SUSE (or MicroFocus) won’t even tell customers when its systems are in fact compromised
Summary: The same old and very notorious behaviour we found in Novell persists at SUSE under MicroFocus leadership; security neglected and keeping up appearances more important than honesty
TECHRIGHTS wrote many thousands of articles about Novell. We know Novell extremely well and we have documented its terrible behaviour for over half a decade, well before we began focusing on the EPO for example. As we shall show later, in a separate post, Microsoft’s and Novell’s “IP Peace of Mind” is making a comeback (as of last night), but right now we wish to focus on the crack I first wrote about on Monday (it has since then generated some press coverage, e.g. [1-3] below).
A lot of people still miss the key point. IDG even went ahead with a rather misleading headline, as did Softpedia; rather than state the actual news (that OpenSUSE got cracked) the title says or overstates the ‘damage control’ from SUSE, diverting attention to what was not affected rather than what was affected (a politician’s trick). We used to see lots of that kind of spin back in the Novell days and the 2 articles below, having sought comment from SUSE, give SUSE the benefit of the doubt here. Remember that no evidence has been presented by SUSE and moreover the gross negligence here is a bad sign in general. That’s just “faith-based” security. My article about it was so short that it was mostly a screenshot, yet we understand that further coverage is on its way. So let’s elaborate a little. “They were using an outdated version of WordPress and got zapped,” one person wrote to me after I had published my findings. “It was just the front-end, no code was touched.” But says who? SUSE? Can we believe them?
Whatever caused the defacement, it shows that they lost control of their platform. They did get cracked. Softpedia reported that “openSUSE devs immediately restored the news.opensuse.org website from a recent backup” (so the back end too appears to have been compromised).
Nobody has yet covered that issue as properly as we hoped (poor security practices at SUSE) and the fact that they COMPLETELY FAILED or refused to publicly acknowledge what had happened is a serious aspect of it. We waited patiently to see if an announcement would be made by then, even a reassurance that users should not worry. But nothing came out! To this date (half a week later). They attempted to cover it up, which is BAD BAD BAD. For a so-called “Enterprise-Grade” thing which SUSE tries to market itself as (selling SLE*) this is a serious breach of trust. Who would trust SUSE now?
3 news sites and my own site wrote about it, but not a single word has been uttered by SUSE. They know they got cracked and they are not telling anyone, except when journalists ask them for comment (and press them with evidence).
OpenSUSE has a history of security issues in its sites (see “openSUSE Forum Hacked; 79500 Users Data Compromised” from 2014). Where are the reporters who are willing to ask SUSE some tough questions? Don’t let this slide. If someone injected a back door inside SLED and SLES, SUSE would probably say not a thing, only belatedly removing it and then lying about the whole thing, just like Microsoft does. █
In the news:
Softpedia was informed by Dr. Roy Schestowitz that the openSUSE News (news.opensuse.org) website got defaced by Kurdish hacker MuhmadEmad on the day of February 6, 2017.
It would appear that the server where the news.opensuse.org website is hosted is isolated from the rest of openSUSE’s infrastructure, which means that the hacker did not have access to any contributor data, such as email and passwords, nor to the ISO images of the openSUSE Linux operating system.
We already talked with openSUSE Chairman Richard Brown, who confirms for Softpedia that the offered openSUSE downloads remain safe and consistent, and users should not worry about anything. The vigilant openSUSE devs immediately restored the news.opensuse.org website from a recent backup, so everything is operating normally at this time.
The openSUSE team acted quickly to restore the site. When I talked to Richard Brown, openSUSE chairman, he said that “the server that hosts ‘news.opensuse.org’ is isolated from the majority of openSUSE infrastructure by design, so there was no breach of any other part of openSUSEs infrastructure, especially our build, test and download systems. Our offered downloads remain safe and consistent and there was no breach of any openSUSE contributor data.”
The team is still investigating the reason for the breach so I don’t have much information. The site ran a WordPress install and it seems that WordPress was compromised.
This site is not managed by the SUSE or openSUSE team. It is handled by the IT team of MicroFocus. However, Brown said that SUSE management certainly doesn’t want any such incident to happen again and they are considering moving the site to the infrastructure managed by SUSE and openSUSE team.
