A big hole in Apple, but Apple doesn’t mind as long as the public doesn’t know
Summary: Apple neglected to patch known security flaws in Mac OS X for no less than three months and only did something about that vector of intrusion when the public found out about it
LAST year Apple admitted having back doors in iOS, conveniently dubbing them “diagnostics” (Orwellian newspeak). Apple did this only after a security researcher had found and publicised severe flaws that enabled remote intrusion into any device running iOS (there are unfortunately many such devices out there). This led us to alleging that not only Microsoft and the NSA worked to enable back doors for secret access into Windows. Both Apple and Microsoft are in PRISM and both produce proprietary software onto which it’s trivial to dump back doors, both undetectable and immutable.
Weeks ago we showed that Microsoft does not strive to make Windows secure, based on its very own actions whenever the public is unaware of the insecurities (only the NSA/GCHQ and the reporter/s are 'in the know'). Now we come to realise that Apple too — like Microsoft — did not close back/bug doors in Mac OS X for 90 days despite knowing about them. This isn’t a 0-day, it is a 90-day. It’s incompetence, negligence and might one even say deliberate sabotage by Apple. Apple just chose to leave the serious flaws in tact until it was too late because the public found out about it, owing to Google.
Do not let the Wintel-centric media blame Google for merely informing the public that proprietary operating systems like Windows and Mac OS X have holes in them that Microsoft and Apple refuse to patch. We should generally be thankful for this information. It says quite a lot about Microsoft’s and Apple’s priorities. It helps prove China right for banning Windows and Apple operating systems in government.
There is increasing consensus that Apple is going down the bin when it comes to users’ trust and browsing the Net these days I often read or hear from people who abandon Apple for GNU/Linux. Suffice to say, based on public appearances, the NSA is intimately involved in the build process of OS X (for a number of years now), which does make one wonder. █
Send this to a friend
Journalists currently under heavy barrage from Microsoft marketing (outsourced and in-house)
Summary: Bad news for Microsoft shortly before the marketing extravaganza served to cover much of it up
IF YOU believe the hype (Microsoft has been talking about it for nearly 2 years), you will easily believe that Vista 10 is the return of Windows monopoly and supposed OS ‘leadership’, even though Microsoft is shrinking along with its notorious back doors and criminal behaviour (less Microsoft means less crime).
Those of us who have watched Microsoft closely for years saw a lot of the company’s boosters ebbing away. Microsoft laid off a lot of marketing people. It’s a ‘luxury’ it cannot afford anymore as breaking/infiltrating the media is not cheap. Last week we learned that Paul Thurrott left as well; he had been one of Microsoft’s leading boosters and now, according to a source of ours, he “[p]robably moved to be able to change focus, adding FUD against non-Microsoft stuff in the guise of coverage. This is how far he has gone.” (notice the usual and typical propaganda we have been seeing for weeks now).
Some falsely claim that Android is losing share and others try to paint Windows as running Android apps even though it cannot. That is the type of FUD we have been debunking here for years. This FUD is not dead yet. Just notice the patterns, part of the PR campaign perhaps. If many people repeat the same lie in unison, then the lie gains legitimacy. Just watch Microsoft’s propaganda network 1105 Media trolling FOSS yet again over ‘security’ (only yesterday). A lot of this PR/FUD started last April when a Microsoft-connected firm gave a name and a logo to a bug in OpenSSL. It did it exactly when Windows XP ran out of support (i.e. left totally vulnerable to crackers).
“A lot of this PR/FUD started last April when a Microsoft-connected firm gave a name and a logo to a bug in OpenSSL.”Either way, Microsoft boosters continue to be dissolved. We used to see many more FUD attacks on GNU/Linux or Free software several years ago and as Soylent News put it: “Longtime Microsoft-centric journalist and blogger Paul Thurrott has left Supersite for Windows, and the website he founded sixteen years ago, and its sister site Windows IT Pro, for reasons explained in his farewell post. The sites (the former of which is still branded ‘Paul Thurrott’s SuperSite for Windows’ for now, but that will surely change) will be maintained by a staff of journalists employed by Penton, an information services conglomerate.”
