Summary: Windows maintains its reputation as a back doors haven, but the media is still not highlighting the severity of this issue, instead focusing on accidental bugs in Free software, even very old (and already fixed) bugs
As our previous post stated, there is an effort to keep insecurity debates around Free software, even if by going a whole year back to the "Heartbleed" brand. “More branded bug FUD” can be found here, according to a reader of ours. So why are journalists still so stubborn and so eager to keep us talking about Free software as the risk when Microsoft deliberately makes its software insecure as if the priority is to keep remote access (by anyone) intact (some countries now recognise this)? Why are there no brands for Microsoft's critical bugs these days? Free software is a big threat to the Security State, not to security, so a large number of moles can be suspected or even assumed. How many SSL flaws have already affected Microsoft and how many of them got “branded” in the same way as the OpenSSL bug? Some journalists don’t even name Windows, to spare Microsoft the embarrassment.
Another back door/bug door in Windows has just been found. As iophk told us yesterday: “No logo or name?” No, it’s Windows. Remote access by anyone is a given any day.
As this article noted the other day, “Microsoft abruptly ended advance notification of security patches in January.”
In other words, Microsoft does not even inform those affected by serious bugs anymore. And in other news (yesterday), “HTTP ‘pings of death’ are spewing across web to kill Windows servers” (not the first of this kind).
To quote the article: “The SANS Institute has warned Windows IIS web server admins to get patching as miscreants are now exploiting a flaw in the software to crash websites.”
“For Microsoft,” says an IDG report, “the vulnerabilities just keep popping up, and appear to be surfacing more quickly than ever before.
“Like last month, Microsoft issued a fairly large number of security bulletins for April Patch Tuesday—11 bulletins addressing 26 vulnerabilities. Last month brought 14 bulletins from Microsoft, covering 43 vulnerabilities.”
Remember that Microsoft does not even report all the vulnerabilities. It games the system by making up bogus numbers (silent patches). █
Microsoft gets a free pass for insecurity
“I don’t want a back door. I want a front door.” — Director of the National Security Agency (NSA), only days ago
Summary: All versions of Microsoft Windows are found to have been insecure since 1997, but the bug responsible for this is not named as a candidate for back door access, let alone named (with logo and marketing) like far less severe bugs in Free/libre software such as OpenSSL
While many journalists still refuse to call out Windows (see this new piece from Dan Goodin, who writes about crackers hoarding Windows hosts by the millions — in botnets — while mentioning the word “Windows” only once, very deep inside the article), some have no choice but to acknowledge that not every single computer runs Windows and therefore we should call out Windows when it’s clearly to blame.
Although there is no “branding” yet (as Microsoft buddies from a Microsoft-linked firm like to do to Free/libre software bugs), there is a very serious bug in all versions of Windows (even the one still in development) that Microsoft’s allies at the NSA must be very happy about, especially as the bug is 18 years old (meaning that Windows has allowed remote access since 1997, or around the time Microsoft was seeking to appease the US government after it had shamelessly broken many laws).
The bug was found not by Microsoft but by this team (press release), which probably has no access to Windows source code. This wouldn’t be the first time it happens; recall how Google had to alert Microsoft for 3 months about a serious flaw while Microsoft did absolutely nothing (as if the intention was to keep Windows insecure, albeit secretly, very much like Apple).
ISPs should now restrict or ban Windows use, as it poses a huge risk (botnets and DDoS, never mind the risk to all data stored on machines running Windows). Here is some early coverage of this [1, 2], some correctly emphasising that it’s an 18-year-old vulnerability [1, 2].
Let’s see if this starts a big debate about the insecurity of proprietary software (as other bugs with “branding” did to Free software, by means of gross generalisation). This “New Security Flaw Spans All Versions Of Windows” (similar wording in this headline). 18 years, eh? It even predates 9/11. It’s older than some readers of this Web site.
Watch this disgraceful piece titled “Will Microsoft’s Security Measures in Windows 10 Tarnish Open-Source Development?”
Yes, it’s more propaganda. The disingenuous openwashing of Windows continues, as we’ll show in our next post. █
“Our products just aren’t engineered for security.”