In the latest Linux news, the news.opensuse.org got hacked and displayed “KurDish HaCk3rS WaS Here” for a while Monday and while the site has been restored, no comment on the hack has been issued. Elsewhere, Debian 9.0 has entered its final freeze in the last steps in preparations for release. FOSS Force has named their winner for top distro of 2016 and Swapnil Bhartiya shared his picks for the best for 2017. Blogger DarkDuck said MX-16 Xfce is “very close to the ideal” and Alwan Rosyidi found Solus OS is giving Elementary OS a run for its money. Phoronix.com’s Michael Larabel explained why he uses Fedora and Jeremy Garcia announced the winners of the 2016 LinuxQuestions.org Members Choice Awards.
openSUSE’s news portal was compromised Monday by a hacker or group of hackers called MuhmadEmad, via the message left in its place. A Kurdish flag with the message “HaCkeD by MuhmadEmad – KurDish HaCk3rS WaS Here” was displayed for hours before it was taken down and the site’s content restored. Roy Schestowitz has a screen capture and said that openSUSE has not yet publicly acknowledged the hack. Swapnil Bhartiya spoke to Richard Brown, openSUSE chairman, who said that site was isolated from most SUSE infrastructure, especially the distribution code. There was no breach of any contributor data either. The site in question is run by MicroFocus, but all are investigating to make sure it’s an isolated incident.
Summary: Microsoft’s “Partner of the Year” is taking over the patron of SUSE and all of Novell’s remains, except the patents (Microsoft has already grabbed those)
EIGHT YEARS AGO this site was born. This was motivated by the Microsoft-Novell deal. The deal heralded the beginning of Microsoft’s patent assault on GNU/Linux and Free software — an assault that continues unabated to this date.
Novell’s virtual assets are now being passed to a new entity called Micro Focus, which is Microsoft’s “Partner of the Year”. This has just been finalised and there is press coverage about it [2,3], including some interviews [4,5,6,7], reviews [8,9], and analysis from the OSI’s President [10,11] amid SUSECon 2014 that showcased and emitted some technical announcements [13-16] (not many, mostly one that’s actually significant).
SUSE has certainly received a lot of coverage over the past week (while my wife and I moved between homes), but one must remember that SUSE is not free from Microsoft; if anything, now it is more Microsoft-tied than before. People must continue to boycott SUSE, not just Novell (or what’s left of it). Attachmate did not give SUSE full independence, only symbolic. Just look who manages SUSE. It’s not independence. With Microsoft’s “Partner of the Year” in charge of SUSE we can expect to see the same pro-Microsoft agenda and sickening relationships inside SUSE (OOXML, Hyper-V, Mono and so on). It’s about Microsoft controlling and profiting from GNU/Linux, hoping to put Red Hat or Debian at peril.
For those who are still in denial over Micro Focus’s role in SUSE, read . Microsoft’s “Partner of the Year” is now in charge. █
Related/contextual items from the news:
The SUSE parent company Attachmate and Micro Focus merger is now complete and Sam Varghese has several interviews from SUSECon today.
If there is one aspect in the open source world that can prove detrimental, it is companies that indulge in lock-in to the extent possible, according to Gerald Pfeifer, senior director of product management at SUSE.
Speaking to iTWire on the sidelines of SUSECon 2014, the third annual conference of the Germany-based SUSE Linux, which is being held in Orlando, Florida this week, Pfeifer (pictured above) did not mention any companies by name, though he did make a passing reference to Oracle.
One aspect of GNU/Linux that does not figure much in discussion when commercial Linux is the topic, is the desktop. SUSE Linux is no exception.
The man who in every sense sits at the nerve centre of SUSE Linux has no airs about him. At 38, Vojtěch Pavlík is disarmingly frank and often seems a bit embarrassed to talk about his achievements, which are many and varied.
He is every bit a nerd, but can be candid, though precise. As director of SUSE Labs, it would be no exaggeration to call him the company’s kernel guru. Both recent innovations that have come from SUSE – patching a live kernel, technology called kGraft, and creating a means for booting openSUSE on machines locked down with secure boot, have been his babies.
When Roger Williams wanted to increase the market for ShadowDisk/Z, a product made by the little Gainesville-based company he works for, he headed to meet the experts, those at SUSE Linux which has something like three-quarters of the market for all Z/Linux customers.
Finally. After three and a half years of sucking, openSUSE is a top performance once again. This is an excellent all-around distribution, and it comes with some neat solutions both over and underneath the hood. You can’t deny its amazing looks, and with the 13.2 release, performance, functionality and stability are back.
