
07.08.15

Red Hat and NSA: This is Not News

Posted in GNU/Linux, Red Hat, Security at 6:47 am by Dr. Roy Schestowitz

Red Hat and back doors: poll from FOSS Force


Summary: The return of XKEYSCORE to some media outlets (not news anymore) brings us back to debating Red Hat’s role (also not really news)

QUITE a few sites (see [1-3] below) seem to be talking about Red Hat’s special (but no longer secret) relationship with the NSA, which is not at all news. The NSA uses a lot of RHEL (and also Fedora) on some malicious spying equipment, based on various NSA leaks. We already wrote a great deal about this back in 2013 [1, 2, 3, 4]. The only new thing we learn from the latest articles is that Red Hat continues to refuse to remark on the subject, even when asked by journalists (see the first article below).

Related/contextual items from the news:

  1. NSA runs its spying activities on Red Hat Linux

    A little over two years ago, the first disclosures about the massive surveillance operation being carried out by the NSA were made in the Guardian, thanks to an intrepid contractor named Edward Snowden.

    Now comes the rather disturbing information that the NSA runs its XKEYSCORE program — an application that the Intercept, the website run by journalist Glenn Greenwald, describes as NSA’s Google for private communications — for the most part on Red Hat Linux servers.

  2. Evil NSA runs on saintly Linux, Apache, MySQL

    If report is correct, Red Hat’s marketing department has a very tricky customer reference

  3. Red Hat Used by NSA Spies, SELinux Possibly Bypassed

    SELinux is a product of the NSA and some worried when it was added to Red Hat, Fedora, and later many other distributions. Even before Snowden revealed the massive government spying, having the NSA anywhere near Linux activated certain Spidey-senses. Now we learn that SELinux may have had an exploit for bypassing the security enforcements. Italian software company Hacking Team, who admits to providing “technology to the worldwide law enforcement and intelligence communities,” has been selling technology to governments (most with bad human rights records) to assist in gathering surveillance data on citizens, groups, journalists, and other governments. Recently Hacking Team was hacked and their information has been leaked onto the Internet. Besides the SELinux exploit, it’s been reported that the FBI, U.S. Army, and the Drug Enforcement Agency are or were customers of Hacking Team’s services.

04.08.15

Security FUD Against Free Software Resurfaces, Using Promotional Branding From a Microsoft-Linked Firm, So Red Hat Finally Responds

Posted in Free/Libre Software, FUD, Microsoft, Red Hat, Security at 5:52 pm by Dr. Roy Schestowitz

Bugs
Image courtesy of Red Hat

Summary: Old news is ‘new’ again, as Microsoft-friendly media decides to keep knocking hard on the reputation of Free software, using words rather than substance

A YEAR ago there was a curious (first of its kind for Free/Open Source software) “branding” of a 2-year-old FOSS bug by a Microsoft-linked firm that did not even find the bug. An engineer from Google had found it and sought to responsibly disclose it so as to patch it properly before the Microsoft-linked opportunists blew the lid off, called it “Heartbleed”, set up a Web site to ‘celebrate’ the bug, and even made a professionally-prepared logo for it. This whole “Heartbleed” nonsense — however serious it may have been for a day — was blown out of all proportion in the media and tarnished the name of Free software because it was so ‘successfully’ marketed, even to non-technical people. It was a branding ‘success’ which many firms would later attempt to emulate, though never with the same degree of ‘success’ (where success means bamboozling the public, especially non-technical decision-making people).

“Dear journalists,” I said earlier today in social media (Diaspora), “bugs don’t have birthdays. Stop finding excuses to bring “Heartbleed” BS (MS name for old bug) to headlines.” I spoke to one author about it and challenged him for floating these “Heartbleed” logos and brands yet again. To us it seems quite evident that Microsoft keeps attacking Free software and GNU/Linux like no time before; it’s just more subtle and hidden in more sophisticated ways. The person who heads the incognito firm that’s known only for the “Heartbleed” brand (they control the brand) came from Microsoft (he was head of security there) and also from the FBI, whose stance on encryption is widely known by now; they actively seek to break security of software, so knowing about the 2-year-old OpenSSL bug would make sense. Some reputable media reports said that the NSA had known about this bug for about a year before it was known to the public and the NSA cooperates with the FBI on breaking software security, sharing personal (illegally intercepted) data, etc.