Microsoft very much relies on propaganda agents who blame Google for Microsoft's failings and incite against Microsoft’s top competitors (Chromebooks seem to be Microsoft’s nightmare at the moment, not just Google Docs and ODF). Consider this rebuttal from Thom Holwerda:
First, this article makes the usual mistake of calling these vulnerabilities “zero day”. They are not zero day. They are 90 day. A huge difference that changes the entire context of the story. Microsoft gets 90 days – three months – to address these issues.
The accusations against Google were repeated later, at around the beginning of last week (second time) and the end of last week (third wave). This is totally insane an accusation to make, but given that those blaming Google are longtime Microsoft boosters, one can expect it.
In other news, a new Bloomberg puff piece glamourises Microsoft privacy violations, milking the Paris shootings for Microsoft PR. What an unbelievably shallow puff piece; then again, it’s Bloomberg. In similar news, Outlook has been cracked . Even Microsoft cannot maintain a state of security. “Clumsily done” labelled it our source. Maybe the back doors have taken their toll in the wrong country. That won’t be good for business. █
Related/contextual items from the news:
Microsoft’s Outlook email service was subject to a cyberattack over the weekend, just weeks after Google’s Gmail service was blocked in China.
On Monday, online censorship watchdog Greatfire.org said the organization received reports that Outlook was subject to a man-in-the-middle (MITM) attack in China. A MITM attack intrudes on online connections in order to monitor and control a channel, and may also be used to push connections into other areas — for example, turning a user towards a malicious rather than legitimate website.
Send this to a friend
Microsoft is essentially a snitching company, unconditionally serving those in power
Summary: Microsoft’s latest moves that help expose its real policy when it comes to computer security and people’s privacy
THE OTHER day we mentioned demands for back doors, which basically would make any piece of proprietary software (where back doors cannot be removed) utterly useless for any serious work because secure communication is a cornerstone of computing in a connected environment. We also mentioned Microsoft hiding many of its existing back doors even more aggressively, essentially telling users nothing about their easy-to-compromise systems.
“Always remember that Microsoft makes money from spying on users (government subsidies for the back door access), including in cases where this directly benefits Microsoft’s business interests”This article from the British press says that this “move was criticised by some security professionals, who said it would hinder organisations’ ability to quickly test and deploy Microsoft’s updates.”
They should just quit relying on Windows. Sony can tell them how reliance on Microsoft Windows already caused them to be doxxed against, potentially costing the company many billions of dollars in damages. One security-oriented professional “called the change, which was made with no advance notice, an “assault” on IT security teams.”
Microsoft “assaults” the IT security industry. It attacks security itself, too. To quote further from the article: “Other industry observers said the change may have resulted from a broad reorganisation at Microsoft that began in 2013 and included large-scale layoffs in the middle of last year, with the Trustworthy Computing security group shut down in September. The reorganisation is itself the result of a broad industry shift toward mobile devices which has diminished the importance of Microsoft products such as Windows.
“Prominent figures at MSRC have left Microsoft, including senior development manager Jonathan Ness and Dustin Childs, group manager of response communications. In November Microsoft discontinued a long-running webcast in which engineers gave details on the monthly updates.
“Microsoft said in a statement that while ANS is no longer public, the company may also “take the appropriate actions to reach customers” if it determines that “broad communication” is needed for a specific situation.”
So Microsoft Windows bug doors are becoming more secretive now. Nice timing given Cameron’s call for back doors in everything; he would be so proud. Remember that Microsoft tells the NSA (and hence GCHQ too) about these bug doors well before they are patched, even 3 months in advance (Microsoft does not bother to patch holes until much later, if ever).
GNU/Linux is completely different because the code is visible and everyone can patch holes as soon as they are revealed. There are huge software repositories for which source code is available, so even underlying applications — not just the operating system — can be fixed. On Windows it is a sordid mess of random downloads of binaries from the Web and so-called ‘crapware’ that comes preinstalled with Windows and often has malicious behaviour. As Jim Lynch put it the other day: “I guess the bottom line here is to try to avoid being the sucker by installing crapware in the first place, regardless of the operating system you are using. If you don’t understand or aren’t sure about what’s being installed THEN DON’T INSTALL IT on your system. And only install software from trusted sources that don’t engage in the freeware bundling shenanigans.”
Free software has none of these issues. The user is in charge.