Now, openSUSE 13.2 has its problems. The screenshot thingie, subvolume handling, missing Samba printing option, plus that one inexplicable crash, which is probably the most serious item. And because of it, the final grade shall be lower. But all combined, the woes pale against the quality and general goodness radiating from this edition. Really, if you ignore the initial setup, and the one time freeze, there’s very little not to like about openSUSE 13.2. I’m pleased. And feeling somewhat fanboyish. But this is good.
Anyhow, if you’re looking for a non-Ubuntu family release that can offer you a great blend and balance between looks, modernity, functionality, stability, and performance, then you have several worthy candidates to consider. CentOS is one of them, and now openSUSE has returned, mighty and strong, and sanity has been restored into the distro world, where for many years, there’s been an almost total dominance by Mint and Ubuntu, with everyone else lagging behind. OpenSUSE 13.2 is definitely worth testing and exploring. Final grade, something like 9/10, and this is with a whole 0.5 point taken off. So it’s good. Do it.
In the first week of November the openSUSE team launched the latest version of its operating system. The project’s release announcement highlights such new features as faster boot times, KDE 4.14, GNOME 3.14 and a technical preview of KDE’s Plasma 5.1 desktop. The new version of openSUSE has undergone some visual changes and presents us with new artwork and a more streamlined system installer. The distribution also offers updated versions of Linux containers and Docker. The project’s configuration panel, YaST, underwent a major re-write last year and should now be faster. The project claims better integration with systemd too. Prior to installing or upgrading to openSUSE 13.2 I recommend reading the project’s release notes where we can find a list of known problems and workarounds.
As its steady post-Novell recovery continues, Suse moves into enterprise software-defined storage
SUSECon 2014 kicked off in Orlando this week, with the company stressing an air of open communication and transparency with its partners befitting its commitment to the Linux open source platform.
“In addition to increasing service availability by updating critical kernel patches without rebooting, and reducing the need for planned downtime by patching frequently, SUSE Linux Enterprise Live Patching preserves security and stability by applying up-to-date patches,” said Matthias Eckermann, senior product manager for SUSE. “It’s a fully open source solution that features zero-interruption interaction with the system and a familiar deployment method. It’s ideal for mission-critical systems, in-memory databases, extended simulations or quick fixes in a large server farm.”
Enterprise Linux vendor SUSE today made a series of announcements at its annual SUSEcon event, providing users with new patching, storage and cloud capabilities.
The human race has sent a small probe called Philae to land on a comet and got it right the first time it tried. As expected, a Linux operating system has been involved in the success of the mission.
The new owner of SUSE Linux does not intend to move the company from Nuremberg or change its method of operation in any substantial way, the chief executive told iTWire on Tuesday.
The deal has been ratified and is expected to be sealed on Thursday, 20 November.
Summary: OpenSUSE is not part of any commitment, except for SUSE’s; the impact of the Novell/SUSE acquisition casts uncertainty on the project’s future
YESTERDAY we quickly commented on the news that Micro Focus, a very strong British partner of Microsoft, is taking over SUSE and Novell. The British press put it like that:
Attachmate once earned the ire of the open source community for taking on Novell and then putting 882 patents in its Linux portfolio up for sale to a consortium backed by Microsoft.
Microsoft’s strategy remains the same. It is using patents to attack Linux and it is determined to destroy, co-opt, assimilate, acquire, etc. Microsoft can only continue to ‘sell’ licences (for Windows, SUSE, etc.) if competition is gone and this is the reason Microsoft keeps making SUSE its own. SUSE is basically “Microsoft Linux”, which is why Microsoft keeps advertising it as the only ‘true’ GNU/Linux.
Swapnil Bhartiya, an OpenSUSE sympathiser, correctly says:
The merger will once again ruffle some features at SUSE and openSUSE which have been under continuous financial instability.
Bhartiya also covered the message sent to the mailing list of OpenSUSE (documented by LWN). It states:
Dear openSUSE Community,
As you might be aware, SUSE’s parent entity, the Attachmate Group has
entered into an agreement to merge with Micro Focus, a UK-based
enterprise software company. As the primary sponsor of the openSUSE
Project, SUSE’s President and General Manager, Nils Brauckmann has
contacted the openSUSE Board to share the following key points
* Business as Usual: There are no changes planned for the SUSE
business structure and leadership. There is no need for any action by
the openSUSE Project as a result of this announcement.