–Brian Valentine, Microsoft executive
Image courtesy of Red Hat
Summary: Old news is ‘new’ again, as Microsoft-friendly media decides to keep knocking hard on the reputation of Free software, using words rather than substance
A year ago there was a curious (first of its kind for Free/Open Source software) “branding” of a 2-year-old FOSS bug by a Microsoft-linked firm that did not even find the bug. An engineer from Google had found it and sought to responsibly disclose it so as to patch it properly before the Microsoft-linked opportunists blew the lid off and called it “Heartbleed”, set up a Web site to ‘celebrate’ the bug, and even made a professionally-prepared logo for it. This whole “Heartbleed” nonsense — however serious it may have been for a day — was blown out of all proportion in the media and tarnished the name of Free software because it was so ‘successfully’ marketed, even to non-technical people. It was a branding ‘success’ which many firms would later attempt to emulate, though never with the same degree of ‘success’ (where success means bamboozling the public, especially non-technical decision-making people).
“Dear journalists,” I said earlier today in social media (Diaspora), “bugs don’t have birthdays. Stop finding excuses to bring “Heartbleed” BS (MS name for old bug) to headlines.” I spoke to one author about it and challenged him for floating these “Heartbleed” logos and brands yet again. To us it seems quite evident that Microsoft keeps attacking Free software and GNU/Linux like no time before; it’s just more subtle and hidden in more sophisticated ways. The person who heads the incognito firm that’s known only for the “Heartbleed” brand (they control the brand) came from Microsoft (he was head of security there) and also from the FBI, whose stance on encryption is widely known by now; they actively seek to break the security of software, so knowing about the 2-year-old OpenSSL bug would make sense. Some reputable media reports said that the NSA had known about this bug for about a year before it was known to the public, and the NSA cooperates with the FBI on breaking software security, sharing personal (illegally intercepted) data, etc.
Anyway, the same publication (as above) also floated the “Heartbleed” nonsense in another article today. Would they do just about anything to keep it in headlines? Even a year later? They are now citing some firm called Venafi (never heard of it before), which basically relies on misleading misuse of statistics. It’s FUD from a company that tries to make money from perceived dangers and accentuates these dangers in an effort to acquire clients. What kind of ‘journalism’ is this? Incidentally, Black Duck is now joining the list of such parasitic companies, with new hires and multiple press releases, so clearly it’s a growth area and the Microsoft link is easy to see. It is FUD season again this spring as more publications now float this whole nonsense. This is hardly journalism; it’s just a throwback.
Thankfully enough, Red Hat demonstrates what “branding” of FOSS bugs practically means, even using the image above. There is no correlation between the naming of bugs and their severity, but press coverage sure loves a good brand. This is an important (albeit belated) response from Red Hat to “branding” of a FOSS bug by Microsoft-linked firms like the one behind “Heartbleed”.
“It’s been almost a year since the OpenSSL Heartbleed vulnerability,” says Red Hat, “a flaw which started a trend of the branded vulnerability, changing the way security vulnerabilities affecting open-source software are being reported and perceived. Vulnerabilities are found and fixed all the time, and just because a vulnerability gets a name and a fancy logo doesn’t mean it is of real risk to users.”
Well, Microsoft folks sure squeezed everything they could from this bug, seeking to discredit not just OpenSSL but the whole development process of Free software (due to just one small bug, or a few lines of code). And Microsoft still pretends that it is warming up to Open Source? Who are these frauds kidding?
There are a lot of companies that continue to use platforms with back doors, such as Windows, but the Wintel-oriented media would rather we just obsess over this one bug from one year ago (which was patched as soon as it became publicly known).
We are rather disappointed to see a decent journalist like Sean Michael Kerner, along with colleagues at eWEEK, swallowing the bait and serving to promote the misleading claims to advertise this company that controls the “Heartbleed” brand, among other opportunists (like fish swimming around a shark for some leftovers). Microsoft must be laughing quite hard seeing all that media manipulation. █
Summary: Black Duck ups the ante on Free software-hostile messages, embeds FUD in the media almost instantaneously
There is an attack on Free software going on, but it’s shrewdly disguised as ‘concern’ for Free software. We are led to believe that the problem is not proprietary software with back doors but Free software that may have bugs, especially bugs that users don’t bother to patch despite having the ability (or freedom) to do so. It’s free.