Caspar Bowden, whom Microsoft fired for 'daring' to care about security and privacy, talks about Microsoft’s publicity stunt case (intended to make it look like Microsoft cares about security and privacy). He now says he hopes Microsoft’s publicity stunt will go down in flames and here is why: “His reasoning is that the US government can use other legal instruments, such as FISA 702 or Executive Order 12333, to brush aside such niceties as Safe Harbor or binding corporate rules (BCR) to get its hands on such data perfectly legally any time it likes, and as such the whole case is a smokescreen that actually suits both parties.
“”Even if Microsoft wins that case, and I hope they don’t because that’ll just shore up the whole rotten system, it will make no difference to surveillance by the NSA under FISA 702 or Executive Order 12333 [see below],” he told Computing.
“Bowden – who was the chief privacy adviser to 40 national technology officers at Microsoft before he was “let go” in 2011 after revealing what FISA 702 implies for the firm’s non-US customers – believes that this is all for show. It is part of a campaign of “cloudwashing” on the part of government and the industry, he says, that deliberately conflates data security – over which US cloud companies and their customers can take an active role – and government surveillance, over which, for legal reasons, they cannot. FISA 702 allows the US government to install surveillance apparatus inside the data centres of US companies. These interventions are covered by the espionage law, and anyone revealing their existence could face a lengthy jail sentence, as Yahoo’s Marissa Mayer revealed.”
Bowden is a Brit speaking about Ireland in the British press. We are happy to see him using the term “cloudwashing” — a term we have used a lot for years. A lot of the pro-cloud hype is about increasing surveillance; it’s often the business model. Always remember that Microsoft makes money from spying on users (government subsidies for the back door access), including in cases where this directly benefits Microsoft's business interests. █
Send this to a friend
Closed doors keep the back doors out of sight and resistant to change
Summary: Microsoft willingly leaves Windows users exposed to costly attacks and surveillance, but its propaganda blames the messenger that warned Microsoft about the problem 3 months ago
BASED on Microsoft’s own actions, the company is not at all interested in security and as we last noted the other day, the company is now pulling out of (withdrawing) notifications of back doors, except for the NSA. One might guess this would appease British Prime Minister Cameron, who now openly calls for back doors in everything and a ban on everything without back doors, but will this appease the rest of us, including journalists (never mind banks) who require encryption for secure communication? We have put some related articles in our daily links for those who wish to know more.
“One might guess this would appease British Prime Minister Cameron, who now openly calls for back doors in everything and a ban on everything without back doors, but will this appease the rest of us, including journalists (never mind banks) who require encryption for secure communication?”For those who missed last week’s news, here is what the British press wrote: “MICROSOFT HAS ESCHEWED the first Update Tuesday, or ‘Patch Tuesday’, Advance Notification of the year to announce that it is killing off the Advance Notification Service (ANS) for the general public and, as such, from next month there will be no Advance Notification.”
This basically means that while the NSA, GCHQ etc. know about back doors (or bug doors) that are not patched, the rest of us will know nothing. Since it is secret proprietary code, there is nothing that can be done about it either.
Earlier this month there were also report about Microsoft knowingly failing to patch a serious Windows flaw. It took Microsoft 3 months to actually do anything and when it did do something it was after Google had forced it to. It was Google that originally told Microsoft about this flaw 3 months ago. Here is what a reader of ours insists on calling “Microsoft apologists” wrote about it. They basically blame it all on Google rather than chastise Microsoft for leaving a lot of Windows users vulnerable due to Microsoft’s own laziness. It is worth emphasising that “the problem was not fixed within 90 days.” That’s how much of a priority security is to Microsoft.
Amid the calls for encryption bans in the UK it is clear that everyone who cares about privacy should move to Free software. Software freedom is imperative for privacy because only when the code is free can one be sure there are no back doors and also remove any that exist. Proprietary software exercises unjust power and control over its user, as Richard Stallman said all along, and the calls to ban encryption in the UK reinforce Stallman’s views. Microsoft’s negligence and reluctance to patch known flaws which are very serious also prove Stallman’s point to be valid. It is almost as though Microsoft actually chose to leave users exposed. Remember that the so-called ‘Sony hack’ was due to use of Microsoft Windows, based on numerous reliable reports. Also remember that about half a decade ago Google prevented its staff from using Windows. That was due to recognition that Windows was Swiss cheese when it comes to security. █
Send this to a friend
Summary: Some blobs like Microsoft’s Windows patches and the binary-level UEFI ‘validation’ do not and cannot provide real security, only insecurity in disguise
THE ‘PROMISE’ of UEFI ‘secure’ boot is as ludicrous as Microsoft's claims that it pursues security. UEFI does nothing real for security; in fact, it once again does the very opposite. Quoting the news:
A pair of security researchers have found a buffer overflow vulnerability within the implementation of the unified extensible firmware interface (UEFI) within the EDK1 project used in firmware development.
