The great power of lies and gullible journalists
Summary: Microsoft’s partner Alert Logic is trying to label a feature of Linux a security flaw and even makes marketing buzz for it
If a reporter or two can be bamboozled into printing a lie (digitally distributing it), this can lend some credibility/legitimacy to the lie and then it is possible that the lie will spread and be echoed in other reports. Hence the importance of this matter.
Several journalists have already rebutted something that I debunked some days ago when I first saw some nonsense about “Grinch” with a suitable “marketing” image. Here is one rebuttal among a few:
The Grinch flaw was reported by Stephen Cody, chief security evangelist at Alert Logic. Cody alleges that the Grinch flaw enables users on a local machine to escalate privileges. Leading Linux vendor Red Hat, however, disagrees that the Grinch issue is even a bug and instead notes in a Red Hat knowledge base article that the Grinch report “incorrectly classifies expected behavior as a security issue.”
The original security researcher that reported the Grinch found that if a user logs into a Linux system as the local administrator, the user could run a certain command that would enable the user to install a package, explained Josh Bressers, lead of the Red Hat Product Security Team.
“Local administrators are trusted users,” Bressers told eWEEK. “This isn’t something you hand out to everybody.”
We believe it was Joab Jackson (IDG) who first gave a platform to the Microsoft partner (Alert Logic) that used marketing buzz and a lie against Linux, soon to be rebutted by Red Hat. I had contacted Mr. Jackson, who later told me that he posted a follow-up (or correction).
Jackson’s correction may have come too late, as we saw the lie spreading to a few other news sites later on (thankfully not too many sites). Here is one example of garbage ‘reporting’ (FUD and lies), generated by the FUD firm with a catchy name, sort of logo etc. (generated by a Microsoft partner, we might add). Apart from Jackson’s piece we saw at least 3 more such articles (which came afterwards). How many are going to post a correction? How many articles will be withdrawn? How many follow-ups will be published? Tumbleweed. Silence.
It is usually Windows that has zero-days during Christmas, not GNU or Linux. There was recently other nonsense with a name, claiming to be a flaw when it was actually some other malware (potentially developed by the Russian government) that users actually have to install (not from repositories) to be infected by. It was akin to a phishing attack, but it was widely used in the press (even in IDG, Jackson’s employer) to characterise GNU/Linux as insecure.
Remember what the Microsoft-connected firm did with "Heartbleed" (the name it made up with a promotional logo). It’s all about marketing and hype. They are trying to change perceptions around Free software security. What matters is what people remember, not the truth. This is all about discouraging users or buyers.
A reader has alerted us about this article from Armenia. “Note the job title of the ‘softer,” he said. Here is the relevant portion:
Armenia’s Minister of Defense Seyran Ohanyan received Microsoft Corporation’s Regional Director for Public Safety/National Security/Defense Robert Kosla.
Joke or real? It sounds like a joke, but they are definitely not joking. Armenia talks to the NSA’s biggest partner and back doors-loving company about ‘security’, so seeing the job title from Microsoft is truly hilarious! Microsoft is good at insecurity and lies, not security. █
“Our products just aren’t engineered for security.”
–Brian Valentine, Microsoft executive
Summary: The power of media spin makes the idea of hosting Free software under the control of an NSA PRISM and back doors partner seem alluring
In the spirit of tackling FUD we thought it would be worthwhile to tackle spin regarding the news of Ubuntu Core (news that already appears in our daily links).
Microsoft boosters such as Microsoft Gavin try to frame it as Microsoft news, saying: “A smartphone-inspired version of Ubuntu Server for Docker minimalists has been revealed with initial backing from Microsoft.” The headline is even worse. It’s deceiving for the sake of drama.
The news is not about Microsoft. This is what is called bias by omission or selection — similar to this lousy piece from Lance Whitney, former staff of Microsoft media whose latest propaganda is now omitting an old disclosure saying that he is Microsoft’s ‘former’ staff and uses US-only spin to make Android look bad (the US is not the whole world and economic advantage favours overpriced phones).
Several readers have told us that the article “Canonical restructures Ubuntu in mobile mode; Microsoft is first partner” had been removed (we searched the site to verify this) before it was reinstated. How odd. No explanation was given, and while it was gone we made a copy from the Google cache of the article, very shortly after it had been deleted, then created a permanent archive of the removed version. We wrote publicly at around noon yesterday about how this article vanished after it had been posted (just shortly before we made copies from Google cache and also used archive.is). We later compared the version we had archived with what was reinstated and found no obvious differences in the text. Well, maybe the problem was purely technical, but the content of the article from Paul Gillin was curious, not just the angle. A reader of ours explained: “Below is the text of an article which just disappeared. It was online for only a few hours but contains some very incriminating statements. More might show up later, but for now this is all I have. It sure explains why the Ubuntu forums moderators/staff have been slamming RMS and censoring critique of Microsoft and His Billness – in any context.”