Anyway, the same publication (as above) also floated the “Heartbleed” nonsense in another article today. Would they do just about anything to keep it in headlines? Even a year later? They are now citing some firm called Venafi (never heard of it before), which basically relies on misleading misuse of statistics. It’s FUD from a company that tries to make money from perceived dangers and accentuates these dangers in an effort to acquire clients. What kind of ‘journalism’ is this? Incidentally, Black Duck is now joining the list of such parasitic companies, with new hires and multiple press releases, so clearly it’s a growth area and the Microsoft link is easy to see. It is FUD season again this spring as more publications now float this whole nonsense. This is hardly journalism; it’s just a throwback.

Thankfully enough, Red Hat demonstrates what “branding” of FOSS bugs practically means, even using the image above. There is no correlation between the naming of bugs and their severity, but press coverage sure loves a good brand. This is an important (albeit belated) response from Red Hat to “branding” of a FOSS bug by Microsoft-linked firms like the one behind “Heartbleed”.

“It’s been almost a year since the OpenSSL Heartbleed vulnerability,” says Red Hat, “a flaw which started a trend of the branded vulnerability, changing the way security vulnerabilities affecting open-source software are being reported and perceived. Vulnerabilities are found and fixed all the time, and just because a vulnerability gets a name and a fancy logo doesn’t mean it is of real risk to users.”

Well, Microsoft folks sure squeezed everything they could from this bug, seeking to discredit not just OpenSSL but the whole development process of Free software (due to just one small bug, or a few lines of code). And Microsoft still pretends that it is warming up to Open Source? Who are these frauds kidding?

There are a lot of companies which continue to use platforms with back doors, such as Windows, but the Wintel-oriented media would rather we just obsess over this one bug from one year ago (which was patched as soon as it became publicly known).

We are rather disappointed to see a decent journalist like Sean Michael Kerner, along with colleagues at eWEEK, swallowing the bait and serving to promote the misleading claims to advertise this company that controls the “Heartbleed” brand, among other opportunists (like fish swimming around a shark for some leftovers). Microsoft must be laughing quite hard seeing all that media manipulation.

01.28.15

Qualys Starts Self-Promotional FUD Campaign, Naming a Bug That Was Already Fixed 2 Years Ago and Distros Have Covered With Patches

Posted in FUD, GNU/Linux, Google, Red Hat, Security, Ubuntu at 12:23 pm by Dr. Roy Schestowitz

Ghostwriting a Qualys horror story for maximal FUD (fear, uncertainty, and doubt)


Summary: Responding to the media blitz which paints GNU/Linux as insecure despite the fact that bugs were evidently found and fixed

THERE IS something to be said about the “top” news regarding GNU/Linux. It’s not really news. The so-called “GHOST” publicity stunt needn’t be repeated by FOSS sites. It is about a bug which was patched two years ago, but some sites overlook this important fact and stick lots of spooky logos, playing right into the hands of Qualys, an insecurity firm (making money from lack of security or perception of insecurity).

We have watched the ‘news’ unfolding over the past day and a half and now is a good time to explain what we are dealing with. The so-called “GHOST” (all capital letters!) bug is old. Qualys is going back two years into bugfixes, giving a name to the bugfixes, then making plenty of noise (all over the news right now). Qualys does not look like a proxy of Microsoft or other GNU/Linux foes, but it is self-serving. Insecurity firms like Qualys probably learned that giving a name to a bug in GNU (SJVN mistakenly calls it “Linux”, but so do many others) would give more publicity and people will pay attention to brands and logos rather than to substance. Just before Christmas an insecurity firm tried to do that with "Grinch" and it turned out to be a farce. SJVN says that this old “vulnerability enables hackers to remotely take control of systems without even knowing any system IDs or passwords.”

Well, it was patched back in 2013. Use of names for marketing is what makes it “news”; the opportunists even prepared a PRESS RELEASE and pushed it into ‘big’ sites like CNN. It has marketing written all over it, just like “Heartbleed”, which had strong Microsoft connections behind the disclosure. It is sad that Linux sites fall for this. Phoronix copies the press release as though it’s reliable rather than self-promotional. Michael Larabel writes: “The latest high-profile security vulnerability affecting Linux systems is within Glibc, the GNU C Library.”

It is not “latest”, it is 2 years old. Larabel says that “Qualys found that the bug had actually been patched with a minor bug fix released on May 21, 2013 between the releases of glibc-2.17 and glibc-2.18.”

