’m very glad to see that it’s going away finally; its demise has been long overdue. I’m rather surprised that it has hung on this long, given that it was never all that anyway. It’s almost become like some sort of a disease you can’t quite get rid of, it just goes on and on and on.

  14. Heartbleed coder: bug in OpenSSL was an honest mistake

    The Heartbleed bug in OpenSSL wasn’t placed there deliberately, according to the coder responsible for the mistake.

  15. The Real Threat From The Heartbleed Security Flaw Is The NSA

    “The best guess is that the only ones exploiting this bug are spy agencies, if anyone at all.”

  16. Why the Web Needs Perfect Forward Secrecy More Than Ever
  17. LibreOffice 4.2.3 arrives with Heartbleed fix
  18. Is open source to blame for the Heartbleed bug?
  19. Test Sites for Heartbleed OpenSSL Vulnerability
  20. Wild at Heart: Were Intelligence Agencies Using Heartbleed in November 2013?
  21. heartbleed vs malloc.conf
  22. Heartbleed

    At this point, the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies. The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything. My guess is accident, but I have no proof.

  23. Free Software Foundation statement on Heartbleed vulnerability
  24. FOSS Community Hustles to Fix Gaping Heartbleed Flaw
  25. Fedora status on “Heartbleed”
  26. Fedora releases openssl security updates
  27. The Internet Goes Nuts with OpenSSL Bug Today, Linux Systems Were Fixed Yesterday
  28. How to find out if your server is affected from Openssl Heartbleed vulnerability (CVE-2014-0160) and how to fix that
  29. Heartbeat SSL Flaw Puts Linux Distros at Risk
  30. Heartbleed: Hundreds of thousands of servers at risk from catastrophic bug
  31. Google jumps on Windows XP’s demise with Chromebook for business offer

    GOOGLE HAS BEEN QUICK to jump on the demise of Windows XP, and is looking to persuade businesses still running the operating system to buy Google Chromebooks instead.

04.08.14

“Microsoft is Trying to Sabotage Linux” (AARD Returns)

Posted in GNU/Linux, Microsoft, Virtualisation at 11:17 am by Dr. Roy Schestowitz

Breaking the competition rather than competing

Summary: Microsoft’s Hyper-V is reportedly being used to cripple and marginalise — artificially — guests that are running GNU/Linux

MICROSOFT apparently has not gotten enough advantage with UEFI exclusion of GNU/Linux from new PCs. We recently learned that a lot of new computers (without Windows XP) will simply refuse to have GNU/Linux installed and/or running. Even some technical people in JoinDiaspora say that they are unable to install GNU/Linux on such computers (not OS-agnostic machines anymore, as per Microsoft’s manipulative legal requirements).

Adding insult to injury, Microsoft now uses Hyper-V, the proprietary hypervisor which is strictly attached to an NSA honeypot (Microsoft Windows), for something that resembles AARD. iophk called it “AARD again” and it should be treated as a serious antitrust violation.

Citing the original report [1], Susan Linton writes: “The Register is running an article explaining how Microsoft is trying to sabotage Linux.”

The article begins by stating that “Hyper-V was found to treat Linux guests as second-class citizens” and it should not be too shocking given that Hyper-V drivers for Linux were originally a GPL violation (Microsoft was forced to comply). This is one of the things that Microsoft paid Novell to help with (others being .NET, Moonlight/Silverlight, OOXML, patent FUD, and more).

With the death of Windows XP it is possible that the common carrier for desktops/laptops will soon be no more. FUD games like these ones are only to be expected from the thuggish, criminal company.

Related/contextual items from the news:

  1. Hyper-V telling fibs about Linux guest VMs

    If Microsoft’s Hyper-V was found to treat Linux guests as second-class citizens, the resulting storm of controversy would probably generate enough heat and light to make a dent in some climate change models.

Press Advocates Migration From Windows XP to GNU/Linux, But Not Strongly Enough

Posted in GNU/Linux, Microsoft, Windows at 10:47 am by Dr. Roy Schestowitz

Windows aging


Summary: The corporate press mentions the end of Windows XP (no more support) but rarely does it mention GNU/Linux; a migration to Free/libre software is simpler than commonly believed

THE apparent distraction efforts aside, today is the last day for Windows XP as a live operating system. In light of that serious event (relevant to many because Windows XP is still widely used), some articles don’t even mention GNU/Linux at all (see the comments, readers are not easily misled) and some provide only scarce coverage for remedies like Robolinux [1], despite an expensive press release [2,3] which was disseminated in various sites. We found only one article about Robolinux (there may be more, but they are not going ‘on the radar’).

This is rather disappointing. There are orders of magnitude (in terms of numbers) more articles about the Heartbleed® stunt (from Microsoft’s ‘former’ security chief) than about GNU/Linux as the logical route for computers that still run Windows XP. Users of these computers can use Wine or even the improved (but proprietary) versions of software that incorporate Wine. Inside a company they can rely on remotely-accessed application servers running Windows for troublesome applications, with rdesktop/vnc for remote access from a GNU/Linux desktop (that’s what one can do in the worst scenarios), and Steven J. Vaughan-Nichols (SJVN) shows how trivially it’s done (very visual).

What we are hoping to find is that more people follow advice which recommends, or at least mentions, migration to GNU/Linux now that Windows XP is unsupported [4-9] (there ought to be more coverage like this). Putting the derogatory phrase aside, right now there is a big opportunity for GNU/Linux on the desktop [10], and not just because of Chrome OS (which is a GNU/Linux distribution but not a freedom-respecting one). People can now swap a PC running Windows XP with a shiny new Chromebook for just $99 and there are many options when it comes to Chromebooks [11]. Whatever people choose, they need to escape the trap of PRISM (mass surveillance) and proprietary software. BSD too is an option.

Related/contextual items from the news:

  1. Robolinux 7.4.2 Distro Can Keep Windows XP Running Inside Forever Without Viruses or Malware

    Robolinux, a fast and easy to use Linux distribution based on Debian, has just received another major update, raising the version number to 7.4.2.

  2. Solution for 500 Million Windows XP Users Who Do Not Upgrade to 7 or 8
  3. Solution for 500 Million Windows XP Users Who Do Not Upgrade to 7 or 8

    Robolinux, founded in 2011, invented and has released “Revolutionary Stealth VM” so you can run Windows XP or 7 inside all Linux Mint OS Editions or all Ubuntu Versions and Derivatives Virus Free for as long as you want to without the need for Microsoft security updates or anti virus anti malware software.

  4. The end of Windows XP: Is it time to give Linux a try?

    This week, Microsoft ends free support for Windows XP, cutting off the supply of security updates and bug fixes to anyone unwilling to pay the $200 per desktop fee MS is asking for extended support.

    XP machines aren’t just going to explode at midnight on 8th April but with hackers and malware authors already comfortable with the antiquated OS, it won’t be long before some new exploit is discovered that will never be fixed. In short, if you value security then it makes sense to stop using XP.

  5. For HTPC folks, XBMC recommends an upgrade from Windows XP to Linux

    It’s doubtful there are many people out there at this point that don’t already know that support for Windows XP will come to an end tomorrow, April 8th. Despite that, a number of individuals and businesses will continue to run the operating system.

    This doesn’t likely apply to those maintaining an HTPC, as this tends to be a more geek-savvy set, but no doubt a few are out there. For those users, XBMC has passed its judgment, and the verdict is Linux.

  6. Why so much fuss over Windows XP’s expiry?

    Other than Windows, users and companies could look at Linux versions that run many Internet servers and those in companies. GNU/Linux is also at the foundation of Google Inc’s Android mobile OS.

    Linux distributions include Ubuntu, Linux Mint, Elementary, Zorin and Lubuntu. Ubuntu 12.04, for instance, comes pre-installed with the LibreOffice suite—a Microsoft Office equivalent. However, migrating applications from Windows XP to a non-Windows (read Linux) platform is easier said than done. But then, Linux distributions are free.

  7. Microsoft XP users can turn to Linux as alternative

    Microsoft’s decision to stop providing technical support for Windows XP after Tuesday has caused a great deal of confusion and consternation among the millions who still use the trusty old operating system. I’ve opined that there’s no reason to ditch Windows XP, which will continue to work as it always has, and that you can safeguard its security by installing a good antivirus/antimalware program.

    However, there is another solution that is faster and more secure than Windows XP – or any other version of Windows. It’s Linux, the long-suffering stepchild of the PC industry.

  8. Linux to the rescue! Windows XP support discontinued today

    Today, as Microsoft discontinues support for Windows XP, a 12 year old operating system, users all over the world find themselves with only a few options to choose from as they move on. It’s not surprising that Microsoft encourages users to migrate to Windows 8.1, but of course, there are other alternatives. The best one by far is Linux. With over 100 distributions, Linux not only offers flexibility, but also reliability and support.

  9. Death of Window XP Is a Golden Opportunity for Linux

    Microsoft’s Windows XP dies on April 8, and I will not be among those who mourn its loss. The sad part about the death of XP is that those who still run it might not even realize that their operating system is now dead.

  10. Will it ever be the year of the Linux Desktop?

    It used to be a rallying cry, then it turned into speculation and finally it became a joke: That the next year, or the one after that, or very soon at least, would be “the year of the Linux desktop”. Even the meaning of the term has changed a bit, depending on the time and the publication. Maybe it means the year when Linux will be a majority operating system on desktop computers. Maybe it means that Linux accounts for a significantly increased share of the market.

    [...]

    But as I have been using Linux in the past several years, it has increasingly occurred to me: We’re at a point where we have a large number of incredibly polished distributions available. You can run a Linux system for a standard user without barely ever touching the terminal. There’s a wealth of software, both applications and games available, most hardware works without any worry, and the days of manually editing xorg.conf, our old best friend, are pretty much gone.

  11. Samsung Chromebook 2 set to square off against Intel-powered Chrome OS devices

No Need For ‘Disclosure’ of Security Vulnerabilities in Microsoft Software as Microsoft Helps NSA Crack Microsoft Software and Freely Access Data/PCs

Posted in Deception, GNU/Linux, Microsoft, Security at 10:17 am by Dr. Roy Schestowitz

Microsoft software has back doors by design


Summary: A sense of perspective in the debate over security, especially now that Windows XP is left open to crackers (other than the NSA) and Microsoft is known to be ratting on so-called ‘customers’

LAST year it was confirmed that Microsoft had been telling the NSA how to crack its software before this software could even be patched. In other words, Microsoft gave back doors to the NSA. Microsoft gave a bunch of government-sanctioned crackers monopoly or preferential access to the data and computers of Microsoft’s so-called ‘customers’. Microsoft went further than this by providing the NSA with direct access to data of so-called ‘customers’ who put their data on Microsoft servers or used Microsoft networks such as Skype or Hotmail for communication.

Microsoft hardly behaves like a software company. Microsoft is an informant. As one article put it some days ago: “The Snowden documents also revealed that Microsoft allegedly helped the NSA intercept web chats on its new Outlook.com portal.”

That’s just the tip of the iceberg, but it’s stuff such as this which CIOs and CTOs must remember when moving away from Windows and from Microsoft (altogether).

Now that we know there are ‘former’ Microsoft staff behind the new Heartbleed® publicity blitz (maybe the latest of, or an extension of, the security smears against GNU/Linux, which basically accompany the end of Windows XP patches) we should remember what the alternative to GNU/Linux (and BSD) is. The main alternative is the PRISM club — a club which conspires with the NSA against computer users.

Trending on Twitter right now is the hashtag “openssl” and the reason for this is Heartbleed®, which was released strategically on this date by a company managed by Microsoft’s ‘former’ security chief. It is a sure way to distract from GNU/Linux as the solution for security woes (associated with Windows XP). Instead of talking about how and why GNU/Linux is great for people to move to after Windows XP (for security reasons), people now talk about security vulnerabilities in GNU/Linux.

Another company which was founded by a ‘former’ Microsoft manager (Black Duck) is now promoting Fog Computing (surveillance-friendly computing in ‘clouds’) under the guise of “Future of Open Source”. How typical.

What needs to be done right now is activity. We must not be passive in the face of what seems like a smear campaign and publicity stunt, well timed and well managed by allies of Microsoft. We need to remind people that Microsoft is by far the worst thing that can happen to security because Microsoft not only has security holes but it also has security lapses by design. These security lapses were designed to facilitate illegal mass surveillance by entities that pay Microsoft in bribes and favours (as emerged in the press last year). This is not exclusive to the US. We saw stories about this even in Russia. “The discussion is getting really mainstream,” iophk writes about this.

Former Chief Security Officer for Microsoft is the Chairman of the Board of Firm Behind Heartbleed®

Posted in FUD, GNU/Linux, Security at 9:00 am by Dr. Roy Schestowitz

Dagger in the heart of OpenSSL


Summary: A serious conflict of interests that nobody in the media is talking about; Codenomicon is headed by Microsoft’s Howard A. Schmidt

SOMETHING fishy was in the news today (since early this morning), including articles from GNU/Linux-oriented journalists [1] and blogs [2], some of which pointed out that a vulnerability discovered and published irresponsibly by the firm headed by Microsoft’s former Chief Security Officer (we wrote about his actions before) is already “patched by all Linux distros”.

Now, looking at the site set up by his firm, you might not know this. It lists the names of many GNU/Linux distributions along with a nasty picture (the one above). This coordinated release (disclosure) of a vulnerability on the last day of Windows XP security patches (they are through unless one pays Microsoft a lot of money) is rather suspicious to us. It came with a trademark-like name, a dot-com Web site (yes .com), and soon we are guaranteed to see lots of FUD saying that GNU/Linux is not secure. We already know that the vulnerabilities industry is well inside Microsoft’s board and at highest level (look at John Thompson from Symantec; he is now Microsoft’s new chairman).

We don’t need to wait for the Microsoft press or a whisper campaign to use Heartbleed® to tell people (again) that Free software, Linux and GNU are very “bad” and are a danger for the Web (some suspect that this bug is the result of NSA intervention in code development — a subject we’ll tackle another day for sure).

Jacob Appelbaum (of Tor) says that this release was coordinated (with a date and everything) but not responsible at all because even the OpenSSL site, the FBI’s official site (whom Howard Schmidt worked with) and many more remain vulnerable. It should be noted that the flaw has existed for two years, so the timing of this disclosure is interesting. Not too long ago we showed what seemed like Microsoft's role in a campaign to paint GNU/Linux insecure and dangerous because of Windows XP's EOL. It was a baseless campaign of FUD, media manipulation, and distortion of facts, ignoring, as always, the elephant in the room (Windows).

For those who treat it like some innocent development at a random time in the news, remember that Howard A. Schmidt, the Chairman of the Board of Codenomicon, was the Chief Security Officer for Microsoft. He joined Codenomicon a year and a half ago. This is irresponsible disclosure and journalists who ignore the conflict of interests (namely Schmidt being the head after serving Microsoft) are equally irresponsible (for irresponsible journalism). They may unwittingly be playing a role in a “Scroogled”-like campaign.

Just go to Codenomicon’s Web site and find it described in large fonts as “A Member of the Microsoft Security Development Lifecycle (SDL) Pro Network” (in many pages). There are lots of pages like this one about involvement in Microsoft SDL.

So to summarise, what does Microsoft have to do with Heartbleed? We probably need to ask Howard Schmidt. This is a man whose high-paying job required that he beats GNU/Linux at security.

Related/contextual items from the news:

  1. Heartbleed: Serious OpenSSL zero day vulnerability revealed
  2. openssl heartbleed updates for Fedora 19 and 20
  3. Heartbleed, a serious OpenSSL bug; patched by all Linux distros

    A new vulnerability was announced in OpenSSL 1.0.1 that allows an attacker to reveal up to 64kB of memory to a connected client or server (CVE-2014-0160), which may consist of our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication. According to the OpenSSL Security Advisory, Neel Mehta from Google Security discovered this bug.
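As an added illustration of why the figure above is “up to 64kB” (example code written here, not taken from the advisory or from OpenSSL): the TLS heartbeat message carries a 16-bit payload length, so a single message can claim at most 65535 bytes, and the missing step in the affected versions was comparing that claimed length with the size of the record actually received. The function and sample records below are constructed for this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* TLS heartbeat message layout (RFC 6520): 1-byte type, 2-byte big-endian
 * payload length, the payload, then at least 16 bytes of random padding.
 * A 16-bit length field is why one message could expose up to 64kB. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HDR_LEN   3
#define HB_PAD_MIN   16

typedef enum { HB_OK = 0, HB_TOO_SHORT, HB_BAD_TYPE, HB_LENGTH_MISMATCH } hb_status;

/* Verify that the payload length the peer claims fits inside the bytes we
 * really received. This is the bounds check CVE-2014-0160 lacked: without
 * it, a responder copies 'claimed' bytes from wherever the record buffer
 * happens to sit in memory, not just from the record itself. */
hb_status validate_heartbeat(const uint8_t *rec, size_t rec_len, uint16_t *payload_len)
{
    if (rec_len < HB_HDR_LEN + HB_PAD_MIN)
        return HB_TOO_SHORT;                 /* not even header + padding */
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return HB_BAD_TYPE;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    /* size_t arithmetic: 3 + 65535 + 16 cannot wrap here */
    if ((size_t)HB_HDR_LEN + claimed + HB_PAD_MIN > rec_len)
        return HB_LENGTH_MISMATCH;           /* claim exceeds the record */
    if (payload_len)
        *payload_len = claimed;
    return HB_OK;
}

/* Build a response only from a validated request, echoing exactly the
 * payload bytes that are present and generating fresh padding rather than
 * copying anything past the request. Returns bytes written, 0 on rejection. */
size_t build_heartbeat_response(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap)
{
    uint16_t plen;
    if (validate_heartbeat(rec, rec_len, &plen) != HB_OK)
        return 0;
    size_t need = HB_HDR_LEN + plen + HB_PAD_MIN;
    if (out_cap < need)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, plen);
    memset(out + HB_HDR_LEN + plen, 0, HB_PAD_MIN); /* padding: zeros here, random in real TLS */
    return need;
}

/* Constructed sample records (not real captures): a 4-byte "ping" request,
 * and the same 23-byte record whose length field claims 65535 bytes. */
static const uint8_t good_req[HB_HDR_LEN + 4 + HB_PAD_MIN] =
    { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t bad_req[HB_HDR_LEN + 4 + HB_PAD_MIN] =
    { HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g' };

int main(void)
{
    uint8_t out[64];
    printf("well-formed request -> status %d, response bytes %zu\n",
           validate_heartbeat(good_req, sizeof good_req, NULL),
           build_heartbeat_response(good_req, sizeof good_req, out, sizeof out));
    printf("oversized claim     -> status %d, response bytes %zu\n",
           validate_heartbeat(bad_req, sizeof bad_req, NULL),
           build_heartbeat_response(bad_req, sizeof bad_req, out, sizeof out));
    return 0;
}
```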

04.05.14

As the World Moves to GNU/Linux Propaganda From Microsoft-funded Proxies Claims Opposite of What Microsoft Intended

Posted in Deception, GNU/Linux, Microsoft, Vista 8, Windows at 9:39 am by Dr. Roy Schestowitz

GNU/Linux is rapidly gaining, partly because of Microsoft’s mistakes


Summary: Reports about new Microsoft-funded propaganda are easily serving as yet more proof that Windows and other Microsoft software ought to be abandoned

EVERY YEAR we are told the same lies. The propaganda is coordinated by Microsoft-funded entities like IDC and the Business Software Alliance (BSA). We tackled this propaganda year after year, also noting that IDG (the parent of IDC) helps disseminate the propaganda in the corporate press. It’s disgusting and it really ought to stop. It’s like the classic routine of rogue think tanks.

Glyn Moody has done a good job tackling the propaganda in two blogs. One of them was his Open Enterprise blog (ironically hosted by IDG), where he wrote: “As those make clear, we are talking here about Windows malware, found on purchased PCs, Web sites, in P2P downloads and CDs bought on the street. Moreover, it’s evident the infected software is proprietary, paid-for software. Why do we know that? Well, for the simple reason that nobody pirates open source software, because it’s always free of charge, by definition. So Microsoft’s report is about closed-source code, running on Windows.

“This means that IDC/Microsoft’s disturbingly high figure of $500 billion for 2014 is not so much the projected worldwide cost for enterprises of using pirated software, as the cost of running non-free programs on Windows. Most of that $500 billion could be saved – pretty much at a stroke – simply by switching to free software. ”

Glyn Moody also wrote about it in TechDirt (very large audience), under the headline “Microsoft-Sponsored Study Says Problems Caused By Using Windows Software Will Cost Businesses $500 Billion In 2014” (similar to the other headline he chose). To quote his arguments: “Although the report doesn’t say so explicitly, we are clearly dealing with Windows systems here — computers are referred to throughout as “PCs,” never as Macs, and some of the malware is named as “Win32/Enosch.A, Win32/Sality.AT, Win32/Pramro.F,” which attack Windows systems exclusively. We can also be pretty sure that none of the infected programs was open source. Why? Because pirating software that is already freely available makes no sense — and is certainly unlikely to be as profitable as offering black market versions of costly closed-source programs.

“Putting this information together — in order to “Get The Facts” as Microsoft always liked to say — we arrive at the interesting conclusion that the use of commercial closed-source programs running on Microsoft Windows will cost businesses around $500 billion in 2014 alone because of the wasted time, lost data and reputational damage that will result from associated malware infections.”

Moody did a good job breaking down the arguments, so we need not do this again (we do this every year). Instead, let’s look at the situation Microsoft is in.

Yesterday and the day before that we wrote about the rise of Chromebooks, which led to a massive campaign of FUD and AstroTurfing from Microsoft. It’s always the same. Moody links to this article from the British press [via], stating that “London Council Dumping Windows For Chromebooks To Save £400,000” (this was later covered in [1]). There’s no denying the fact that Vista 8 is driving many enterprises away from Windows and Vista 8.1 won’t change much, based on SJVN’s analysis that says: “By this time next year we’ll know if Microsoft has managed to reclaim its users’ and vendors’ mind-share, or if we really are seeing the end of the PC computing market in favor of a mobile, cloud-based computing paradigm.”

A state with 70 million people is now moving to GNU/Linux [2], so it’s rather clear where we’re heading. “Microsoft finally admits defeat,” says a Microsoft-friendly site [3] regarding the future Windows 8 update, and, based on numerous reports, Microsoft now drops the price of Windows to 0 for some device types [4]. “Apple already made the move to free-of-charge operating systems,” explains iophk. “Between that and FOSS, the OS has become a commodity. This is good, without charging, Microsoft cannot give kickbacks or similar financial incentives, at least not for much longer.”

You really know that Microsoft is deep in trouble when even its peripheral PR, such as Microsoft Peter [5], projects worry about the number of XP users (people who still use a version of Windows from 2001). Rupert Murdoch’s WSJ quotes US figures and says [6] that “[a]bout 95% of the 211,000 ATMs owned by financial institutions, run some version of XP. But some of those machines run on a unique version Microsoft will support until 2016, according to a Department of Homeland Security memo sent in March. Independent companies, such as gas stations, own another 210,000.”

Many of them will move to Linux. Even Rupert Murdoch’s company, despite being anti-Google, is dumping Microsoft for Google. Interesting times.

Related/contextual items from the news:

  1. London borough drops Windows, goes with Chromebooks, saves around £400,000

    Microsoft has more reasons to worry about Linux. After reports that an Indian state switched from Windows XP to Linux, now a UK-based organization is ditching Windows and going for Linux-based Chromebooks. The London Borough of Barking and Dagenham is going the open source way as it shifts away from Windows XP desktops in favor of 2,000 Samsung 303Cs Chromebooks for employees and 300 Chromeboxes for reception desks and shared work areas across the borough.

  2. Tamil Nadu’s XP migration plan: Go Linux like a BOSS

    The Indian State of Tamil Nadu will solve its Windows XP problem by adopting Linux.

    Tamil Nadu is home to over 70 million people and its capital city is Chennai, a hub for India’s business process outsourcing industry second only to Bangalore.

  3. Microsoft finally admits defeat, will bring Start menu back in future Windows 8 update
  4. Will free Windows make Microsoft bleed to death?
  5. One week before its end of life, 28 percent of Web users are still on Windows XP
  6. Windows XP: Old Platforms Die Hard, Security Risks Live On