The other day we wrote about Black Duck entering the security FUD market, targeting Free software, as one ought to expect (it had already done the compliance FUD, neglecting to mention EULA-related issues in proprietary software). To repeat some facts for the uninitiated, Black Duck was started as an anti-GPL company, by its very own admission. Very shortly after hiring a parasite, whose company exploits security fears, Black Duck’s scope of FUD expands further and there’s an effort in the media to advertise this.
Darryl K. Taft, a booster of Microsoft, already helps this anti-GPL company (Black Duck) by doing this Microsoft-esque advertising at this very moment. Taft, who often promotes Microsoft PR, doesn’t mind covering something that seemingly relates to Free software if it makes Free software look bad. No wonder Black Duck came from Microsoft. Other Microsoft-boosting sites like TechFlash promoted this nonsense and spread it to media with broader reach. Watch how they wrongly describe Black Duck: “Burlington-based open-source software firm Black Duck software is making big bets on helping to make open-source software more secure for companies”
Black Duck is most definitely not an “open-source software firm”; it is an anti-Open Source software firm whose products are proprietary, with software patents that relate to them. This is the kind of openwashing that has become so common when it comes to proxies of Microsoft (Microsoft works together with Black Duck; it’s not just that Black Duck came from Microsoft).
Black Duck, as we noted the other day, had hired a key person from Veracode, whose output is mostly FUD even today. Right now it promotes itself in CBS and other networks by saying some nonsense about a nonsense buzzword (“Internet of Things”) that means nothing in particular. To quote the CBS tabloid: “In a new report released by enterprise security firm Veracode, researchers discovered during testing of common, household IoT devices that security is not up to scratch — paving the way for exploits, data theft, robbery and potentially even stalking.”
That is just some embedded marketing for a FUD firm, one whose co-founder is now inside Black Duck.
Truth be told, Black Duck is trying to diversify or re-brand itself as ‘pro-security’ as it did as ‘pro-compliance’, but what it is really about is FUD. It uses fear, spreads existing fear to sell, creates more fear to sell, and overall it makes Free software look bad.
IDG is another large network that helped Black Duck advertise itself the other day. The headline is misleading because it says “Black Duck’s mission: To seek out insecure open source code in the enterprise”.
No, Black Duck’s mission is to sell its proprietary software by telling the press, enterprises etc. that Free software is not secure and needs some ‘medicine’ (Black Duck’s proprietary snake oil).
Here are the press releases from Black Duck [1, 2]. Clearly enough there is a media manipulation campaign going on and some journalists — other than Microsoft boosters disguised as ‘journalists’ — have already fallen for it. █
Summary: Two sources of fear, uncertainty and doubt (FUD) against Free/Open Source software (FOSS) find themselves fused together
The firm known as Black Duck recently admitted its roots in GPL FUD, not just in Microsoft (the founder's employer for many years). Black Duck recently took advantage of perceptions of FOSS security issues (using bugs with “branding”) to market its proprietary software products. A press release now informs us that Veracode’s co-founder is joining Black Duck. We wrote about Veracode at Techrights several times before. Black Duck and Veracode have much in common, with examples such as security FUD that has “branding” to act as a stigma against Free software, as we recently (earlier this year) saw (both Black Duck and Veracode have been doing this in recent months). We are sure they’ll have a lot of experiences to share and many strategies to sell based on fear, or even create this fear by appearing in the media with famous brands such as “GHOST”, “Shellshock”, and “Heartbleed”. █
Microsoft is ‘open’ like BP is ‘green’ (openwashing follows greenwashing tactics)
Summary: Microsoft’s charm offensives against Free/libre software are proving to be rather effective, despite them involving a gross distortion of facts and exploitation of corruptible elements in the corporate media
Six days ago we published a series of six articles which are listed in order below:
The issue discussed in part 1 receives a lot of media attention, even from corporate media (in this case, GOP-leaning media). To quote one such report: “The feature we’re concerned with is called Secure Boot, and it’s designed to protect you: The installed OS becomes locked to the hardware itself, and if any other OS attempts to interfere (like a low-level malware app for example) then the system simply won’t start up. OEMs were ordered to make Secure Boot optional with Windows 8 but it looks like they are going to be given the opportunity to make it mandatory in Windows 10.”