OK, so it’s not news. FOSS Force cites SJVN to amplify the scare and other FOSS sites are playing along as though this is top news. It oughtn’t be. It is already widely patched (maybe requiring a reboot), so let’s patch and move on (unless it was already patched upstream/downstream years ago). IDG has already published at least three articles about it [1, 2], including one from Swapnil Bhartiya, who is not too alarmist to his credit. He noted that “there was a patch released back on May 21, 2013, between the releases of glibc-2.17 and glibc-2.18. However it was not considered to be a security risk and thus major Linux distributions that offer long term support and get security updates remained vulnerable, including Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7 and Ubuntu 12.04.”

It affects very specific versions, mostly long-term support releases that already have reliable patches available. It should be clear that some headlines such as this or that clarify the limited scope of impact (not bad reporting) unlike the alarmist trolls.

What Techrights generally found was that early coverage came from so-called ‘security’ sites or blogs of insecurity firms that try to sell their services (e.g. [1, 2, 3]). These set the tone for many.

The response to this bug is proportional to the perceived danger (e.g. due to media hype), not the severity of the bug. Some security news sites [1, 2] focus on names and logos while facts remain only a side issue. This so-called “ghost” nonsense (some lines of code, basically) was fixed 2 years ago and, as the blog post “long term support considered harmful” explains it: “In theory, somebody at glibc should have noticed that fixing a buffer overflow in a function that parses network data has security implications. That doesn’t always happen, however, for many reasons. Sometimes the assessment isn’t made; sometimes the assessment fails to consider all possible exploit strategies. Security bugs are “silently” fixed frequently enough (without evil intentions) that we should consider them a fact of life and deal with them accordingly.”

Some of the worst kind of coverage we found came from The Register with its flamebait headlines (scary headlines for maximum effect) and the troll Brian Fagioli. They are only some among many who are using the name to come up with puns and FUD. Jim Finkle is back to his GNU/Linux-hostile ‘reporting’, bringing this to the corporate media (there is some in the UK also) and LWN quickly cited the GNU/Linux-hostile Dan Goodin. He called “Highly critical” a bug that was patched two years ago.

Debunking some of the latest security FUD, Fedora Magazine stated: “don’t be [worried], on supported Fedora versions.”

For unsupported versions there is a lot more than this one bug that one needs to worry about.

Apple fans were quick to take advantage of the news, despite the fact that Apple is leaving systems vulnerable for many months, knowingly (like Microsoft does, until Google steps in).

See, with proprietary systems one knows for a fact that there is no security. With GNU/Linux it is an open question and it depends on what measures one takes to keep it secure. For Apple and Microsoft security is not at all the goal; back doors and unpatched flaws are not really as “interesting” and important for them to patch as helping spying agencies. Google is not at fault here; Google just saw that Apple and Microsoft had no plans to plug serious holes — a patch evidently wasn’t going to be made ready before the public found out about it, owing to Google. Apple chooses to blame Google; same as Microsoft. They should only blame themselves, both for the bugs and for negligence after the bugs were highlighted to them. There is no room here for properly comparing GNU/Linux (Free/libre) to OS X or Windows (proprietary) because evidence clearly shows that the latter are not interested in security and not pursuing security when it is trivially possible.

What we find curious amid the latest FUD campaign is that Apple back/bug doors are not as widely publicised as a GNU bug that was patched 2 years ago and mostly affects LTS systems (which already have patches available). “Nothing I can think of,” said a reader of ours about this media hype, “but the LTS model followed by RHEL and Ubuntu have different goals and purposes than the short, fast development cycle like OpenBSD.”

Nobody is forced to use an LTS release and those who choose it must be aware of the potential risk.

Regarding the other FUD that flooded the press in recent weeks, targeting for the most part Google and Android, our reader XFaCE wrote the following:

I assume you want to write about that new Android vulnerability. Basically I can see the narrative being pushed through three points

- Microsoft supported Windows XP/7/etc. for years, why doesn’t Google support old Android versions

- Google told Microsoft about a very old bug in their software, so they are hypocritical

- Heartbleed bug was fixed way back for 4.1.1

For the last point, it’s a bullshit comparison because

a) 4.1.1 was one point release where upgrading to 4.1.2 fixed the issue (it was already fixed back when 4.1.2 was released)

b) The fix was one file, as evidenced by XDA members who patched it themselves on phones that manufacturers refused to upgrade to 4.1.2. SOURCE: http://forum.xda-developers.com/showthread.php?t=2712916

c) As shown by the link, a lot of manufacturers DIDN’T update certain 4.1.1 devices to 4.1.2, hence proving Google’s point. The fix there was SIMPLE, but the OEMs didn’t bother to do it

