
09.15.19

‘Open Source’ You Cannot Run Without Renting or ‘Licensing’ Windows From Microsoft

Posted in Apple, Free/Libre Software, Microsoft, Security, Vista 10, Windows at 8:30 am by Dr. Roy Schestowitz

“I would love to see all open source innovation happen on top of Windows.”

Steve Ballmer, Microsoft CEO

“[Windows Vista DRM] seems a bit like breaking the legs of Olympic athletes and then rating them based on how fast they can hobble on crutches.”

Peter Gutmann

Summary: When so-called ‘open source’ programs strictly require Vista 10 (or similar) to run, how open are they really and does that not redefine the nature of Open Source while betraying everything Free/libre software stands for?

What good is “open source” that needs a back-doored, proprietary operating system (proprietary meaning the back doors cannot be removed) with spying and DRM just to run it? We recently wrote about this kind of situation, offering examples from both Apple and Microsoft.

Here comes another new example from GHacks (lots of those lately; mostly from this site). “Sandboxie, a sandbox program for Microsoft’s Windows operating system, has been turned into a free application.” Freeware. And they say “soon open source” without specifying a licence or anything. Might as well turn out to be vapourware at the end…

Tabloid troll Catalin Cimpanu is already openwashing this proprietary software based on a promise from Sophos alone. Let’s rejoice “open source” that runs only on Windows. CBS and its tabloid ZDNet are once again proving to be Microsoft propaganda and this article comes from the person who constantly slanders Linux. Help Net Security said: “Sophos plans to open-source Sandboxie, a Windows utility that allows users to run apps in a sandbox. Until that happens, they’ve made the utility free.”

BetaNews — just like the above — put “open source” in the headline even though it’s only freeware. Great! And even though it’s Windows only; just like Steve Ballmer wanted…

When “open source” runs only on a proprietary platform with NSA back doors what is it really worth? Is it good for anything? Also, it’s not security; just illusion of it…

They claim that these applications improve security, but these applications only run on a platform with NSA back doors. Here’s another new example, this one of an “app” that only runs on iOS. “If you’re looking for an alternative for Google Authenticator, Microsoft Authenticator, LastPass Authenticator, or Authy, you may want to give Authenticator a chance,” it says. How does that improve security? The underlying operating system has well known back doors. The company that monopolised maintainership works with the NSA and is in the PRISM spy programme. Ed Snowden’s leaks provided actual evidence and 2 years ago Wikileaks added more with Vault 7.

A similar example was covered 3 days ago by GHacks: “WinOTP Authenticator is an open-source alternative for WinAuth”

The “Win” means Windows; it means you lose security. You lose privacy. When “open source” runs only under proprietary software stacks with NSA back doors, such as Vista 10 (strictly in this case), a vendor can only pretend it offers security…

One of the virtues extolled by Free software proponents is superior security; well, how much do such claims hold when one must rent (license, temporarily) a bunch of dodgy binaries from NSA partners to run the said program/s? Notice that all the above are security-oriented programs but not a single platform without NSA back doors is supported.

09.09.19

Security Boulevard is a Microsoft-Connected Attack Site Created by a Free Software-Hostile Person

Posted in Free/Libre Software, FUD, Microsoft, Security at 1:04 am by Dr. Roy Schestowitz

Anti-FOSS is to be expected. It’s the business model.

Alan Shimel
This is the founder of Security Boulevard attacking Stallman simply because he occasionally speaks of Palestinians’ human rights (article bumped up by the publisher earlier this summer)

Summary: Free/Open Source software (FOSS) is being discredited using an aggregator of Microsoft-connected FUD firms, concurring with or confirming the Halloween Documents that suggested attacking FOSS by proxy

Our daily links can be tricky to prepare because we’re reluctant to link to FUD and misinformation. So years ago we added the “Openwashing” section to it and under “Security” we often add editorial comments (corrections and clarification attempts). The FUD typically comes from the same domains. For instance, sites called “Windows” something or “Microsoft” something are likely to be Linux-hostile sources (sometimes they push Vista 10 under the guise of “Linux”, e.g. WSL).