* Commitment to Open Source: SUSE remains passionately committed to
innovation through Open Source. This has always been the foundation of
our business and that will continue as we grow and innovate in new
* Commitment to openSUSE: SUSE is also fully committed to being a
sponsor and supporter of an open, highly independent and dynamic
openSUSE community and project. We are proud of openSUSE and greatly
value the collaborative relationship between SUSE and the openSUSE
The combination of the Attachmate Group and Micro Focus creates a
larger, global enterprise software entity, operating at a greater
global scale. This provides an even stronger foundation for the
continued investment in SUSE and our continued innovation through Open
The openSUSE Board would like to thank Nils and SUSE for this
reassuring statement. The Board is enthusiastic about the benefits of
the merger may bring to SUSE and ultimately also to our openSUSE
If anyone has any questions, there will be an opportunity to raise
them at tomorrow (Wednesdays) regular openSUSE Project Meeting at
15:00 UTC in #opensuse-project on the Freenode IRC network.
The openSUSE Board
Notice how Brauckmann does not say anything at all about a commitment from Micro Focus to SUSE and OpenSUSE. He speaks of a SUSE commitment to OpenSUSE. That’s it. This is a classic non-denying denial, where what one neglects to say actually says quite a lot.
Michael Larabel’s interpretation is that “Richard Brown relayed a message on the behalf of SUSE’s President and General Manager, Nils Brauckmann, that basically everything is alive and well.”
That’s MBA speak. As it was put by Susan Linton: “The Attachmate Group, announced a merger with Micro Focus leaving openSUSE users nervous.”
This nervousness is why Brauckmann, by proxy, relayed some face-saving talking points. The acquisition seems imminent:
Micro Focus buying Novell, Suse Linux owner for $1.2 billion
Micro Focus expects the deal to close by November.
Our assessment is that changes are afoot. SUSE is now at the mercy of a strong ally of Microsoft, which is likely to keep SUSE or run SUSE only in a way that appeases Microsoft’s interests. █
Summary: Not much to see in the land of SUSE and Attachmate, or formerly the company known as Novell
Last week we were asked about Attachmate, which we no longer keep track of because Novell is pretty much dead and SUSE is not doing well. They are going extinct. The Xandros Web site is no longer even accessible and when it comes to SUSE, the community in particular, it is going down the same route. Well, judging by the declining volume of activity in OpenSUSE News, Greg K-H’s move to the Linux Foundation, the fact that the community manager left (he works for ownCloud now) and now the departure of the chairman of the OpenSUSE board (more on that here), we think it is safe to treat SUSE as irrelevant, or not relevant enough for us to track. Here is the latest:
The openSUSE Board announced this morning that Vincent Untz has stepped down as the openSUSE Board Chairman.
Several days ago I spent some time looking at years’ worth of Novell news, Attachmate news, and SUSE news (I am still subscribed to dozens of feeds related to all those). This was done after a discussion in IRC. I am reluctant to bother with any of them because 1) there is not much news at all and 2) the news hardly relates to FOSS. Novell will go down the same route as Corel and SUSE will end up like Xandros. As for Xamarin, which was created after Novell/Attachmate had abandoned Mono, it is mostly an extension of Microsoft now (a bit like SUSE, which shows up in Microsoft sites because their goal is to tax GNU/Linux servers).
SUSE and Novell pretty much became what we foresaw and feared. Novell’s patents are in Microsoft’s hands now, SUSE serves no purpose other than taxing GNU/Linux for Microsoft, and Novell was not allowed to truly compete with Microsoft. AttachMSFT ensures that much of Novell’s proprietary portfolio is a dying breed. Mono became more closely tied and entangled with Microsoft. █
Summary: The lesser-explored side of SUSE, which is being hosted by freedom-hostile companies including Microsoft
OpenSUSE 12.2 is officially dead now and blogs begin to advertise a new release of the Microsoft-friendly (and funded) distribution, perhaps unknowingly helping Microsoft. One such site says that the new release is now offered in Microsoft-owned servers, demonstrating patent and control issues, not to mention privacy issues. Other reports mention SLE* (SUSE) on Amazon, the CIA’s privacy-infringing special partner. This is the very opposite of what the GNU/Linux world should strive for. At the same time, Microsoft is “openwashing” its datacentre and so does the Microsoft-owned (partially) Facebook [4,5], which is a censorship/surveillance company (users are the products, not the customers, and the business model is brainwashing them, also with pseudo “search” like Microsoft’s). Amazon has already shown us how “open” it is when it started paying Microsoft for GNU/Linux, deleted files (remotely) from people’s devices, and kicked out Wikileaks from its hosting plan at its most critical time (censorship). █
Related/contextual items from the news:
The openSUSE Project has just announced that openSUSE 12.2 has reached end of life (EOL) and it will no longer be supported.