With Webview, not only is webview involved, but so is the webkit rendering engine, so the fix for all those previous releases is much more complicated

As for the second point, Google did catch it, with KitKat, and furthermore made KitKat supported on more low-end devices so theoretically older 512mb or less devices could be updated

For example, HTC said (when Jelly Bean 4.1 came out) that they would not update any device with 512 mb of RAM (SOURCE: http://www.cnet.com/news/htc-one-v-and-desire-c-will-never-get-jelly-bean/ ), so naturally when KitKat came out, they updated those devices because the OS officially was designed for such low ram devices

oh wait

http://www.androidpit.com/android-4-4-kitkat-update-plans

“Later this year, the entry-level smartphone the HTC Desire 500, should also be seeing the KitKat update. However, the One X, One X+, One S, and One V will be left in the dust and will be receiving no more official updates from HTC.”

So the OEMs are at fault for not upgrading the devices, not Google, which leads to point 1 – Google doesn’t control the Android OEMs like Microsoft does. OEMs pay Microsoft for the support, whereby Microsoft controls all updates; Google doesn’t get paid or have the agreement in that way

OEMs like HTC could easily fix this by porting Kitkat to those devices, but they won’t cause they want you to buy a new HTC phone or whatever phone brand

Techrights did not cover that (except in daily links) because it should be self-evident that free-of-charge Android upgrades make it inherently different from proprietary software, and keeping up to date typically ensures security. A lot of the analogies (Android and Windows) were inherently flawed and the FUD rather shallow.

12.19.14

Another Microsoft Partner Markets Linux FUD Using Logo, Name, and Lies

Posted in FUD, Microsoft, Red Hat, Security at 12:14 pm by Dr. Roy Schestowitz

The great power of lies and gullible journalists


Summary: Microsoft’s partner Alert Logic is trying to label a feature of Linux a security flaw and even makes marketing buzz for it

IF A reporter or two can be bamboozled into printing a lie (digitally distributing it), this can lend some credibility/legitimacy to the lie and then it is possible that the lie will spread and be echoed in other reports. Hence the importance of this matter.

Several journalists have already rebutted something that I debunked some days ago when I first saw some nonsense about “Grinch” with a suitable “marketing” image. Here is one rebuttal among a few:

The Grinch flaw was reported by Stephen Cody, chief security evangelist at Alert Logic. Cody alleges that the Grinch flaw enables users on a local machine to escalate privileges. Leading Linux vendor Red Hat, however, disagrees that the Grinch issue is even a bug and instead notes in a Red Hat knowledge base article that the Grinch report “incorrectly classifies expected behavior as a security issue.”

The original security researcher that reported the Grinch found that if a user logs into a Linux system as the local administrator, the user could run a certain command that would enable the user to install a package, explained Josh Bressers, lead of the Red Hat Product Security Team.

“Local administrators are trusted users,” Bressers told eWEEK. “This isn’t something you hand out to everybody.”

We believe it was Joab Jackson (IDG) who first gave a platform to the Microsoft partner (Alert Logic) that used marketing buzz and a lie against Linux, soon to be rebutted by Red Hat. I had contacted Mr. Jackson, who later told me that he posted a follow-up (or correction).

Jackson’s correction may have come too late as we saw the lie spreading to a few other news sites later on (thankfully not too many sites). Here is one example of garbage ‘reporting’ (FUD and lies), generated by the FUD firm with a catchy name, a sort of logo, etc. (generated by a Microsoft partner, we might add). Apart from Jackson’s piece we saw at least 3 more such articles (which came afterwards). How many are going to post a correction? How many articles will be withdrawn? How many follow-ups will be published? Tumbleweed. Silence.

It is usually Windows that has zero-days during Christmas, not GNU or Linux. There was recently other nonsense with a name, claiming to be a flaw when it was actually some other malware (potentially developed by the Russian government) that users actually have to install (not from repositories) to be infected by. It was akin to a phishing attack, but it was widely used in the press (even in IDG, Jackson’s employer) to characterise GNU/Linux as insecure.

Remember what the Microsoft-connected firm did with "Heartbleed" (the name it made up with a promotional logo). It’s all about marketing and hype. They are trying to change perceptions around Free software security. What matters is what people remember, not the truth. This is all about discouraging users or buyers.