A lot of FOSS FUD is also sourced back to ZDNet, which became an anti-FOSS propaganda machine, funded in part by Microsoft (Microsoft buys ads and bias from CBS, the parent company). Last night we saw “Lilu/Lilocked ransomware has now infected thousands of Linux servers” (this is the third such ‘report’ we see; it started with ZDNet where this got disseminated and spun as a major “Linux” issue).

Then there’s Security Boulevard, where the ‘content’ is rarely original. They mostly attack licensing and security aspects of Free software. It’s endemic. This gateway-as-a-’news’-site acts as an amplifier/loudspeaker/megaphone of anti-FOSS firms, usually Microsoft-connected ones. WhiteSource is to Microsoft the ‘new’ Black Duck and it’s a regular feature there, along with Black Duck’s parent company, Snyk, and other parasites looking to sell themselves by bashing FOSS.

Security Boulevard and WhiteSource are now working together on a “webinar” (published days ago); WhiteSource also works closely with Microsoft (co-authoring anti-FOSS papers and they are formally partners). This means that Shimel at Security Boulevard is indirectly in bed with Microsoft and is likely ‘in it’ to attack FOSS. It’s not hard to see whose voice he’s looking to facilitate. His track record was mentioned here last month and many times a decade ago when he published FOSS-hostile pieces in IDG’s “Open Source” section [1, 2, 3, 4, 5] (also see the screenshot at the top). That section of IDG (the “Open Source Subnet”) was, at least at the time, infested with people who neither understood nor liked FOSS. In fact the “Open Source Subnet” was like an extension of their “Microsoft Subnet”; only the titles varied.

As recently as days ago we saw Microsoft-connected firms (anti-FOSS FUD firms, including WhiteSource, as we noted half a decade back) again being boosted with their anti-FOSS venom by this anti-FOSS, anti-RMS, pro-Microsoft Shimel-founded Security Boulevard. It’s like its sole role is to propel these firms into Google News, ‘dressing up’ corporate lies as ‘news’.

Be careful, people; the site is pure poison which amplifies more poison. It amplifies Microsoft partners, whose principal role is delegitimising FOSS.

07.30.19

Microsoft Kills: An Introduction

Posted in Microsoft, Security, Windows at 2:42 am by Dr. Roy Schestowitz

“Our products just aren’t engineered for security.”

Brian Valentine, Microsoft executive

Microsoft gives NSA backdoor, complains about exploits

Summary: Unfit-for-use Windows, as well as other software from Microsoft, has a high mortal cost (not just monetary cost) that the media fails to properly report on

It is no secret that the use of Microsoft Windows causes many fatalities. In our daily links we’ve included hundreds of links to press articles about hospitals getting stung/hit by ransomware, among other modern menaces that follow a digital compromise (seizure of hospital facilities and equipment). This is killing a lot of Americans every day, but corporate media is not talking about it (not in the correct terms) and it is habitually misplacing blame. The media and NSA-like agencies, for example, couldn’t care less about the role of back doors (making systems deliberately less secure); it’s more important for them to maintain back doors on almost every computer on the planet (at the expense of people/patients who die from these back doors).

Sometimes the media mentions what the compromised systems were built on, but usually it’s intentionally obscured. In this series we shall explain that it’s typically Windows. We shall soon be covering Microsoft’s role in killing patients. By all means Microsoft is culpable and it isn’t just incompetent and corrupt; people actually die — sometimes in big numbers — because of these criminals who work with the state and bribe states; they put their insecure-by-design systems inside hospitals. Gates and his flunkies would of course blame the victims, notably these hospitals.

Before we commence this series, which will be based on inside sources, here are some news clippings of interest (recent news). It serves to show that these incidents aren’t even rare anymore. They’ve become a sort of new ‘norm’ — however menacing and disturbing a norm.

[Screenshots: 31 news clippings about Windows ransomware incidents (windows-ransomware-1 through windows-ransomware-31)]

07.20.19

Slack Committed a Very Major Crime That Can Cost Many Billions If Not Trillions in Damages for Years to Come

Posted in Security at 5:32 am by Dr. Roy Schestowitz

Bankruptcy must follow, maybe arrests as well (the company’s logo gives away the company’s real worth and values)

Slack's new logo is a penis swastika

Summary: The inevitable has happened to Slack, which no longer deserves to exist as a company; moreover, the people who ran the company must be held criminally accountable

To say that Slack got merely “compromised” would be the understatement of the decade. Yes, it did in fact get compromised, but it’s a lot worse. It’s far worse than a compromise per se. We’re going to explain, starting with the basics.