Bromium researcher Rafal Wojtczuk and MITRE Corp’s Corey Kallenberg said the bug in the FSVariable.c source file was linked to a variable used to reclaim empty space on SPI flash chips.
According to other news, as told (spun) by a Microsoft booster.,”Microsoft’s advance security notification service no longer publicly available”. The booster says that “Microsoft is taking its Advance Notification Service private, claiming the change is due to changes in the way users want their advance security notifications.” Microsoft sure
tells the NSA about ways to hijack/wiretap Microsoft software, so it’s a matter of privilege, not some company-wide policy.
How does the above serve users? It doesn’t. This is about Microsoft, not users. Users will be left even more vulnerable. As Pogson correctly points out, “There are no Patch Tuesdays with Debian GNU/Linux so the bad guys are no further ahead. We can all get Debian’s patches as soon as they generate them and we can usually install the updates on running systems with no adverse consequences, like a re-re-reboot.”
Moreover, in large corporations in particular, patching code internally is possible or even relying on third parties. Don’t ever trust security at binary level, such as large blobs being sent that are supposedly ‘patched’ or some opaque board giving ‘approval’ before the running of a binary blob, mostly likely based on some cryptic signature approved by unknown people for unknown reasons (usually employees of companies that work with the NSA). Real security emanates from transparency, which breeds trust and provides to ability for one to study and patch one’s own programs (or rely on others to do so using their specialised skills). █
“Anyone wonder why the Microsoft SQL server is called the sequel server? Is that because no matter what version it’s at there’s always going to be a sequel needed to fix the major bugs and security flaws in the last version?”
Send this to a friend
Summary: The PHP-based WordPress is reported as the cause for ISC’s woes, but it was not kept up to date (a very simple and risk-free task) and the victims are actually Microsoft Windows PCs
I could personally relate to this report about a high-profile WordPress site getting cracked as it very closely relates to my job. What’s interesting about it is that the victim (or the target) is really Windows, not GNU/Linux.
“So, it looks like the chances are that ISC’s problem is limited to Windows PC malware and it hasn’t effected BIND or ISC’s DNS site,” wrote Steven J. Vaughan-Nichols. Microsoft Windows is targeted via the browser. It’s just so easy.
“Bind is outdated anyway,” told us a reader. “Better replacements have been available for a long time.”
According to the first report, “ISC was hacked by way of a WordPress flaw, but there is now an automatic way to secure WordPress sites and (eventually) eliminate the risk of nonpatched systems.” This might not help protect from out-of-date or vulnerable extensions to WordPress. It’s not an easy task. I have worked with WordPress for over 10 years and with Drupal for close to 5 years (including involvement in the development community), so I can confess that some flaws are inevitable. When it comes to Free software, however, the patching process is vastly superior to that of proprietary software, where many of the flaws are never patched or are silently patched without even informing users.
The whole notion of protecting from bugs at a binary level is ludicrous. Someone who is a programmer from Microsoft spoke to me for hours some days ago and told me that Windows system updates can take a vast amount of time because of lack of modularity. Large blobs that have unknown changes in them are not the way to patch flaws, let alone inform those affected of what is being patched and why.
It is with that in mind that we also approach the binary-level checks for ‘security’ by UEFI ‘secure’ boot. It’s complete nonsense. It doesn’t work and it does not improve security, it just restricts the function of general-purpose computing. Bottomley from Novell continues to support this nonsense based on a Phoronix report that says:
James Bottomley has updated the open-source UEFI Secure Boot Tools for Linux distributions to build against the UEFI 2.4 specification.
UEFI 2.4 has been out for the past year and a half while finally now the UEFI Secure Boot Tools have been updated against the latest spec.