A reader has alerted us about this article from Armenia. “Note the job title of the ‘softer,” he said. Here is the relevant portion:

Armenia’s Minister of Defense Seyran Ohanyan received Microsoft Corporation’s Regional Director for Public Safety/National Security/Defense Robert Kosla.

Joke or real? It sounds like a joke, but they are definitely not joking. Armenia talks to the NSA’s biggest partner and back doors-loving company about ‘security’, so seeing the job title from Microsoft is truly hilarious! Microsoft is good at insecurity and lies, not security.

“Our products just aren’t engineered for security.”

Brian Valentine, Microsoft executive

05.03.14

The Debate About Software Patents is Still Dead Because Large Corporations Killed It

Posted in IBM, Law, Patents, Red Hat at 7:58 am by Dr. Roy Schestowitz


Summary: Corporate overlords have successfully shot down any chance of attaining freedom for software developers

HAVING spent about a decade of my life fighting against software patents, it is just too hard to let the cause go. I sometimes revisit relevant news sites and blogs, hoping to find some relevant coverage, parliamentary action, activism, etc. Over the past year or so this has been a depressing exercise because on people’s lips there’s no longer (or rarely) the goal of eliminating software patents. Companies like Google joined the ranks of IBM and are now hiring patent lawyers, acquiring software patents, and so on. I had warned managers at Google about it and their responses to me were largely defeatist. The SCOTUS, which historically is just a plutocrats’ tool for authorising the plutocrat’s will, continues to support the USPTO’s patent maximalism (the USPTO is headed by corporations such as IBM).

There is no substantial bill seeking to truly reform the patent system and those which exist, including corresponding press coverage, are focusing on trolls, costs, and other side issues. The EFF, which once upon a time promised to fight against software patents, recently hired some more lawyers whose articles on the matter tend to be a waste of time (and whose focus is truly bizarre, misguided at best). Here is one new example, the latest of many that we covered last year:

The Supreme Court heard oral argument today in another patent case, Limelight Networks, Inc. v. Akamai Technologies, Inc. In this case, the Court considers what to do when one party performs some steps of a patented method and another party performs the remaining steps. Specifically, Akamai wants to hold Limelight liable for patent infringement even though its customers perform one of the steps of the patent (i.e. four steps are performed by Limelight, one by the customers). The Federal Circuit had ruled for Akamai and effectively held Limelight responsible for the actions of its customers.

But that’s not the point. The point is, patents like these should be out of scope, it doesn’t matter who performs which action, who pays for litigation, who the plaintiff is, and so forth. Even Red Hat, which takes pride in “Open Source” (not so much in freedom) focuses on “trolls” in this latest post on the topic:

Patent trolling—the aggressive assertion of weak or meritless patent claims by non-practicing entities—is a frequent target of disdain from open source enthusiasts. Thus it may be of some comfort to readers that the highest court in the US has recently decided the issue is worth looking into. Three cases have already been heard, but decisions are, as usual, still a ways off.

When even entities like the EFF and Red Hat waste their efforts (if not hijack the voice of patents opposition) trying to tackle the wrong question it seems clear that activists against software patents (that’s software developers, both free/libre and proprietary) are pretty much alone. We oughtn’t expect corporations, corporate press or even politicians to help our cause. They don’t understand, they don’t care, and if they care, then it’s not because they want to see software patents abolished. IBM is probably one of the worst pretenders; unlike Microsoft, it also tries to convince us that it’s on our side and many people fall for it.

04.02.14

Red Hat Should Keep Its Distance From NSA Facilitator Microsoft

Posted in Microsoft, Red Hat, Security, Windows at 6:27 am by Dr. Roy Schestowitz


Summary: Criticism of Red Hat’s increasing proximity to some of the very same bits of proprietary software which are accompanied by back doors (for the NSA)

THE DANGERS of Microsoft are very real, as a former foe of Microsoft, Novell, helped prove. Five years ago Red Hat consented to playing an active part in Microsoft VM hosts, despite knowing (even back then) about Microsoft’s relationship with the NSA, which meant that VMs running RHEL would be accessible (to the NSA) from the back door, Microsoft Windows.

There are many back doors in Windows and therefore in Hyper-V, which sits on top of Windows (back doors further down the stack). Microsoft tells the NSA about these back doors. To give the latest example of back doors, see this new report [2] which says: “Nearly 30 days after reports of a zero-day flaw being exploited in the wild, Microsoft will finally patch this critical vulnerability.”