Slack is malware. Not just the ‘app’. Their Web site hardly works with any Web browser – they want the very worst and privacy-hostile browsers to be used for extraction of data. It’s a resource hog because it’s malware disguised as an IRC ‘clone’.

Slack the ‘app’ is literal malware. It follows you around if you install it on a phone. The browser side is also malicious, but it’s less capable of geographical/location tracking. They use it for data-mining. See the source code (page source at least). It’s malware. GDPR should be applicable here and we suspect that EU authorities have not assessed that aspect just yet.

Slack is not a communications platform but a data harvester with an interface that looks like a communications platform. What it is to users isn’t what it is to Slack, the company. The Electronic Frontier Foundation (EFF) issued strongly-worded warnings about Slack and even Microsoft, the NSA back doors giant that kick-started PRISM, outright banned Slack for security reasons! Yes, Slack is really that bad. We won’t even call this ‘anticompetitive’ on Microsoft’s behalf; Microsoft does have a few engineers and they very well understand what Slack is and why it must be avoided. Even unqualified Microsoft hacks can understand that. Slack was always a ticking time bomb, which I warned about before, e.g. here in Tux Machines. I very much foresaw the latest disaster. I did all that I could to spread information about it, at the very least to ensure people are forewarned. Now I feel vindicated, but how much damage will be done for years if not decades to come? It’s difficult to assess or measure because it’s almost impossible to track the sources of rogue actors’ data.

Slack did not have a mere ‘incident’. It was a CATASTROPHE! They knew about it for quite some time (at higher levels, too). It’s the complete doomsday scenario, an equivalent of having one’s own Jabber server completely and totally hijacked, and all communications in it (names, passwords) stolen. But in the case of Slack millions of businesses are affected. In one fell swoop. Just like that. Even the public sector. Military, hospitals, you name it…

Slack got totally ‘PWNED’, but they won’t admit that. They will lie about the extent of the damage, just like Yahoo and Equifax did (each time waiting months before revealing it was orders of magnitude worse). They game the news cycle that way. People must assume that all data is compromised. Everything! Slack sold everyone out and gave everything away. Even those who paid Slack (a small minority) were betrayed.

This is a major, major, MAJOR catastrophe. Businesses and their clients’ data is on Slack. Even HR stuff, which gets passed around in internal communications. Super-sensitive things like passwords, passports and so on.

Who was Slack data copied by? Mirrored or ‘stolen’, to put it another way? Possibly by rogue military actors that can leverage it for espionage and blackmail, as many do. Covertly. You rarely hear about blackmail because that’s just the nature of the blackmail. It happens silently. It’s like ‘hush money’.

Some would say Slack got “hacked” (they typically mean cracked). But it’s actually a lot worse than getting cracked! We’ll explain further…

About a month ago Slack got to its IPO milestone, the legendary capitalist pigs’ initial public offering (which one can reach even while making massive losses like Uber does). Big day for Slack! These people can pretend to be billionaires ‘on top of the world’. But they’re not. Especially as they’re not profitable at all and there’s no business model other than spying…

So for years these people consciously covered up this massive incident. Slack is therefore a criminal organisation. It must be shut down as a matter of law. These operations are illegal.

To prevent the company from totally collapsing Slack lied to millions of people and businesses. That’s a fact. To save face…

So the only justice now would be federal and private lawsuits, forcing this company to shut down. Will anyone be arrested? Unlikely. White-collar crimes are ‘special’. No jail time (or rarely any, except as a symbolic token to the public, e.g. Madoff after the financial collapse more than a decade ago).

Slack didn’t just “mess up”. It broke the law; yes, it committed an actual crime by not informing the customers. They would change passwords etc. had they known. But Slack did not obey the law. It did not inform customers. It announced all this after the IPO, in order to make shareholders liable, and it did so late on a Friday (to minimise press coverage about this likely crime). The shareholders too should sue for concealment of critical information.