“These servers are optimized for Windows Server software and built to handle the enormous availability, scalability and efficiency requirements of Windows Azure, our global cloud platform. They offer dramatic improvements over traditional enterprise server designs: up to 40 percent server cost savings, 15 percent power efficiency gains and 50 percent reduction in deployment and service times,” Laing said.
The Open Compute Project officially got started in 2011 as a way to open up Facebook’s server designs and help the broader IT community — it’s an effort that is paying off for Facebook and many others too.
Facebook is reaping the benefits of designing its own energy efficient servers. Today at the Open Compute Summit, CEO Mark Zuckerberg said that “In the last three years alone, Facebook has saved more than a billion dollars in building out our infrastructure using Open Compute designs.”
Summary: GNU/Linux hypocrites and their addiction to proprietary software like vBulletin leads to password leakages
Ubuntu and SUSE are two rather dumb projects (in their management) because they let Microsoft spy on their users and they use proprietary software like vBulletin in their forums, showing just how apathetic they are towards software freedom.
Last year Ubuntu Forums got cracked (no surprise, as it was proprietary software) and now it’s OpenSUSE Forums. What do they have in common? Yes, proprietary software. It’s like Canonical’s mistake (leaking out passwords of users) did nothing to teach SUSE a lesson. vBulletin is a mess and it does almost nothing to guard passwords (which many people reuse across sites). In OpenSUSE’s case they say that only E-mails got leaked, but who knows if they’re honest…
What’s hard to grasp is why some companies continue to trust secret code and systems which earned no respect through independent audits.
In the next post we are going to share some of the latest revelations about the NSA. It is clear that back doors are often there by design, so it’s not a matter of whether or not a piece of proprietary software is secure, it’s a question of where there is a back door. See [2-5] below. The FBI requests that US companies make back doors and the NSA even bribes for it. █
Related/contextual items from the news:
At a recent RSA Security Conference, Nico Sell was on stage announcing that her company—Wickr—was making drastic changes to ensure its users’ security. She said that the company would switch from RSA encryption to elliptic curve encryption, and that the service wouldn’t have a backdoor for anyone.
As she left the stage, before she’d even had a chance to take her microphone off, a man approached her and introduced himself as an agent with the Federal Bureau of Investigation. He then proceeded to “casually” ask if she’d be willing to install a backdoor into Wickr that would allow the FBI to retrieve information.
Bruce Schneier, over at the Atlantic, recently made nearly the same point in talking about the massive costs of all of this NSA surveillance (as well as talking about the near total lack of benefits). There’s the cost of running these programs that are massive. There is the fact that these programs will be abused (they always are). There are the costs of destroying trust in various tech businesses (especially from foreign users and customers). But just as important is the fact that the NSA, FBI and others in the intelligence community are flat out weakening our national security by installing backdoors that malicious users can and will find and exploit:
Summary: A new OpenSUSE is out and it is in Microsoft’s Azure lock-in, helping Microsoft tax GNU/Linux while controlling it entirely
The Microsoft-funded SUSE gets integrated with Microsoft Azure following a lot of Azure openwashing. The VAR Guy says this may be part of a bigger battle, fought between Linux and Ballnux (Ballmer-taxed Linux). To quote his new article:
Red Hat and SUSE are shifting their old Linux battle to a new market: Big Data. Both open source companies made major Big Data statements this week, but they are attacking the market using completely different strategies. Here’s what channel partners need to know.
Techrights ignored the release of OpenSUSE this month. It ought to be remembered that the role of SUSE as a whole, now financially tied to Microsoft, is to normalise Microsoft ‘Linux tax’. This site was founded to oppose exactly that. █
Summary: Matt Asay writes about SUSE and despite its funding from Microsoft Asay is not too hopeful
A pro-Microsoft ‘news’ site asks, “Does SUSE Linux have a future”? He “cloudwashes” SUSE. This is from Asay of Novell, who had been interviewed for a job at Microsoft as well. Here are some numbers from SUSE and plans for an event. That’s about all we know about SUSE these days. We hardly ever mention SUSE anymore. It’s dying on its own despite cash infusions from Microsoft, which hopes to use SUSE to tax GNU/Linux use. █