Relying on Microsoft for technology means that one should also expect and accept back doors. A reader showed us this new article, claiming that “Mono [is] infecting Android,” but it’s not just Android. Even Red Hat is now making such mistakes, in addition to hiring from Microsoft for management of virtualisation. Based on [2,3], Red Hat now accommodates Microsoft .NET applications, despite them being proprietary and potential back doors. A week or so ago some speculated that Microsoft might buy Red Hat (one day) [4,5] and yesterday we found the article “Why Microsoft Will Pick Off Red Hat” (logic of investors, not technical people).

Microsoft is now knowingly abandoning hundreds of millions of Windows users, leaving them with permanent back doors [6,7], so why should Red Hat trust Microsoft .NET applications or anything that comes from Microsoft, including Hyper-V? Articles like [8-10] remind us that in GNU/Linux the main flaw is human error (not changing default passwords or not applying patches, which Red Hat is making easier to apply without any downtime [11]).

The bottom line is, Red Hat’s relationship with the NSA notwithstanding, it oughtn’t connect too much to Microsoft components like .NET and Hyper-V because these constitute back doors that jeopardise the security of GNU/Linux users.

Related/contextual items from the news:

  1. Microsoft to Fix an Internet Explorer Zero-Day Flaw
  2. Red Hat Adds Microsoft .NET to Its OpenShift PaaS
  3. A Red Hat stunner: ‘Microsoft .NET apps on OpenShift’ Yes, you read correctly

    On Wednesday, working with Uhuru Software, Red Hat is now incorporating a rival Microsoft product – .NET – into its three-year-old OpenShift platform-as-a-service. Really? Red Hat even published a blog to explain what’s going on to those who might find the concept a bit unbelievable.

    Chris Morgan, the OpenShift Partner Ecosystem Technical Director for Red Hat, wrote the blog – and even he acknowledged the incredulity of it all that something from Microsoft, which for years has been an enemy of Red Hat, Linux and Open Source, would be incorporated into OpenShift.

  4. An Indecent Proposal: Microsoft and Red Hat?
  5. Reviews, Indecent Proposal, and Ubuntu Graduation

    Today brings two new reviews. Jesse Smith reviews Linux Mint Debian Edition 201403 in today’s Distrowatch Weekly and Jamie Watson posts his latest hands-on. Steven J. Vaughan-Nichols says folks don’t care about operating systems anymore. Matt Hartley has a few suggestions for those ready to graduate from Ubuntu. All this and more in tonight’s Linux news review.

    Jesse Smith tested the latest LMDE in this week’s Distrowatch Weekly. He found a few bugs but Smith says it “lives up to its description” of having “rough edges.” With all its “nasty surprises” Smith suggests folks just stick with the Ubuntu-based version of Mint. But see his full review for all the details.

  6. Perspective: Microsoft risks security reputation ruin by retiring XP

    A decade ago, Microsoft kicked off SDL, or Security Development Lifecycle, a now-widely-adopted process designed to bake security into software, and began building what has become an unmatched reputation in how a vendor writes more secure code, keeps customers informed about security issues, and backs that up with regular patches.

  7. Positive Feedback: M$ Uses XP To Publish The Insecurity Of Using That Other OS
  8. Flaws In People And Their Software
  9. Red Hat Risk Reflex (The Linux Security Flaw That Isn’t)

    News headlines screaming that yet another Microsoft Windows vulnerability has been discovered, is in the wild or has just been patched are two a penny. Such has it ever been. News headlines declaring that a ‘major security problem’ has been found with Linux are a different kettle of fish. So when reports of an attack that could circumvent verification of X.509 security certificates, and by so doing bypass both secure sockets layer (SSL) and Transport Layer Security (TLS) website protection, people sat up and took notice. Warnings have appeared that recount how the vulnerability can impact upon Debian, Red Hat and Ubuntu distributions. Red Hat itself issued an advisory warning that “GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification… An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid.” In all, at least 200 operating systems actually use GnuTLS when it comes to implementing SSL and TLS and the knock-on effect could mean that web applications and email alike are vulnerable to attack. And it’s all Linux’s fault. Or is it?

  10. Linux Bugs, Bugs Everywhere

    “We are seeing a lot of crypto bugs surfacing lately because these libraries are suddenly getting a lot of review thanks to Snowden’s revelations,” suggested blogger Chris Traver. “I think one has to separate the crypto bugs from others because they are occurring in a different context. “From what I have read about gnutls, though, it seems to me that this is probably the tip of the iceberg.”