This is a very, very major scandal for Slack and if the company survives at the end, then it only means one thing: crime pays! Crime pays off. Just that. Because they committed a very major crime. Consciously. Now they need to hire PR people and lawyers. Maybe they can also bribe some journalists for puff pieces that belittle the severity of this mere ‘incident’.

As we said at the start, Slack is technically malware. Slack is surveillance. This is their business model, which isn’t even successful (so they will likely get more aggressive at spying or holding corporate data hostage in exchange for payments). For example, scrolling limits. This is like ransomware. It preys on businesses desperate to access their own data. They try to ‘monetise’ separating businesses from their data/infrastructure. It’s inherently unethical. It’s like a drug dealer’s business model/mindset.

Slack basically bet on being a ‘spy agency’ (without all the associated paperwork). And later they got cracked, passing all their surveillance ‘mine’ (trove) to even more rogue actors than the company itself. The Slack ‘incident’ doesn’t affect just Slack. Companies everywhere can now be held legally liable for having put their information on Slack servers. It’s an espionage chain. Centralisation’s doomsday in action…

Companies may never know if past system breaches, identity thefts etc. were the fault of Slack. It’s hard to prove that. But it’s guaranteed to have happened. Moreover, there are future legal ramifications.

Slack knew what had happened and why it waited all this time. This waiting makes the crime worse. This scandal can unfold for quite some time to come. The ramifications are immense! And we might not even know the full extent of these (ever). Privacy-centric competitors of Slack already capitalise on this very major scandal and use that to promote themselves; Keybase for instance…

It would be wise to move to locally-hosted FOSS. However, that would not in any way undo the damage of having uploaded piles of corporate data to Slack and their compromised servers.

Are managers at Slack criminally-liable? Probably. Just announcing this scandal after an IPO and late on a Friday when many people are on holiday won’t save Slack. They need to go bankrupt faster than the time period since their IPO. Anyone who still uses Slack must be masochistic.

In the coming days many companies will come to realise that for years they tactlessly and irresponsibly gave piles of personal/corporate data to Slack and now a bunch of crackers around the world have this data.

“Trusting our data with one company isn’t feasible,” one person told me this morning. “The data lasts forever & we must expect that our worst enemies will have it or get it with small time delay. Otherwise encrypt everything which slows everything down & complicates everything making those “safe” uncompetitive.” That’s now how Slack works.

We expect Slack to stonewall for a while, saying that it’s the weekend anyway. Slack lied to everyone for years. They’re a bunch of frauds. Anyone who now believes a single word that comes out of their mouths is a fool. They also committed a crime (punishable by law) with these lies. When it comes to Slack, expect what happened with Yahoo: first they say it’s a small incident; months pass; then they toss out a note to say it was actually big; a year later (when it’s “old news”): 3 BILLION accounts affected. Anyone who now believes the lies told by Slack’s PR people deserves a Darwin Award. These scammers lost millions/billions for years just pursuing an IPO (others bearing the losses); they lied, like frauds (like Donald Trump), just to get there (the IPO). Now, like Yahoo, they will downplay the scope of impact. A lot of companies can suffer for years to come (e.g. data breaches, identity theft). These troves of Slack data are invaluable to those looking to use them to blackmail people, take over servers, discredit people, and generally cause complete chaos, even deaths. We’ll soon do a series of articles showing how Microsoft caused deaths at hospitals.

07.14.19

GitHub is Microsoft’s Proprietary Software and Centralised (Monopoly) Platform, But When Canonical’s Account There Gets Compromised Suddenly It’s Ubuntu’s Fault?

Posted in Deception, Free/Libre Software, FUD, Microsoft, Security, Ubuntu at 12:22 am by Dr. Roy Schestowitz

One year ago: GitHub as the Latest Example of Microsoft Entryism in Free/Libre Software


Summary: Typical media distortions and signs that Microsoft already uses GitHub for censorship of Free/Open Source software that does not fit Microsoft’s interests

Corporate media is toxic rubbish and its business model typically involves serving the companies covered. This is why the media keeps framing the latest GitHub censorship as a GitHub issue (it’s actually Microsoft using its control over GitHub to delete particular ‘naughty’ FOSS [1,2]) and earlier this month Ubuntu received a lot of negative press after its steward’s GitHub account had been compromised. Microsoft was not even mentioned. This is all very typical and we responded to that briefly in our daily links. This is the kind of thing one can expect when Microsoft pays so much money to the media, e.g. in the form of advertising.

