
07.04.15

Microsoft Windows Unsafe at Any Speed, by Design

Posted in Microsoft, Security, Windows at 11:04 am by Dr. Roy Schestowitz

“Our products just aren’t engineered for security.”

Brian Valentine, Microsoft executive


Summary: More timely reminders that Windows is simply not designed to be secure, irrespective of version, status of patching, etc.

GIVEN the exceptionally strong ties between Microsoft and the NSA, we shouldn’t be so shocked that Microsoft keeps letting the NSA know how to break into computers with Windows installed on them. That’s a fact.

Samsung, perhaps realising that ‘updating’ Windows (or even ‘upgrading’ it) won’t make it more secure, decided to switch off Windows Update altogether on its PCs. As IDG put it:

This week, it’s Samsung, which has been outed as intentionally disabling Windows Update. According to independent researcher Patrick Barker, he was trying to help a customer figure out why a PC kept randomly disabling Windows Update, which caused the system to be dangerously and continuously vulnerable to open security flaws.

Remember that Windows Update can also be used (or misused) to install new back doors at any time. Richard Stallman has repeatedly warned about the danger of any such mechanism. It is basically a remote control for one’s PC, where the controller is not the user but the software vendor, and potentially crackers (governments like the NSA and GCHQ, as well as non-government entities). When the article above says “vulnerable to open security flaws” it probably means publicly known flaws, i.e. ones that cyber criminals not affiliated with any government can also exploit.
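For anyone who wants to check a machine like the one Barker was looking at, here is an added example (not code from the original post, nor from Samsung or Microsoft) that reports the usual ways Windows Update ends up switched off: the wuauserv service start type, the documented Windows Update policy keys, and Service Control Manager event 7040, which is logged each time a service’s start type changes and therefore shows whether something keeps re-disabling the service. It assumes Windows PowerShell 3.0 or later and an elevated prompt; the function name and the -Repair switch are this example’s own.

```powershell
# Added example, not from the original post or from Samsung/Microsoft.
# Reports why Windows Update is off on this host and, with -Repair, sets the
# service back to Automatic. Assumes Windows PowerShell 3.0+, run elevated.

function Get-WindowsUpdateState {
    [CmdletBinding()]
    param(
        # -Repair: set wuauserv back to Automatic and start it.
        [switch]$Repair
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. The Windows Update service itself (wuauserv): start type and state.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"
    if ($null -eq $svc) {
        $findings.Add('wuauserv service is missing')
    } elseif ($svc.StartMode -eq 'Disabled') {
        $findings.Add("wuauserv start type is Disabled (state: $($svc.State))")
    }

    # 2. Policy/registry switches that turn automatic updating off.
    #    Both are documented Windows Update policy locations.
    $auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    if (Test-Path $auKey) {
        $au = Get-ItemProperty -Path $auKey
        if ($au.NoAutoUpdate -eq 1) {
            $findings.Add("$auKey\NoAutoUpdate = 1 (automatic updates disabled by policy)")
        }
    }
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    if (Test-Path $wuKey) {
        $wu = Get-ItemProperty -Path $wuKey
        if ($wu.DisableWindowsUpdateAccess -eq 1) {
            $findings.Add("$wuKey\DisableWindowsUpdateAccess = 1 (Windows Update access removed by policy)")
        }
    }

    # 3. Evidence that something keeps flipping the start type: the Service
    #    Control Manager logs event 7040 whenever a service start type changes.
    #    Repeated 7040 entries for Windows Update point at an agent re-disabling it.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7040
    } -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Windows Update' }
    foreach ($e in $events) {
        $findings.Add("$($e.TimeCreated): $($e.Message -replace '\s+', ' ')")
    }

    # 4. Optional repair of the service start type (does not remove the cause).
    if ($Repair -and $svc -and $svc.StartMode -eq 'Disabled') {
        Set-Service -Name wuauserv -StartupType Automatic
        Start-Service -Name wuauserv
        $findings.Add('wuauserv set back to Automatic and started')
    }

    if ($findings.Count -eq 0) {
        'Windows Update appears enabled; no policy or service changes found.'
    } else {
        $findings
    }
}

Get-WindowsUpdateState
```

Putting the start type back only helps if whatever changed it is also found and removed; a run of 7040 events at regular intervals is the hint to go looking at scheduled tasks, startup entries and vendor “update” utilities on the box.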

According to Microsoft Peter (Peter Bright), writing about how much of a farce Windows ‘security’ really is might be something that a research student cannot do. To quote the booster:

Willcox’s research investigates ways in which Microsoft’s EMET software can be bypassed. EMET is a security tool that includes a variety of mitigation techniques designed to make exploiting common memory corruption flaws harder. In the continuing game of software exploit cat and mouse, EMET raises the bar, making software bugs harder to take advantage of, but does not outright eliminate the problems. Willcox’s paper explored the limitations of the EMET mitigations and looked at ways that malware could bypass them to enable successful exploitation. He also applied these bypass techniques to a number of real exploits.

The laws have become so ridiculous that merely pointing out that some piece of software is ‘Swiss cheese’ and ‘easy pickings’ could potentially constitute a violation of the law. Microsoft Peter, in another article, this one about the failing Xbox business (billions in losses), shows how Microsoft secretly tried to deal with manufacturing flaws that may have led to loss of life (there is a famous case involving a baby who died after an Xbox-induced house fire).

It often seems like Microsoft can get away with just about anything (surveillance by the back door, house fires, etc.) as long as it colludes with the state against citizens. Anyone who still believes that Windows can be made secure (intrusion-resistant) is clearly deluded, or at least misinformed.

07.01.15

The Shameless Campaign to Paint/Portray Free Software as Inherently Insecure, Using Brands, Logos, and Excessive, Selective Press Coverage

Posted in Free/Libre Software, FUD, Security at 5:39 am by Dr. Roy Schestowitz

Image: “Bugs”, courtesy of Red Hat, demonstrating the lack of correlation between severity and logos/brands

Summary: Some more FUD from firms such as Sonatype, which hope to make money by making people scared of Free/libre software

The corporate media is in the business of selling (for corporations), not informing. Advertising is the business model, as are media ‘partnerships’ (a euphemism for PR). Security firms too are in the business of selling, not informing, and misinformation often helps improve sales. We have already ranted quite a lot about media misdirection designed to sell products or to malign the competitors of those who sell unnecessary products. We must assume that this is happening because it has always been happening; it has just become a lot more frequent now that Free/libre software is more widely used.

The other day IDG published some promotion of Veracode. To quote one paragraph: “The scale of the problem is significant. Cryptographic issues are the second most common type of flaws affecting applications across all industries, according to a report this week by application security firm Veracode.”

This is not an independent security researcher; it is the Black Duck-connected Veracode (Black Duck came from Microsoft, and Veracode’s co-founder recently joined Black Duck), which overlooks security issues in proprietary software. Veracode is not an objective observer; it is trying to sell something. Sonatype too, a nasty company which we wrote about before [1, 2, 3, 4, 5, 6], rears its ugly head in the media, in an article provocatively titled “Open-Source Code Can Be More Dangerous Than Useful”.

So Sonatype has launched yet another FUD attack on Free software, using myths and rhetoric, capitalising on gullible ‘journalists’ who would print just about anything, along with clueless pasting of bugs with logos (for extra fear), no discussion about severe bugs in proprietary software, and many other issues. This article is relaying marketing from Sonatype and dramatises it even further. “It gets worse,” says the writer, “according to Sonatype: Many of the software companies that have built insecurities right into their products wouldn’t be able to tell which of their applications are affected by a known component flaw because of poor inventory practices.”

Well, proprietary software deliberately adds flaws to act as secret back doors. How about that in the discussion? The article totally omits that. The article then adds some talking points from the FOSS-hostile Symantec, another company which tries to sell its proprietary software based on perceptions of insecurity.

Thankfully, there are a couple of comments there (below the article) that highlight the issues with the article; both are titled “Not only open source…”

As Free/libre software becomes more mainstream we should expect more parasites like Sonatype to look out for fools who are willing to do their marketing, monetising trash-talk.

06.25.15

Microsoft Windows So Insecure That Even Fonts Are Remotely Exploitable

Posted in Microsoft, Security, Windows at 5:28 am by Dr. Roy Schestowitz

Turning the alphabet into a security nightmare


Summary: Windows users are once again under serious threat and at high risk because something as basic as fonts (rendering text as pixels on the screen) isn’t handled securely in Windows

THERE IS plenty of evidence which shows that Microsoft is not interested in security, maybe because of commitments to the NSA (the motivations are hard to reason about, but Microsoft’s reluctance to patch known holes is easily demonstrable).

Now we are being reminded that even fonts are a security risk in Windows. Yes, Microsoft continues to put users under remote execution threat because of fonts. As the British media put it:

Get patching: Google Project Zero hacker Mateusz Jurczyk has dropped 15 remote code execution vulnerabilities, including a single devastating hack against Adobe Reader and Windows he reckons beats all exploit defences.

The accomplished offensive security researcher (@j00ru) presented findings at the Recon security conference this month under the title One font vulnerability to rule them all: A story of cross-software ownage, shared codebases and advanced exploitation [PDF] without much fanfare and published a video demonstration of the exploit overnight.

As one commenter (found by Robert Pogson) put it, “Adobe (and I guess MS as well) put font handling in the kernel from NT 4.0 to gain speed at the expense of having privileged-based protection, and against Dave Cutler’s original micro kernel plans. What could possibly go wrong?”

Proprietary software is so bad that even fonts are a huge risk. This isn’t the first such incident. It also serves as a reminder for GNU/Linux users, because some users continue to install proprietary software from Adobe despite Free/libre alternatives being equally potent.

To quote the part which shows why Windows makes things even worse: “The nastiest vulnerabilities for 32-bit (CVE-2015-3052) and 64-bit (CVE-2015-0093) systems exist in the Adobe Type Manager Font Driver (ATMFD.dll) module which has supported Type 1 and Type 2 fonts in the Windows kernel since Windows NT 4.0.”

“Our products just aren’t engineered for security.”

Brian Valentine, Microsoft executive

06.24.15

Microsoft is Again Demonstrating That It is Not Interested in Making Windows Secure

Posted in Microsoft, Security, Windows at 9:33 am by Dr. Roy Schestowitz

“Our products just aren’t engineered for security.”

Brian Valentine, Microsoft executive

“I don’t want a back door. I want a front door.”

Michael S. Rogers, Director of the NSA (2015)

Summary: Microsoft decides to leave Windows with flaws in it, claiming that fixing the flaws would not be worth Microsoft’s resources

FOR A LONG period of time (3 months or more) Microsoft refused to fix a serious flaw in Windows. It only did something about it when it was too late, because the public had found out. Microsoft then blamed the messenger.

This is not the exception, it’s pretty much the norm. Some Windows flaws exist for as long as 15 years, but they have no "branding" like a name or a logo.

“Dustin Childs says the company couldn’t get Microsoft to patch an IE exploit,” says this new report, pointing to HP’s Web site. “Since Microsoft feels these issues do not impact a default configuration of IE,” Childs wrote, “it is in their judgment not worth their resources and the potential regression risk” (a lot more damning information can be found in the HP Security Research Blog).

Given Microsoft’s cooperation with the NSA on back door access, this hardly surprises us. Sadder still is a new report about the US Navy wasting millions in taxpayers’ money to keep running an operating system initially released in 2001. People with access to the world’s biggest stockpile of nuclear weapons still use Windows XP. As IDG put it:

The U.S. Navy is paying Microsoft millions of dollars to keep up to 100,000 computers afloat because it has yet to transition away from Windows XP.

After the Office of Personnel Management (OPM) disaster (Windows involved), we oughtn’t be too shocked if some nuclear disaster happens because of dependence on ancient Windows.

06.19.15

Kaspersky Lab Hypocritical on Patents

Posted in Patents, Security at 7:03 am by Dr. Roy Schestowitz

None for you, but good for us?


Summary: Kaspersky Lab shows that its stance on software patents (and the patent system in general) is not as strong as it claims

Kaspersky, which is based in Russia and is certainly no ally of the US, turns out to be pursuing US-style software patents, despite Eugene Kaspersky (the company’s chief) publicly slamming the patent system on numerous occasions. Kaspersky might try to argue that it does this for defensive purposes (the same excuse Google uses as it continues to hoard software patents), especially now that Microsoft-connected patent aggressors shake down security companies, but overall it shows that Kaspersky isn’t too serious about change or reform. It plays no role in it.

Meanwhile, as this London-based patent lawyers’ blog reminds us, software patents’ validity is being diminished in the US, with potential implications in Europe. “Coupled with the relatively restrictive (or realistic) ruling on patentability of software in Alice v CLS,” it says, “the question is asked whether this is a sea-change or merely a blip in the annual statistics, which will soon be corrected by regression to the norm. In Europe, ongoing work on fixing the procedural rules and institutional infrastructure of the Unified Patent Court has provided a major focal point for litigation interest.”

Kaspersky would be wise to stop wasting time and money acquiring patents. Developers need to focus on good programming and secure algorithms, not typing up papers to be submitted to lawyers for the acquisition of monopolies. Mr. Kaspersky ought to change his company’s policy to coincide with a computer scientist’s common sense. Besides, software patents may already be on their way out (bulk invalidation).

06.12.15

Kaspersky Reminds Us of the Dangers of Microsoft Windows

Posted in Microsoft, Security, Windows at 4:31 pm by Dr. Roy Schestowitz


Summary: State-sponsored malware which targets Microsoft Windows serves to show that Windows should be banned, especially in important operations

Two readers of ours wrote to us about Kaspersky coming under Stuxnet-like attacks. We have been shown articles that completely fail to call out Windows; some just call it “state-sponsored malware attacks”. We previously wrote about Kaspersky’s rants regarding US patents [1, 2], Windows, and Windows in nuclear facilities. We recently wrote about attempted US attacks on North Korea’s nuclear facilities, targeting Windows. It is rather amazing that despite mountains of evidence that Windows is not secure (often a politically-motivated trap), some states are still eager, or at least willing, to allow Windows installations (infestations).

06.07.15

Debunking the Idea of ‘Secure’ Windows (or Proprietary Software, by Extension)

Posted in Deception, Microsoft, Security, Windows at 4:13 am by Dr. Roy Schestowitz

“The continuous and broad peer-review enabled by publicly available source code supports software reliability and security efforts through the identification and elimination of defects that might otherwise go unrecognized by a more limited core development team.”

CIO David Wennergren, Department of Defense (October 2009)

Summary: Microsoft has a new charade, centered around lobbying hubs such as Brussels, to give non-technical people the false impression of Windows ‘security’

GIVEN the special relationship between Microsoft and the NSA (proven by NSA leaks), one might expect no sane government (or even company) to do business with Microsoft ever again. But after some show trials (e.g. in Ireland), public lobbying, and the many lies spread through corporate media (puff pieces) some actually do view Microsoft as antagonising the NSA — a nice and convenient myth if you can get yourself to believe it.

Dr. Glyn Moody wrote a response to Microsoft’s publicity stunt which tries to sell the impression that Windows and other Microsoft software do not have back doors, despite admissions to the contrary. Microsoft is pretending that Windows is secure using the 'Transparency Centre' farce. Here is some of Moody’s response to it:

The issue of back doors and the possibility that software companies have been cooperating with the NSA to undermine the security of their products has become particularly sensitive in the wake of Edward Snowden’s revelations about the surveillance activities of the NSA and GCHQ. One of the earliest leaked documents concerned the Prism programme, which apparently showed that the NSA had direct access to the systems of all the top US software and Internet companies.

On a presentation slide indicating the dates when Prism began for each “provider,” Microsoft is listed as the very first, starting in 2007. In response, Brad Smith, General Counsel & Executive Vice President, Legal and Corporate Affairs, Microsoft, denied that the NSA had “direct and unfettered access to our customer’s data.” He insisted: “Microsoft only pulls and then provides the specific data mandated by the relevant legal demand.”

Soon after the Prism story appeared, a report from Bloomberg claimed that Microsoft “provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix.” In an article published this week by The Intercept discussing criticisms of Microsoft’s BitLocker disk encryption program, the company was asked to respond to Bloomberg’s allegations from 2013. A Microsoft spokesperson said that sharing bugs was simply part of the GSP, and that “its intention is to be transparent, not to aid spy agencies in making malicious software.”

According to the original Bloomberg article, however, that’s exactly what the NSA used them for: specifically, they “allowed the U.S. to exploit vulnerabilities in software sold to foreign governments.” Asked about “instances in which Microsoft built methods to bypass its security and about backdoors generally”, the spokesperson also told The Intercept that Microsoft “doesn’t consider complying with legitimate legal requests backdoors.”

The opening of the Transparency Centre in Brussels is evidence that Microsoft is worried that some in Europe still have their doubts about whether its software can be trusted. Microsoft’s Thomlinson described the move as “the latest step … to enhance the transparency of our software code and continue building trust with governments around the world.” He also said that there needs to be “a high level of openness and cooperation between public and private sectors.”

Microsoft’s back doors in its software do not need to be built into the binaries. Microsoft can add them when it’s time to update, it can use security holes (which it tells the NSA about before they are fixed), and it uses bogus encryption, as it does, to completely defeat the purpose of secure messaging or message-passing. Moreover, nobody supervises the build process of Windows, except the NSA. There is no telling what is being compiled and how. There is no telling what happens before binaries are installed on computers (en route), where hard drives and various other hardware have back doors (as revealed by NSA leaks) that ‘hook’ onto Windows like a hand inside a glove. Proprietary software cannot be trusted, not in this ‘transparency’ sense. It might, however, be just enough to fool some non-technical people.

06.04.15

Pretending That Windows is Secure and ‘Open’ Using the ‘Transparency Centre’ Farce

Posted in Free/Libre Software, Microsoft, Security at 10:42 pm by Dr. Roy Schestowitz

“Two security researchers have developed a new technique that essentially bypasses all of the memory protection safeguards in the Windows Vista operating system…”

Dennis Fisher, August 7th, 2008

Summary: Microsoft is trying to redefine what Free/Open Source software means and what it takes for security of software to be assured/audited

THE strategy of Microsoft as of late has been combating Free software by changing what it actually means and then pretending to be it. FOSS Force has a good new article about Microsoft’s completely bogus posturing, intended to battle Free software by pretending that Microsoft’s source code is accessible. We are soon going to show (maybe later today) how Microsoft battled Free/Open Source software in voting, essentially using truly misleading lobbying, entryism, and obfuscation ploys.

As FOSS Force put it, “The Transparency Center concept was meant to allay fears that might cause foreign governments to consider options other than Microsoft (read: Linux and FOSS), by granting them unprecedented access to source code.”

In our latest articles about SSH and Microsoft we countered the claim that Microsoft is ever pursuing security. It’s not. Security is not the goal. Read the article from FOSS Force for further details.