UEFI ‘secure’ boot is how Microsoft and Intel (Wintel) have complicated Free software use, as we’re reminded by a new article where Jamie is nagging about UEFI ‘secure’ boot when installing a new good flavour of GNU/Linux:
“Any computer that comes with UEFI should now be avoided.”“[I]f you are installing PCLinuxOS to a UEFI-firmware system,” he writes, “the best thing to do (and the most common and sensible by far, I’m sure) is to simply leave it in Legacy/MBR boot enabled, don’t try to switch back to UEFI boot.”
Any computer that comes with UEFI should now be avoided. It is possible to avoid such computers and voting with one’s wallet can be very effective. █
Send this to a friend
The great power of lies and gullible journalists
Summary: Microsoft’s partner Alert Logic is trying to label a feature of Linux a security flaw and even makes marketing buzz for it
IF A reporter or two can be bamboozled into printing a lie (digitally distributing it), this can lend some credibility/legitimacy to the lie and then it is possible that the lie will spread and be echoed in other reports. Hence the importance of this matter.
“They are trying to change perceptions around Free software security.”Several journalists have already rebutted something that I debunked some days ago when I first saw some nonsense about “Grinch” with a suitable “marketing” image. Here is one rebuttal among a few:
The Grinch flaw was reported by Stephen Cody, chief security evangelist at Alert Logic. Cody alleges that the Grinch flaw enables users on a local machine to escalate privileges. Leading Linux vendor Red Hat, however, disagrees that the Grinch issue is even a bug and instead notes in a Red Hat knowledge base article that the Grinch report “incorrectly classifies expected behavior as a security issue.”
The original security researcher that reported the Grinch found that if a user logs into a Linux system as the local administrator, the user could run a certain command that would enable the user to install a package, explained Josh Bressers, lead of the Red Hat Product Security Team.
“Local administrators are trusted users,” Bressers told eWEEK. “This isn’t something you hand out to everybody.”
We believe it was Joab Jackson (IDG) who first gave a platform to the Microsoft partner (Alert Logic) that used marketing buzz and a lie against Linux, soon to be rebutted by Red Hat. I had contacted Mr. Jackson, who later told me that he posted a follow-up (or correction).
Jackson’s correction may have come too late as we saw the lie spreading to a few other news sites later on (thankfully not too many sites). Here is one example of garbage ‘reporting’ (FUD and lies), generated by the FUD firm with with a catchy name, sort of logo etc. (generated by a Microsoft partner we might add). Apart from Jackson’s piece we saw at least 3 more such articles (which came afterwards). How many are going to post a correction? How many articles will be withdrawn? How many follow-ups will be published? Tumbleweed. Silence.
It is usually Windows that has zero-days during Christmas, not GNU or Linux. There was recently other nonsense with a name, claiming to be a flaw when it was actually some other malware (potentially developed by the Russian government) that users actually have to install (not from repositories) to be infected by. It was akin to a phishing attack, but it was widely used in the press (even in IDG, Jackson’s employer) to characterise GNU/Linux as insecure.
Remember what the Microsoft-connected firm did with "Heartbleed" (the name it made up with a promotional logo). It’s all about marketing and hype. They are trying to change perceptions around Free software security. What matters is what people remember, not the truth. This is all about discouraging users or buyers.
A reader has alerted us about this article from Armenia . “Note the job title of the ‘softer,” he said. Here is the relevant portion:
Armenia’s Minister of Defense Seyran Ohanyan received Microsoft Corporation’s Regional Director for Public Safety/National Security/Defense Robert Kosla.
Joke or real? It sounds like a joke, but they are definitely not joking. Armenia talks to the NSA’s biggest partner and back doors-loving company about ‘security’, so seeing the job title from Microsoft is truly hilarious! Microsoft is good at insecurity and lies, not security. █
“Our products just aren’t engineered for security.”
–Brian Valentine, Microsoft executive
Send this to a friend
Summary: The power of media spin makes the idea of hosting Free software under the control of an NSA PRISM and back doors partner seem alluring
IN the spirit of tackling FUD we thought it would be worthwhile to tackle spin regarding the news of Ubuntu Core (news that already appears in our daily links).
Microsoft boosters such as Microsoft Gavin try to frame it as Microsoft news, saying: “A smartphone-inspired version of Ubuntu Server for Docker minimalists has been revealed with initial backing from Microsoft.” The headline is even worse. It’s deceiving for the sake of drama.