Related/contextual items from the news:

  1. GitHub Removed Open Source Versions of DeepNude [Ed: The new company is a Microsoft censorship tool. Every image editor can be used to make fake nudes of people. Even image sequences. Will Microsoft ban image editors too? Don't even think about criticising Microsoft for its crimes in some comments, commits or code at GitHub as they might suspend the account.]
  2. Deepfake DeepNude app’s open source versions removed from GitHub [Ed: Microsoft is doing censorship of FOSS and playing/acting as morality police. Maybe banning encryption software (with no back doors) is next on the agenda because of the terror scare.]

08.31.17

Patent Trolls Are Under Attack and on the Run

Posted in America, Antitrust, Courtroom, Patents, Security at 5:51 pm by Dr. Roy Schestowitz

“I would much rather spend my time and money and energy finding ways to make the Internet safer and better than bickering over patents.”

Dean Drako, Barracuda’s CEO

Summary: Wetro Lan LLC panics and pays ‘protection’ money after a failed trolling attempt; MPEG-LA too is under fire, as an antitrust lawsuit has finally been filed against it

Earlier today we found two interesting reports, one from Dale Walker and another from Joe Mullin, who has been tracking and writing about patent trolls for about a decade. Following TC Heartland we certainly hope that things will change; patent trolls will hopefully altogether go out of business [sic] some time soon. Extortion and racketeering have no value/benefit to the economy.

Walker explained how the latest twist of events got started: “The Moscow-based security company [Kaspersky] was first approached by a patent holder in October last year, who issued a patent lawsuit and demanded a $60,000 cash settlement to make the case disappear.”

Guess what happened instead (and not for the first time).

The tables are turning. Wetro Lan and other patent trolls find themselves on the run when they may be forced to pay the defendant’s legal fees and sometimes lose their patents too. This is what happened in this latest case. To quote Mullin:

The patent-licensing company, Wetro Lan LLC, owned US Patent No. 6,795,918, which essentially claimed an Internet firewall. The patent was filed in 2000 despite the fact that computer network firewalls date to the 1980s. The ’918 patent was used in what the Electronic Frontier Foundation called an “outrageous trolling campaign,” in which dozens of companies were sued out of Wetro Lan’s “headquarters,” a Plano office suite that it shared with several other firms that engage in what is pejoratively called “patent-trolling.” Wetro Lan’s complaints argued that a vast array of Internet routers and switches infringed its patent.

This is the key part:

As claim construction approached, Kaspersky’s lead lawyer Casey Kniser served discovery requests for Wetro Lan’s other license agreements. He suspected the amounts were low.

Finally there’s this:

On a post to his personal blog detailing the victory against Wetro Lan, founder and CEO Eugene Kaspersky says his company has now defeated five claims from patent assertion entities, including the infamous claims from Lodsys, a much-maligned patent holder that sent demand letters to small app developers. Lodsys dropped its case against Kaspersky right before a trial.

While the company has spent plenty in legal fees, its total payout to so-called “trolls” has been $0. Firms that engage in “trolling” know that companies often simply settle instead of dealing with the costs and pain of a court litigation.

Kaspersky and others in his field do not like software patents. They speak out about it (occasionally).

The above reveals an interesting strategy where neither invalidation nor (legal) fee awards act as the deterrent; it’s discovery requests. Apropos, Patently-O published this short post earlier today about the meaning of “all expenses,” noting a new CAFC decision where the judgment “was split – with Judges Prost and Dyk in majority and Judge Stoll in dissent and arguing that the term “expenses” is not sufficient to overcome the traditional american rule regarding attorney fees.”

