01.21.21

How a Newly Inaugurated President Biden Can Advance Software Freedom (If He Actually Wishes to Do So)

Posted in Antitrust, Free/Libre Software, Microsoft, Security at 10:58 am by Dr. Roy Schestowitz

Spoiler: Biden does not actually care about users’ and developers’ freedom; he’ll promote monopolies like Trump and Obama did.


Summary: Techrights has ‘Four Suggestions’ to President Biden, the 46th ‘front end’ of American plutocracy

All those Biden images or memes should not be mistaken for — or wrongly seen as — “pro-Trump”; as we've stressed all along (even before the election), the American public was, in effect, left with no choice on the most important issues (War, Wall Street, World Climate… or WWW for short). People voted for what they perceived to be a “lesser evil”.

That said and done, we’re gratified to know that the name “Trump” won’t be mentioned here much anymore. Let’s focus on the situation we’re in and seek to make the most out of it. Mr. Biden (now President Biden) is a close friend (kinship and personal friendship) of many who strongly oppose software freedom. We named some of these people last year.

Here are our suggestions for Biden (not that he’s going to read this blog, but let’s use that as a reference for a hypothetical ‘scorecard’):

  • Suggestion #0: Appoint a chief at the U.S. Patent and Trademark Office (USPTO) who respects and upholds 35 U.S.C. § 101, based on Alice (SCOTUS). That chief can be someone like Andrei Iancu‘s predecessor, albeit it’s better if that chief did not come from Google or IBM (like David Kappos did). Iancu resigned a day or two before inauguration, along with his troll deputy, so there are vacancies.
  • Suggestion #1: Initiate antitrust proceedings against Microsoft. There are many antitrust violations to choose from, including the basis of the GitHub takeover.
  • Suggestion #2: Choose Free software for all public infrastructure. Almost all the recent ‘hacking’ (cracking) incidents were the fault of proprietary software, often Microsoft’s (with NSA back doors which inevitably become everyone’s back doors).
  • Suggestion #3: Provide stimulus to Free software developers instead of stimulus to the crooks mentioned in Suggestion #1. Microsoft does not deserve billions of dollars in ‘gifts’ from the taxpayers; Free software developers would make much better use of that money and give back to the public.

Let’s see if the ‘Four Suggestions’ can be fulfilled, either in full or just partly. Any of the above would be very nice indeed.

01.11.21

Marketing Companies (Disguised as News Sites) Badmouth Linux, Go, Monero and More

Posted in Deception, FUD, GNU/Linux, Marketing, Security at 7:12 pm by Dr. Roy Schestowitz

Video download link

Summary: Another day, another shallow piece associating “Linux” with security risks based on something that has nothing to do with GNU/Linux and generally boils down to nothing like a real threat (unlike Windows back doors)

THE so-called ‘tech’ media (or so-called ‘news’ sites) aren’t quite what they seem. The above is one typical example. A culmination of several recent “dark PR” campaigns against Go(Lang) and likely Monero as well as Linux has led to this ‘all-in-one’ FUD piece, which we mentioned in our latest Daily Links. Looks like Trend Micro marketing. Like Infosecurity, they’re calling a whole bunch of Windows threats “Linux” and pretend that just because someone out there can write a malicious program and users can run that program (or misconfigure a system to allow remote access) it makes Go and Linux (or even Monero) dangerous. The code is hosted by Microsoft, by the way.

01.06.21

Video: Marketing Companies in ‘News’ Clothing

Posted in Deception, FUD, Marketing, Microsoft, Security at 2:29 pm by Dr. Roy Schestowitz

The case of ‘info’ ‘security’

Video download link

Summary: Hours ago this article was bumped up by Google News; it’s a classic example of PR/face-saving puff pieces in ‘news’ clothing

01.01.21

Here Comes Again the False Parity (Comparing GNU/Linux Security to That of Platforms With NSA Back Doors)

Posted in FUD, GNU/Linux, Kernel, Security at 10:13 am by Dr. Roy Schestowitz

Video download link

Summary: Contrary to what lousy and sleazy sites claim about “Linux” (in order to sell highly misleading agenda/impression and false claims, or push ads based on provocative click-baiting), bad practices and/or clueless admins/users are to blame for what constitutes security breaches in the Free software world, unlike back doors in proprietary software (sometimes mandated by authorities)

IT is hardly a secret that, despite the fact that nation states bemoan security problems, they themselves are the bigger/biggest contributors to security problems. They want back doors in virtually everything, ranging from operating systems to encryption algorithms. Microsoft is one of their biggest facilitators, if not by far the biggest.

According to some so-called ‘news’ [1, 2, 3], security is impossible and “Linux” is just as bad as Windows. This is the sort of message they recycle as Microsoft reveals (when everyone is on holidays) how badly screwed they are, how Azure got cracked (Azure also has layoffs, but they don’t want anybody to mention that), and how we’re supposed to think that it’s not Microsoft’s fault. I recorded this video without any preparation, so it’s a bit of a rant.

This relates to this recent article and video.

12.22.20

Microsoft Windows/IIS Down Again (Across All Server Categories), Merely Living/Surviving on ‘Borrowed Time’

Posted in GNU/Linux, Microsoft, Search, Security, Windows at 12:23 pm by Dr. Roy Schestowitz

It won’t be financially sustainable for much longer and Microsoft admits to us (in IRC) that there were also Azure layoffs this year (and Azure has just been cracked)

Microsoft IIS share

Summary: When it comes to Web servers (World Wide Web as assessed by pertinent sites), Microsoft is already a goner living its last days (months or years)

THROUGHOUT the year we wrote nearly half a dozen posts about IIS, seeing that it’s nose-diving in terms of usage during the pandemic (both in absolute and relative terms). According to this latest report, which is the most comprehensive of its kind, only 3.87% of Web sites use Windows/IIS. This share is rapidly declining.

The latest report is, as usual, a bunch of graphs preceded by explanatory notes (a foreword with text). The name Microsoft is repeated at least 3 times and it says “Microsoft lost 14,700 computers”. To quote just 3 paragraphs:

Microsoft, Apache and nginx each suffered losses in their total number of domains, although nginx’s loss was small enough that its market share increased slightly. 30.3% of the world’s domains are now powered by nginx, compared with 26.4% powered by Apache. Despite losses affecting each major webserver vendor, the causes were independent in each case; for example nginx’s 34,000 loss resulting from a drop of 387,000 domains at Freenom.

OpenResty is continuing to show strong growth, with GoDaddy’s use of the web server for its parked domains. It now powers 71.3 million sites across 36.9 million domains and 84,680 web-facing computers.

The number of web-facing computers running nginx, Apache and Microsoft web server software also fell this month. The largest loss was 38,600 web-facing computers for nginx, which took its total down to 3.63 million and its share down by 0.33 percentage points to 34.4%, leaving it just over one percentage point ahead of Apache. Microsoft lost 14,700 computers, while Apache lost 5,820.

This is the kind of story that Microsoft-funded (e.g. bribed through ad-buying) corporate media never covers.

Instead, media will talk about “clown” (not servers) and hail it as a revolution like never before — one that you mustn’t miss out on or else you won’t be “smart”. They give the false impression (delusion/illusion) that Microsoft is at the cutting “edge” of things, the “recency” perception, e.g. having “secure” chips while putting NSA back doors in virtually everything.

As we said earlier this year (when the declines in Microsoft’s share were considerably bigger), it won’t be long before the cost of maintaining IIS outweighs the financial benefits. That’s when Microsoft starts rebranding and speaking about “reorg” (to avoid words like “layoffs” or “product termination”).

GNU/Linux and Free/libre Web server software is becoming very dominant; one might say it has become the norm, so all those sites that claim to compare “Windows hosting versus Linux hosting” are terribly outdated because they give the illusion of parity; the trends are telling… Windows servers are a dying breed.

As for Windows in general, it’s a mess. Microsoft cannot maintain it anymore, so it breaks itself again. Not that Red Hat or Canonical will take advantage of it to promote GNU/Linux.

12.19.20

Microsoft Security Theatre and Microsoft-Funded Media Frenzy That Stigmatises “Linux”

Posted in Deception, Free/Libre Software, FUD, GNU/Linux, Microsoft, Security at 7:29 pm by Dr. Roy Schestowitz

An old lock

Summary: Misinformation about security is all too common in today’s media; the goal is to get people to embrace software with back doors and surveillance, falsely believing that it guarantees privacy and autonomy

THERE’S security, there’s false or pseudo security, blatant insecurity (not even advertised as real security), “national security” (typically means back doors), and all sorts of other nonsense.

Encryption is maths, not a myth. And it’s a science; there’s logic behind it. Those who speak of “weakening encryption” or anything along those lines basically speak of eliminating encryption, not weakening it. To claim that it’s possible to allow one entity to undermine encryption but not others is extremely dishonest. Like DRM schemes, it’s only a matter of time before it’s rendered obsolete. “Nothing protected by Widevine, FairPlay, or PlayReady ever delays the video surfacing on bittorrent sites,” Ryan notes.

The notion that the government can take away security while still preserving general security is a mirage; it’s largely responsible for the security mess we’re often reading about in the corporate media. But blame is being misplaced. How can we securely bank online using encryption that has back doors in it? Moreover, if the servers have back doors in them, should we not expect data breaches to become inevitable?

“The bank is a backdoor,” Ryan notes. “They are legally required to report suspicious transactions and large amounts of cash activity to the federal government immediately.”

When it comes to Free software, transparency (for audits among other things) ensures that back doors in encryption will be easy to see. One can even compile the code for oneself, having audited it, just to ensure the build system and the build process are intact.

There’s no need to make guesses about Microsoft back doors because in 2013 Edward Snowden leaked proof of it. Corporate media likes to pretend that this is “old news” and no longer relevant, albeit there’s nothing whatsoever which can suggest a change, so we must assume the same facts are still applicable. One reader of ours wrote regarding a subject covered some days ago in a short video:

OVERVIEW

This article is a bit of an overview over a few web pages that revolve around GNU/Linux security; it’s actually more about misinformation on the topic of GNU/Linux security.

The discussion is an overview of articles such as:

• A0: http://techrights.org/2020/11/07

• A1: https://threatpost.com/gitpaste-12-worm-widens-exploits/162290/

• A2: https://www.bleepingcomputer.com/news/security/new-windows-info-stealing-malware-may-soon-target-linux-macos/

• A3: http://techrights.org/2020/12/13/human-error-zdnet/


ATTACKS BY PROXY.

Seen from A0, A1, and A2, we see an example of attacks (propaganda) about GNU/Linux by proxy. Just because something ported to GNU/Linux (or any other operating system) is insecure, doesn’t mean GNU/Linux is insecure. This kind of attack by proxy is a standard propaganda weapon. You could call this kind of propaganda straw man arguments.

INSECURE CONFIGURATION DOES NOT EQUAL INSECURE SOFTWARE.

Seen from A3, we have another form of “attack by proxy”; it’s worth talking about this special case of straw man argument. Propaganda like A3 boils down to person(s) implementing insecure configuration of software. The underlying software is not to blame. But here we see propaganda such as A3 attacking software when the person(s) configuring the software are to blame.


WHERE TO GO FOR SECURITY ADVICE?

Security advice should be taken from people that work on security – not propaganda websites. Forums, IRC chats, email lists and such, for the SPECIFIC software are the right place to ask for advice. Mistrust everything you read, by default; this is generally the best security advice you can get. A lot of software projects have dedicated communication channels for their users; this is a good place to hang out or drop in, when you want security advice.

Ask people with a provable record of working on security.

With the above information, you should be better-equipped to protect yourself from malicious propaganda.

Moments ago in IRC Ryan spoke about some of the latest FUD in the media, along with PR stunts about “secure” chips. “This attitude at Microsoft has only changed to the extent that there’s security theater now and they pay off the fake news to say “PC problem” and everything open source is “Linux”,” he said. “Not only this, but Microsoft wants to port “Defender”, a backdoor and a piece of spyware, to Linux, which is not really having too much of a problem with malware,” he added. Here’s the full text of his rant:

Whenever security and usability/backwards compatibility (even with serious mistakes) clash at Microsoft, security loses.

This is the company that hooked up Windows 98 and even XP to the internet with no security model, administrator logins for everyone, and no firewall.

Then waited until the news was actually reporting on what a worm farm Windows had become and how once you had it connected to the internet, it was a matter of about 3 minutes before it was infected.

This attitude at Microsoft has only changed to the extent that there’s security theater now and they pay off the fake news to say “PC problem” and everything open source is “Linux”.

Every day, we find out that the cyberattack was worse and it’s pretty much all thanks to Microsoft’s shitty software design and the antivirus concept failing to actually keep pace with threats in the modern world.

Not only this, but Microsoft wants to port “Defender”, a backdoor and a piece of spyware, to Linux, which is not really having too much of a problem with malware, even though antivirus is relatively unheard of.

The biggest threat vector on Linux is a seriously misconfigured system that involves not the kernel, but some piece of userspace software.

Which….does happen, but it’s a lot harder to do that on Linux because of the concept of trusted software sources, open source being a lousy way to hide backdoors and malicious payloads for obvious reasons, and just the overall higher intelligence of its users.

Also, not being buried under an OS that’s 90% crap that harkens back to the 90s and 2000s because some business will whine if Internet Explorer and the driver model from Windows XP isn’t there.

People who value real security and accurate information about threats will stay away from media that overlaps the PR industry. They want us to believe that companies which actively undermine security are in fact the biggest champions of security; similarly, those mass surveillance giants are often being portrayed as guardians of people’s privacy.

12.17.20

Video: The FUD of the Month About GNU/Linux, Seeded by ZDNet and Similarly Awful Sites

Posted in Deception, FUD, GNU/Linux, Security at 9:47 am by Dr. Roy Schestowitz

Summary: In this video (unscripted, one/first take) I discuss some of the stuff that’s in this week’s “Linux” headlines (in effect lots of FUD and scaremongering, as usual)

11.27.20

Guarding Your Privacy With E2EE: Primer

Posted in Free/Libre Software, Security at 11:48 am by Guest Editorial Team

End-to-end encryption deciphered

Lock and Key

Summary: “As with all security, there is assumed risk no matter how careful you are. There are no security guarantees but that doesn’t mean you shouldn’t try.”

End-to-end encryption (E2EE) is something that’s been in the news quite frequently. Lack of education about E2EE is being exploited. Your fundamental human rights are being violated. This article serves to educate the non-technical person about E2EE and how it affects their everyday life.

Let us get a few fundamental things clarified, first. Without these basic things, no proper discussion can happen around E2EE.

What is E2EE? E2EE is a system in which data is encrypted so that only one party can decrypt the data: the intended recipient(s).

Note that we used the word “system” in our definition for E2EE. This is done to keep the scope of this article separate from any specific E2EE software.

Another important thing to note is that the sender sees the data that will be encrypted in its unencrypted form anyway. Obvious statement but important to remember.

Next, let us note articles 12 and 19 of the Universal Declaration of Human Rights (UDHR).

Article 12 UDHR: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

Article 19 UDHR: “Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.”

We’ll refer to these as A12UDHR and A19UDHR, from now on.

We’ve now established some fundamental definitions; we can move on to what all this means in the context of E2EE.

Let’s now connect what A12UDHR and A19UDHR have to do with E2EE.

A12UDHR mentions privacy. Our data privacy is a form of privacy. Thus, according to A12UDHR, every human being has a fundamental right to data privacy. The only way we can achieve data privacy is via E2EE.

A19UDHR mentions the freedom to hold opinions WITHOUT INTERFERENCE and to seek and impart INFORMATION and ideas THROUGH ANY MEDIA (we’re paraphrasing here to highlight information relevant to this article). Thus, according to A19UDHR, every human being has a right to exchange INFORMATION THROUGH ANY MEDIA. End-to-end-encrypted data (E2EED) is a form of information; thus A19UDHR gives every human being a right to seek and impart E2EED over any medium they wish.

So, in summary, we’ve established the following as an inalienable right of every human being:

Every human being has a fundamental right to use E2EE and seek and impart E2EED over any medium they wish (Internet, printed documents, etc.).

Now it’s time to consider the technical side.

If you go back to our definition of E2EE, you will see that there are strict requirements about who can decrypt E2EED.

Many platforms (email, social control media, messaging apps, etc.) advertise E2EE. They are pretty much all not E2EE. Why? They have the keys that can decrypt your data. Go back and read the definition of E2EE again.

What are these “keys”? Good question.

Every system of E2EE is basically built on the idea of a pair of keys:

Public Key (PKEY): Just a file. A sort of identifier. PKEYs are used in E2EE to encrypt data so that only the intended recipient(s) can decrypt the encrypted data.

Secret Key (SKEY): Just a file. This is the (only) file which can be used to decrypt the encrypted data.

There exists a mathematical relationship between a PKEY and a SKEY which makes it infeasible to decrypt the encrypted data without access to the recipient’s SKEY. When used correctly, E2EED is safe even from the quantum computers of today.

You can refer to the end of this article for the technical details.

The easiest way to decrypt E2EED is to get hold of the recipient’s SKEY or to catch the pre-encrypted data via some sort of back door in the device being used to encrypt the data. The problem is, many organisations already have your SKEY; they keep a copy for themselves when the SKEY has been generated. So, these systems don’t actually satisfy our definition of E2EE.

Remember: You have a fundamental right to end-to-end encryption. You have a fundamental right to keep the secret keys used for your end-to-end encryption software private. Nobody has the right to take these secret keys away from you – no company, no government, no individual, no organisation. You can willingly forfeit your privacy (and many do by accepting “Terms and Conditions” of various platforms and services) but no body has a right to forcibly take away your privacy.

There have been repeated attempts (and will continue to be repeated attempts) to outlaw end-to-end encryption. Governments want to spy on citizens; companies want to spy on individuals to profit off their private data; organisations want private data of individuals to make discriminatory decisions about said individuals. All of these actions have negative consequences on individuals: psychological abuse, economic discrimination, racial discrimination, political discrimination, exploitative psychological advertising (the list goes on and on).

So what can you do about this? You can raise awareness, first of all. Complain to your local government representative about the attacks on E2EE. You can educate yourself about which software gives you full control over your secret keys.

Here’s a list of software you can look up which gives users control over their secret keys:

1) GnuPG and Kleopatra (GNU/Linux, BSD, OSX)

2) Gpg4win and Kleopatra (Windows)

3) OpenKeychain (Mobile)

There are many books, videos, and tutorials about the tools above. They’re a good point to start with.

Note that operating systems and devices have constantly had back doors installed into them. The best way to use E2EE software is to have a separate device for performing all E2EE tasks; said device should never be connected to the Internet. This is too inconvenient for some but is worth considering for those who want an added level of security.

A note on hardware security tokens: Don’t believe in them. Most of them are likely to have back doors in them which allow extraction of your secret keys. Use an ordinary, general-purpose computer for all E2EE tasks; preferably one that never sees the Internet. Old laptops make great E2EE machines; just turn off the WIFI and don’t plug in any Ethernet cable. Devices like the Raspberry Pi are also a good candidate for an affordable system exclusively used for E2EE. You can use these devices with an HDMI cable, keyboard+mouse, and a USB stick to move data to and from the device.

Does all your data need to be E2EED? Of course not. That would be overkill. But data that you think needs to be private should be private. So use E2EE software to protect your privacy, when you see fit. This includes pictures, videos, legal documents, files containing passwords, etc.

Remember: E2EE is a system in which data is encrypted so that ONLY ONE party can decrypt the data: the intended recipient(s). Any system which doesn’t satisfy this definition is not E2EE; don’t let governments, companies, etc. convince you otherwise.

Technical details

Say J wants to send a file F to M; J wants to encrypt F so that only M can decrypt F. We’ll refer to the encrypted form of F as EF.

What would J need to do?

We’ll establish a few more definitions (sorry about this but it’s necessary to maintain correctness).

J and M both have keys.

E2EE software : S.

Public key of J : JPKEY
Secret key of J : JSKEY

Public key of M : MPKEY
Secret key of M : MSKEY

(1) J and M both use S to generate their respective key files (JPKEY, JSKEY, MPKEY, MSKEY).

(2) J needs MPKEY in order to encrypt F for M.

(3) M sends J: MPKEY, in advance (this can be done over any media as MPKEY is not required to remain private).

(4) J now has the following: S, JSKEY, MPKEY, F. J can use these to obtain EF.

(5) J sends EF to M.

(6) M now has the following: MSKEY, S, EF.

(7) M can use these to obtain F from EF.

All of the above can be done with only one person. In that case, J = M. This is when you want E2EED that is “for your eyes only”.
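The seven-step exchange above, carried out in code as an added example that is not part of the original article. It uses textbook RSA with deliberately small, constructed 256-bit keys so that the whole key generation fits on the page; the function names (generate_keys, encrypt, decrypt, run_protocol) and the one-byte prefix used to split F into blocks are assumptions of this example, not anything the article or GnuPG prescribes. The last function shows the article’s warning about services that keep a copy of your SKEY: whoever holds MSKEY can read EF, so such a service does not meet the definition of E2EE.

```python
"""Toy walk-through of the J -> M end-to-end encryption steps.

Constructed for illustration only: textbook RSA, tiny keys, no padding
scheme, no authentication. Real E2EE software (e.g. GnuPG) does far more.
"""
import random
from dataclasses import dataclass


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_prime(bits: int) -> int:
    """Random odd candidate with the top bit set, until one is prime."""
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


@dataclass(frozen=True)
class KeyPair:
    pkey: tuple  # (n, e): may be sent over any medium
    skey: tuple  # (n, d): must never leave the owner's device


def generate_keys(bits: int = 256) -> KeyPair:
    """Step (1): the software S generates one party's PKEY/SKEY pair."""
    e = 65537
    while True:
        p, q = generate_prime(bits // 2), generate_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return KeyPair(pkey=(p * q, e), skey=(p * q, d))


def encrypt(pkey: tuple, data: bytes) -> list:
    """Step (4): J turns F into EF using only MPKEY (JSKEY is not needed)."""
    n, e = pkey
    chunk_len = n.bit_length() // 8 - 2  # keeps 0x01 || chunk below n
    blocks = []
    for i in range(0, len(data), chunk_len):
        # Prefix byte 0x01 preserves leading zero bytes of the chunk.
        m = int.from_bytes(b"\x01" + data[i:i + chunk_len], "big")
        blocks.append(pow(m, e, n))
    return blocks


def decrypt(skey: tuple, blocks: list) -> bytes:
    """Step (7): recover F from EF; only the holder of MSKEY can do this."""
    n, d = skey
    out = bytearray()
    for c in blocks:
        m = pow(c, d, n)
        raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
        if raw[:1] != b"\x01":
            raise ValueError("wrong key: prefix check failed")
        out += raw[1:]
    return bytes(out)


def run_protocol(f: bytes, m_keys: KeyPair) -> bytes:
    """Steps (2)-(7) end to end; pass the same pair for the J = M case."""
    mpkey = m_keys.pkey              # step (3): M shares MPKEY in advance
    ef = encrypt(mpkey, f)           # step (4): J computes EF
    return decrypt(m_keys.skey, ef)  # steps (5)-(7): M recovers F


def escrow_can_read(escrowed_skey: tuple, ef: list) -> bool:
    """A service that kept a copy of MSKEY at key generation reads EF too."""
    try:
        decrypt(escrowed_skey, ef)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    m = generate_keys()
    f = b"constructed sample file F"
    assert run_protocol(f, m) == f
    print("M recovered F; escrow holder can read it too:",
          escrow_can_read(m.skey, encrypt(m.pkey, f)))
```

Note that only MPKEY is used to produce EF; the JSKEY listed in step (4) would matter for signing EF so that M can verify it came from J, which this example leaves out.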

RSA and EdDSA are considered the most secure systems for E2EE today (2020). The major weak points in any E2EE are: human error, hardware and software backdoors, hardware and software bugs. E2EE is always evolving, so what you read today may not be true tomorrow.

As with all security, there is assumed risk no matter how careful you are. There are no security guarantees but that doesn’t mean you shouldn’t try.

Be wary of any body that gives you guarantees.