The news is not about Microsoft. This is what is called bias by omission or selection — similar to this lousy piece from Lance Whitney, former staff of Microsoft media whose latest propaganda is now omitting an old disclosure saying that he is Microsoft’s ‘former’ staff and uses US-only spin to make Android look bad (the US is not the whole world and economic advantage favours overpriced phones).
Several readers have told us that the article “Canonical restructures Ubuntu in mobile mode; Microsoft is first partner” had been removed (we searched the site to verify this) before it was reinstated. How odd. No explanation was given and while it was gone we made a copy from the Google cache of the article, very shortly after it had been deleted, then created permanent archive of the removed version. We wrote publicly at around noon yesterday about how this article vanished after it had been posted (just shortly before we made copies from Google cache and also used archive.is). We later compared the version we had archived with what was reinstated and found no obvious differences in the text. Well, maybe the problem was purely technical, but the content of the article from Paul Gillin was curious, not just the angle. A reader of ours explained: “Below is the text of an article which just disappeared. It was online for only a few hours but contains some very incriminating statements. More might show up later, but for now this is all I have. It sure explains why the Ubuntu forums moderators/staff have been slamming RMS and censoring critique of Microsoft and His Billness – in any context.”
“The situation is bad,” explained our reader. “The previous article was not a mistake” because there is other coverage although it does not provide the Microsoft spin, including phrases such as those highlighted in Diaspora. The factual part is this:
Ubuntu Core is now available on Microsoft’s Azure cloud.
This, however, is not the main news. A lot of effort was put into injecting some pro-Microsoft angle. Here is where promotional spin got injected (apart from the headline):
“Ubuntu Core is the smallest, leanest Ubuntu ever, perfect for ultra-dense computing in cloud container farms,” the company said in a press release. In a twist that’s sure to prompt a double-take from many industry veterans, Canonical chose the Azure cloud from longtime Linux foe Microsoft as its first deployment platform. “Microsoft loves Linux,” said Bob Kelly, Corporate Vice President at Microsoft, in a prepared statement.
“Microsoft has been a terrific steward of Ubuntu,” said Dustin Kirkland, product manager for Ubuntu Core, in an interview. “We have a very tight relationship.” The deal with Microsoft is exclusive for ”a couple of weeks,” after which Ubuntu Core is expected to be available on all public clouds that currently support the operating system.
So ‘“Microsoft loves Linux,” said Bob Kelly, Corporate Vice President at Microsoft, in a prepared statement.’
This is part of the new lie which we wrote about in articles such as:
The problem with articles like the above is the pursuit for talking points to lull the victim into passivity, pretending that Microsoft is now like a “best friend” of GNU/Linux. All that Microsoft does with Ubuntu Core is put it under surveillance and back door control. That’s what Azure is about, as NSA leaks serve to demonstrate.
We could of course tackle some other propaganda if we had more time for writing (I am working full time myself). Consider this new UBM spin which pretends TrueCrypt is FOSS (it’s definitely not) and cites one bug (in OpenSSL) to pretend FOSS as a whole is less secure than proprietary software blobs. There is another ugly story making the rounds about a so-called attack on GNU/Linux machines (attributing it to a government, possibly Russia’s); all the stories we have found (over a dozen so far) neglect to say that the victim must install the rogue code himself or herself, it cannot really propagate except by the user’s stupidity or recklessness. Finally, there is another batch of stories about DCOS, which is backed by a Microsoft thug who boasted about “tilting into a death spiral” competitors of Microsoft and bankrolled Microsoft proxies. DCOS — like Azure — is attempting to control GNU/Linux guests at a higher level. IDG called it a “data center OS” that “allows single-source command for Linux servers”, potentially providing a back door. I have personally seen companies that manage hundreds of GNU/Linux servers from VSphere (proprietary from EMC, which is connected to RSA and hence NSA back doors) on top of Microsoft Windows (also back doors). Can EMC be trusted to not allow intrusion? Can Microsoft? These are rhetorical questions.
Anyone who is reckless enough to put a Ubuntu machine under Microsoft hosting sure has not been keeping up with news. Canonical too would be reckless to recommend such a thing, but perhaps it has short-term thinking, pursuing Microsoft dollars at the expense of customers’ security. █
Send this to a friend
« Previous entries Next Page » Next Page »