The second story we found today came from IAM, which revealed MPEG-LA as the target of litigation, for a change (background about this troll can be found in our Wiki). Patent trolls can, as it turns out, be sued, this time using antitrust law. This gigantic troll is in hot water not only in the far east, with the lawsuit actually being filed in the US:

Chinese appliance maker Haier has filed an antitrust lawsuit in the Northern District of New York against MPEG LA and six licensors that are part of its ATSC patent pool. The complaint accuses the companies and pool administrator of a range of anti-competitive practices affecting the market for televisions, the effect of which it says is to disadvantage implementers like Haier which compete on price at the lower end. For that reason, Chinese companies – many of which have argued that their low margins entitle them to different patent licence terms – will be interested to see how far this case goes.

It’s nice to see the patent trolls getting a taste of their own ‘medicine’ (or poison). It’s now them who find themselves needing to shell out ‘protection’ money.

02.09.17

OpenSUSE’s (or SUSE’s) Refusal to Publicly Acknowledge It Got Cracked Shows Face-Saving Arrogance Just Like Novell’s

Posted in Deception, Novell, OpenSUSE, Security, Servers, SLES/SLED at 6:16 am by Dr. Roy Schestowitz

SUSE (or MicroFocus) won’t even tell customers when its systems are in fact compromised

Novell cuffs

Summary: The same old and very notorious behaviour we found in Novell persists at SUSE under MicroFocus leadership; security neglected and keeping up appearances more important than honesty

Techrights wrote many thousands of articles about Novell. We know Novell extremely well and we have documented its terrible behaviour for over half a decade, well before we began focusing on the EPO for example. As we shall show later, in a separate post, Microsoft’s and Novell’s “IP Peace of Mind” is making a comeback (as of last night), but right now we wish to focus on the crack I first wrote about on Monday (it has since then generated some press coverage, e.g. [1-3] below).

A lot of people still miss the key point. IDG even went ahead with a rather misleading headline, as did Softpedia; rather than state the actual news (that OpenSUSE got cracked) the title says or overstates the ‘damage control’ from SUSE, diverting attention to what was not affected rather than what was affected (a politician’s trick). We used to see lots of that kind of spin back in the Novell days and the 2 articles below, having sought comment from SUSE, give SUSE the benefit of the doubt here. Remember that no evidence has been presented by SUSE and moreover the gross negligence here is a bad sign in general. That’s just “faith-based” security. My article about it was so short that it was mostly a screenshot, yet we understand that further coverage is on its way. So let’s elaborate a little. “They were using an outdated version of WordPress and got zapped,” one person wrote to me after I had published my findings. “It was just the front-end, no code was touched.” But says who? SUSE? Can we believe them?

Whatever caused the defacement, it shows that they lost control of their platform. They did get cracked. Softpedia reported that “openSUSE devs immediately restored the news.opensuse.org website from a recent backup” (so the back end too appears to have been compromised).

Nobody has yet covered that issue as properly as we hoped (poor security practices at SUSE) and the fact that they COMPLETELY FAILED or refused to publicly acknowledge what had happened is a serious aspect of it. We waited patiently to see if an announcement would be made by then, even a reassurance that users should not worry. But nothing came out! To this date (half a week later). They attempted to cover it up, which is BAD BAD BAD. For a so-called “Enterprise-Grade” thing which SUSE tries to market itself as (selling SLE*) this is a serious breach of trust. Who would trust SUSE now?

3 news sites and my own site wrote about it, but not a single word has been uttered by SUSE. They know they got cracked and they are not telling anyone, except when journalists ask them for comment (and press them with evidence).

OpenSUSE has a history of security issues in its sites (see “openSUSE Forum Hacked; 79500 Users Data Compromised” from 2014). Where are the reporters who are willing to ask SUSE some tough questions? Don’t let this slide. If someone injected a back door inside SLED and SLES, SUSE would probably say not a thing, only belatedly removing it and then lying about the whole thing, just like Microsoft does.

In the news:

  1. Kurdish Hacker Posts Anti-ISIS Message on openSUSE’s Website, Data Remains Safe

    Softpedia was informed by Dr. Roy Schestowitz that the openSUSE News (news.opensuse.org) website got defaced by Kurdish hacker MuhmadEmad on the day of February 6, 2017.

    It would appear that the server where the news.opensuse.org website is hosted is isolated from the rest of openSUSE’s infrastructure, which means that the hacker did not have access to any contributor data, such as email and passwords, nor to the ISO images of the openSUSE Linux operating system.