What the corporate media gets wrong is the part about security. It’s not “designed to protect you”. In fact, much of the recent press coverage serves to show that UEFI reduces security in many cases. Some media sites/conglomerates such as IDG already explained (last year) how it can be used for remotely bricking PCs (pretty much at the hardware level). We have covered several examples over the past 3 years, so evidence continues to mount. IDG’s Microsoft booster Andy Patrizio wrote: “I suspect if you are smart enough to use Linux, you are smart enough to shut off Secure Boot in the UEFI.”
That’s not an excuse. It also perpetuates myths about GNU/Linux being “hard to use”. “Still,” he continues, “it’s a PR hit for Microsoft, a company that has been earning a lot of goodwill lately.”
That’s utter nonsense as well. As pointed out in part 6 above, Microsoft just manipulates the media (or relies on boosters like Patrizio) to make it seem as though it changed its attitude. As we’ve pointed out in 3 recent articles, there are changes in tendering processes worldwide. Microsoft is pretending to be Open Source because of new policies that require procuring Open Source software, e.g. in India. Yesterday KV Kurmanath planted a Microsoft puff piece in The Hindu Business Line, relaying the bogus narrative of Microsoft as “Open Source”. People must react and counter these lies or else Microsoft will become indistinguishable from Free/libre software, based on a reality-distorting campaign. Microsoft already pretends that Windows, its common carrier, is 'Open Source' or something along these lines. █
“It is no exaggeration to say that the national security is also implicated by the efforts of hackers to break into computing networks. Computers, including many running Windows operating systems, are used throughout the United States Department of Defense and by the armed forces of the United States in Afghanistan and elsewhere.”
–Jim Allchin, Microsoft
Summary: Amid highly misleading security-centric reports that rely on Microsoft’s bogus number of vulnerabilities (Microsoft already admitted hiding many of them) Techrights presents recent news about Windows ‘security’
Windows is not a secure operating system. It’s not intended to be, either (Microsoft's actions show that security is not the goal). One cannot ever patch NSA back doors safely. When these are patched, it’s already too late and newer back doors remain intact or are being added. Trusting Microsoft to secure Windows is misunderstanding the goal of Windows (‘privileged’ access) and, as Stuxnet serves to remind us, the real owners of Windows are spy agencies, not people who use Windows (renting it from Microsoft in exchange for payments). See this new report titled “Stuxnet Redux: Microsoft patches Windows vuln left open for FIVE YEARS”. It says that “[w]hile most of the attention this Patch Tuesday has been focused on the FREAK encryption vulnerability, Microsoft’s latest batch of fixes also addresses another longstanding threat to Windows: Stuxnet.” So they hadn’t fixed it for so long and finally decided to do something about it? Knowing that espionage agencies were exploiting holes and taking control of PCs that have Windows installed? Wake up and smell the coffee. These actions speak volumes.
Adding insult to injury, last week we learned that “Microsoft RE-BORK[ED] Windows 7 patch after reboot loop horror”. To quote the report itself: “Reports are emerging that a twice-issued Microsoft Windows 7 patch is still causing pain for users, with some claiming the fix is triggering continuous reboots.
“The patch was first issued as KB2949927 and withdrawn in October due to system faults, before being re-released this week as KB3033929.”
So our conclusion is that even when Microsoft offers so-called ‘patches’ or ‘security’ there are negative consequences which are too risky to accept. For more information see this article titled “Problems reported with Microsoft patch KB 3002657, warning issued on KB 3046049”. A lot of people are still using Windows XP, which receives no patches at all. Some genius, eh?