  11. Introducing kpatch: Dynamic Kernel Patching

    In upstream development news, the kernel team here at Red Hat has been working on a dynamic kernel patching project called kpatch for several months. At long last, the project has reached a point where we feel it’s ready for a wider audience and are very excited to announce that we’ve released the kpatch code under GPLv2.

03.14.14

Fedora News: Fedora 21 Features, Fedora 20 Updates, and Ojuba

Posted in GNU/Linux, Red Hat at 4:33 am by Dr. Roy Schestowitz

03.07.14

Red Hat Joins the Joke Which is Amazon’s ‘Secure’ Federal ‘Cloud’

Posted in Red Hat, Servers at 10:15 am by Dr. Roy Schestowitz

Summary: Another Red Hat move which puts citizens’ data in the hands of unaccountable spies and their corporate partners/accomplices

Amazon, which is a very special partner of the CIA* (we gave dozens of references before in order to highlight this), has already earned Ubuntu some tough words and a snub from the EFF, FSF, as well as many others (nongroups). For Red Hat to play buddies with Amazon makes little or no sense. Amazon not only does many disgusting things (to customers, staff, externalities) but it also pays Microsoft for GNU/Linux, including RHEL. Like with Azure (as we explained repeatedly before), putting any computational resource on Amazon ‘clouds’ is like handing it all over to the NSA (for surveillance, interception, interference, censorship, modification leading to framing, and so on). Red Hat is said to have joined some nonsense programme that involves AWS [1-4], marketed as “secure” and “federal”. Who is this secure from? The Federal government of the United States? Surely not, unless of course you happen to be the government itself. The whole thing sounds so dodgy and it won’t give Red Hat much credibility now that Red Hat’s relationship with the NSA [1, 2, 3] is debated in some circles (it was last mentioned in an article from Sam Varghese earlier this week).

Making things even worse, Red Hat makes an approach [5] towards something which resembles Mono and promotes Microsoft APIs. This is not a wise move, for reasons that we are going to deal with in the next post.

Red Hat’s CEO speaks of himself as a “great leader” (without saying so directly) on Red Hat’s self-serving Web site, which is now treated as a news site by Google News [6]. Some say that Red Hat is one of a kind [7], but if Red Hat leans towards the NSA, puts customers’ data on Microsoft-taxed and NSA-eavesdropped ‘clouds’, hires executive staff from Microsoft and even promotes/spreads .NET and Hyper-V (which provides an NSA back door into GNU/Linux guests through Windows hosts**), then maybe it’s better to promote alternatives to Red Hat as a flag bearer and GNU/Linux leader. Red Hat recently found itself in somewhat of a scandal involving OpenStack [8-10] while it also formed OpenStack partnerships [11-15]. Red Hat really can do and should do more to embrace and disseminate freedom, not cages like AWS. Red Hat’s middleware business is a good example of this [16,17], as business (as in revenue/sales [18], like IBM's) becomes the top priority, even when Red Hat makes public appearances [19,20].

Perhaps what we need now is more strength for community projects like Arch and Debian. They, unlike Red Hat, don’t share a bed with malicious companies that violate users’ rights.
____
* The CIA was, just earlier this week, found to be illegally spying on government officials that act as watchdogs.

** Proprietary virtualisation software is the issue here. VMware is not much better because it’s run by former Microsoft executives (Microsoft is the top NSA partner) and is owned by EMC, which also runs RSA, the NSA’s notorious back doors partner.

Related/contextual items from the news:

  1. AWS launches Red Hat Enterprise GNU/Linux in AWS GovCloud (US)
  2. Red Hat Enterprise GNU/Linux now on Amazon’s GovCloud
  3. Red Hat Courts Government Customers with GNU/Linux for AWS GovCloud
  4. Red Hat GNU/Linux now available on Amazon’s secure federal cloud

    If you’re a government worker and have been wanting to run Red Hat Enterprise Linux securely on your Amazon cloud, it’s your lucky day. The popular open-source operating system is finally available on Amazon Web Services.

  5. Red Hat brings Microsoft .NET Apps to its OpenShift cloud

    Uhuru was founded just over two years ago by veteran ex-Microsoft executives: former vice president Jawad Khaki and former general manager Jawaid Ekram. They are self-proclaimed experts in bringing Windows to Open Source PaaS.