    We already talked with openSUSE Chairman Richard Brown, who confirms for Softpedia that the offered openSUSE downloads remain safe and consistent, and users should not worry about anything. The vigilant openSUSE devs immediately restored the news.opensuse.org website from a recent backup, so everything is operating normally at this time.

  2. OpenSUSE site hacked; quickly restored

    The openSUSE team acted quickly to restore the site. When I talked to Richard Brown, openSUSE chairman, he said that “the server that hosts ‘news.opensuse.org’ is isolated from the majority of openSUSE infrastructure by design, so there was no breach of any other part of openSUSE’s infrastructure, especially our build, test and download systems. Our offered downloads remain safe and consistent and there was no breach of any openSUSE contributor data.”

    The team is still investigating the reason for the breach so I don’t have much information. The site ran a WordPress install and it seems that WordPress was compromised.

    This site is not managed by the SUSE or openSUSE team. It is handled by the IT team of MicroFocus. However, Brown said that SUSE management certainly doesn’t want any such incident to happen again and they are considering moving the site to the infrastructure managed by SUSE and openSUSE team.

  3. Best Distros, openSUSE Whoops, Debian 9 One Step Closer

    In the latest Linux news, the news.opensuse.org got hacked and displayed “KurDish HaCk3rS WaS Here” for a while Monday and while the site has been restored, no comment on the hack has been issued. Elsewhere, Debian 9.0 has entered its final freeze in the last steps in preparations for release. FOSS Force has named their winner for top distro of 2016 and Swapnil Bhartiya shared his picks for the best for 2017. Blogger DarkDuck said MX-16 Xfce is “very close to the ideal” and Alwan Rosyidi found Solus OS is giving Elementary OS a run for its money. Phoronix.com’s Michael Larabel explained why he uses Fedora and Jeremy Garcia announced the winners of the 2016 LinuxQuestions.org Members Choice Awards.

    [...]

    openSUSE’s news portal was compromised Monday by a hacker or group of hackers called MuhmadEmad, via the message left in its place. A Kurdish flag with the message “HaCkeD by MuhmadEmad – KurDish HaCk3rS WaS Here” was displayed for hours before it was taken down and the site’s content restored. Roy Schestowitz has a screen capture and said that openSUSE has not yet publicly acknowledged the hack. Swapnil Bhartiya spoke to Richard Brown, openSUSE chairman, who said that site was isolated from most SUSE infrastructure, especially the distribution code. There was no breach of any contributor data either. The site in question is run by MicroFocus, but all are investigating to make sure it’s an isolated incident.

04.28.16

Latest Black Duck Puff Pieces a Good Example of Bad Journalism and How Not to Report

Posted in Deception, Free/Libre Software, FUD, Marketing, Security at 8:38 am by Dr. Roy Schestowitz

No investigation, just churnalism


Summary: Why the latest “Future of Open Source Survey” — much like its predecessors — isn’t really a survey but just another churnalism opportunity for the Microsoft-connected Black Duck, which is a proprietary parasite inside the FOSS community

THE “Future of Open Source Survey” is not a survey. It’s just Black Duck’s self-promotional (marketing) tripe packaged as a “survey”. This is a common PR tactic; it’s not unique. We wrote about this so-called ‘survey’ in several articles in the past, e.g.:

We now have more of the same churnalism and it comes from the usual ‘news’ networks, in addition to paid press releases. When we first mentioned Shipley 8 years ago he was busy doing one nefarious thing, and two years ago we saw him joining the Microsoft-connected Black Duck. He is quoted as saying (CBS) that “the rapid adoption of open source has outpaced the implementation of effective open-source management and security practices. We see opportunities to make significant improvements in those areas. With nearly half of respondents saying they have no formal processes to track their open source, and half reporting that no one has responsibility for identifying known vulnerabilities and tracking remediation, we expect to see more focus on those areas.” Thanks for the FUD, Mr. Shipley. So where do I buy your proprietary (and software patents-protected) ‘solution’? That is, after all, what it’s all about, isn’t it? The ‘survey’ is an excuse or a carrier (if not a Trojan horse) for proprietary software marketing.

Here is similar coverage from IDG and the Linux Foundation, whose writers did little more than repeat the talking points of Black Duck after the press release got spread around.