Some Web sites are now claiming that the NSA and fellow espionage operations have been largely responsible for the SSL hole someone dubbed “FREAK”. Of course, despite media spin and a clear Microsoft role (perhaps inside knowledge becoming public), the flaw affects Windows as well (all versions) and Microsoft failed to properly address the problem when it was already known (advertised as public knowledge). “The response of Microsoft and cloud companies to the Freak vulnerability has been far too slow say commentators,” according to one British news site/magazine which focused on security. CBS covered this only after it had been wrongly spun as a Linux and Apple issue. “Microsoft was late with the announcement so that the press could focus on Android and iOS and make it look like their problem,” said iophk. Microsoft took many weeks to do anything, which gave enough time for passwords to be intercepted and for entire networks to be compromised. So again we are being reminded that Microsoft just doesn’t take security seriously. While some reports try to frame Windows as most secure because Microsoft hides many flaws and games the numbers to make the competition look bad, anyone with experience in this area ought to see that Microsoft’s encryption was always bogus, and very much by design! Here is another brand-new example of Microsoft ‘security’ in action: “Microsoft is scrambling to block a fraudulent HTTPS certificate that was issued for one of the company’s Windows Live Web addresses lest it be used by attackers to mount convincing man-in-the-middle attacks.”
Soon enough, based on some observers, Microsoft Windows-running “PC will become slower as it will serve the updates to another client.”
It is a peer-to-peer approach that externalises cost and liability. Is Microsoft really trusting this to work better given the above reports about man-in-the-middle attacks and fraudulent HTTPS certificates? Platforms with back doors cannot ever be relied on for serving security to other systems. It’s a collective compromise. Botmasters will love it!
Our last piece of relevant news deals with Pwn2Own. The headline says that “security [is] still a myth on Windows PCs” [via] and that it took just one day to crack Windows. To quote: “Day one of the 2015 Pwn2Own hacking contest in Vancouver, Canada, saw big wins for contestants and headaches for software makers: competing teams successfully exploited fresh vulnerabilities in Adobe Flash and Reader, Microsoft’s Windows and Internet Explorer, and Mozilla’s Firefox, to hijack PCs.”
Was it Firefox on Windows as so often is the case? Not even Tor is secure on Windows. █
Summary: Shifting focus to the root problem, which is neither Lenovo nor its laptops but the non-free programs installed on hardware
When it was revealed that governments had constructed Stuxnet to sabotage computers, almost all reporters refused to call out Windows, despite Stuxnet being exclusive to Windows. The same is happening right now in relation to Superfish. We posted links to a lot of articles about it (see our daily links for about a dozen) and none of them bothered reporting the fact that only clients of Microsoft (the NSA’s ally) were affected. Having watched dozens of articles about it we can say that hardly a single article emphasised that it only affects Windows. Lenovo says it didn’t know about it and, given the shadowy background of Superfish (its CEO came from the surveillance complex), it’s possible that Lenovo was tricked or bribed into installing this back door.
The CBS-owned ZDNet has Microsoft booster Mary Branscombe spinning the Superfish scandal to even imply that people should “love Windows”. Well, at least she points out that it’s a Windows issue, although that’s not her intention (she is just a Microsoft mouthpiece seeking to divert blame).
Robert Pogson responded to Branscombe by stating:
I recommend everyone switch to GNU/Linux. It’s easy. Demand your local retailers sell them. Shop online for a GNU/Linux PC. Heck, install it yourself. Heck, you can even get that other OS to start the process. I recommend Debian GNU/Linux, software that works for you, not some corporation with the morality of a snake. The beauty of it is that the licence you get with the downloads includes the right to examine, modify and distribute the software, so you can cut out all that third-party crapware, if there were any. Debian doesn’t bother attaching crapware to PCs it doesn’t sell…
It’s not just that. Windows, with or without crapware, has back doors. GNU/Linux does not. Free software is essential for those who pursue real computer security, as opposed to so-called ‘national security’.
Here is the statement that the FSF has just made about it (hours ago):
Security experts have discovered a highly threatening vulnerability in software preinstalled on some Windows computers manufactured by Lenovo through January 2015. Extreme negligence on the part of Lenovo and unscrupulous programming by its adware partner Superfish seem to have caused the vulnerability.
The FSF does point out that it’s a “Windows computers” issue. Well, there is no such thing as “Windows computers”, as such computers can have Windows wiped and GNU/Linux installed instead. Lenovo’s ThinkPads, which originally came from IBM, are famously GNU/Linux-friendly. █