  6. Great leaders are comfortable with who they are

    Over the last 25 years of my career—from serving as a partner at the Boston Consulting Group (BCG), to my time at Delta Air Lines, to my current role as president and CEO of Red Hat—I’ve been exposed to my fair share of leaders. I’ve learned that leaders and leadership styles can vary greatly depending on the company culture, industry and size, but there’s one commonality I’ve noticed among all of them: to be effective, leaders must be respected.

  7. A Formula for Launching the RedHats of the Future

    The bottom line, therefore, is that in order for the model promoted by Levine to succeed, it’s predicated on the existence of underlying projects that achieve the balance of benefits that I alluded to above. Without the right scope of opportunity, sufficient success in recruitment, and abundant skill in execution, there will be no more RedHats emerging from this new model than the last. But where this methodology is understood and followed, not only will such opportunities emerge, but they will do so with far greater predictability than in the past.

  8. Piston OpenStack 3.0 Arrives, Focused on Private Clouds
  9. GNU/Linux Ebb & Flow, Red Hat Oops, and Chakra Reviewed

    There’s rarely a dull moment when looking through Linux newsfeeds. Today we find Jesse Smith has reviewed Chakra GNU/Linux 2014.02. LinuxInsider.com looks at why distributions gain popularity then disappear. And finally, The Register covers a bit of convention confusion between Red Hat and cloud newcomer Piston.

  10. The importance of a community-focused mindset

    Piston, an Openstack-in-a-box vendor[1] are a sponsor of the Red Hat[2] Summit this year. Last week they briefly ceased to be for no publicly stated reason, although it’s been suggested that this was in response to Piston winning a contract that Red Hat was also bidding on. This situation didn’t last for long – Red Hat’s CTO tweeted that this was an error and that Red Hat would pay Piston’s sponsorship fee for them.

  11. Red Hat Increases its Focus on OpenStack Partnerships

    Red Hat originally made a name for itself as the only U.S.-based public company exclusively focused on open source, as it has proved that its Linux-focused strategy could be very profitable. But the company’s future is increasingly being tied to cloud computing and OpenStack in particular. This week, Red Hat marks two years of collaborating with contributors and developers on key OpenStack.org projects “to bring OpenStack from a project to a product.”

  12. Red Hat Enterprise GNU/Linux OpenStack Platform Leveraged by Alcatel-Lucent, CloudBand™ as Part of Its Network Functions Virtualization (NFV) Platform
  13. Alcatel-Lucent to deploy Red Hat Enterprise GNU/Linux OpenStack Platform
  14. Alcatel-Lucent deploys Red Hat Enterprise GNU/Linux platform

    Red Hat, a provider of open source solutions announced that Alcatel-Lucent deployed Red Hat Enterprise GNU/Linux OpenStack platform based on Red Hat Enterprise Linux and Kernel-based Virtual Machine (KVM), as the common platform for its Network Functions Virtualization (NFV) solution, CloudBand.

    “Alcatel-Lucent specifically chose Red Hat Enterprise GNU/Linux OpenStack Platform for use in managing CloudBand Nodes, the turn-key, all-in-one compute, storage and network node system that interfaces with the CloudBand Management System, along with any other OpenStack-enabled nodes,” the company said.

  15. Alcatel-Lucent Embraces OpenStack, as Network Function Virtualization Efforts Expand

    A key part of the overall solution is Alcatel-Lucent’s Cloudband technology which is the company’s NFV platform that provides the server, storage and networking infrastructure with the Cloudband Node. Cloudband also includes management and orchestration functionality to deploy and manage network functions deployed on the infrastructure.

  16. Red Hat Launches a 3-fer for Enterprise BPM Users

    Red Hat’s new JBoss BPM Suite is in part the result of its 2012 acquisition of Polymita, noted 451 Research analyst Carl Lehmann. The addition of that technology and other new features brings Red Hat’s BPM offering on par with other BPM suites and “gives Red Hat some competitive differentiation in the market,” he said. “I think they did a pretty good job there.”

  17. Red Hat’s Polymita acquisition to spawn new products

    That’s according to a Red Hat spokesperson who gave me some additional insight into a press conference that the Raleigh-based open source software company will hold on Tuesday at 11 a.m. to announce new products in middleware.

  18. Red Hat Executives Named 2014 CRN Channel Chiefs
  19. Red Hat to Webcast Middleware Press Conference on March 4
  20. Videos From Red Hat’s DevConf.cz Conference Now Online

    Videos from the DevConf.cz conference that happened earlier this month in Brno, Czech Republic, are now available online from the Red Hat focused event.