“The situation is bad,” explained our reader. “The previous article was not a mistake” because there is other coverage although it does not provide the Microsoft spin, including phrases such as those highlighted in Diaspora. The factual part is this:
Ubuntu Core is now available on Microsoft’s Azure cloud.
This, however, is not the main news. A lot of effort was put into injecting some pro-Microsoft angle. Here is where promotional spin got injected (apart from the headline):
“Ubuntu Core is the smallest, leanest Ubuntu ever, perfect for ultra-dense computing in cloud container farms,” the company said in a press release. In a twist that’s sure to prompt a double-take from many industry veterans, Canonical chose the Azure cloud from longtime Linux foe Microsoft as its first deployment platform. “Microsoft loves Linux,” said Bob Kelly, Corporate Vice President at Microsoft, in a prepared statement.
“Microsoft has been a terrific steward of Ubuntu,” said Dustin Kirkland, product manager for Ubuntu Core, in an interview. “We have a very tight relationship.” The deal with Microsoft is exclusive for “a couple of weeks,” after which Ubuntu Core is expected to be available on all public clouds that currently support the operating system.
So ‘“Microsoft loves Linux,” said Bob Kelly, Corporate Vice President at Microsoft, in a prepared statement.’
This is part of the new lie which we wrote about in articles such as:
The problem with articles like the above is the pursuit of talking points to lull the victim into passivity, pretending that Microsoft is now like a “best friend” of GNU/Linux. All that Microsoft does with Ubuntu Core is put it under surveillance and back door control. That’s what Azure is about, as NSA leaks serve to demonstrate.
We could of course tackle some other propaganda if we had more time for writing (I am working full time myself). Consider this new UBM spin which pretends TrueCrypt is FOSS (it’s definitely not) and cites one bug (in OpenSSL) to pretend FOSS as a whole is less secure than proprietary software blobs. There is another ugly story making the rounds about a so-called attack on GNU/Linux machines (attributing it to a government, possibly Russia’s); all the stories we have found (over a dozen so far) neglect to say that the victim must install the rogue code himself or herself, it cannot really propagate except by the user’s stupidity or recklessness. Finally, there is another batch of stories about DCOS, which is backed by a Microsoft thug who boasted about “tilting into a death spiral” competitors of Microsoft and bankrolled Microsoft proxies. DCOS — like Azure — is attempting to control GNU/Linux guests at a higher level. IDG called it a “data center OS” that “allows single-source command for Linux servers”, potentially providing a back door. I have personally seen companies that manage hundreds of GNU/Linux servers from VSphere (proprietary from EMC, which is connected to RSA and hence NSA back doors) on top of Microsoft Windows (also back doors). Can EMC be trusted to not allow intrusion? Can Microsoft? These are rhetorical questions.
Anyone who is reckless enough to put an Ubuntu machine under Microsoft hosting sure has not been keeping up with the news. Canonical too would be reckless to recommend such a thing, but perhaps it has short-term thinking, pursuing Microsoft dollars at the expense of customers’ security. █
Summary: Errors in Windows that facilitate remote access and privilege escalation (affecting every version of Windows) continue to surface and those who fix these errors risk bricking their systems/services
Having just made (generated rather, using an online tool) the above meme to make an important point (pardon the “Windows” typo), we wish to bring together some recent news about Microsoft Windows, probably the least secure operating system in the world (by design). The NSA is involved in finalising Windows development and knowing what many people finally know about the NSA, it oughtn’t be shocking that Windows uses weakened/flawed encryption, enables remote access, etc.
Earlier this month there was a lot of press coverage about a massive flaw and an “emergency” patch for Windows. The NSA, for a fact (based on Snowden’s leaks), already knew about this. It knew about it before it was patched, as Microsoft tells the NSA about every flaw before patches are applied and flaws become common knowledge.
Stephen Withers, a booster of Microsoft from Australia, said that a “very old but only just fixed Windows vulnerability is the key to a new in-the-wild attack.
“Security vendor ESET says it has detected a real-life exploit for a vulnerability that’s been part of Windows for nearly two decades.”
So it’s not just exploitable by the NSA anymore.
Over at IDG, this flaw was said to have a botched ‘solution’. As the author put it: “Last Tuesday’s MS14-066 causes some servers to inexplicably hang, AWS or IIS to break, and Microsoft Access to roll over and play dead”
So patch or don’t patch, you have a serious problem either way. Welcome to the “professional” and “enterprise-ready” world of Microsoft.
As Microsoft boosters put it, “Microsoft has announced that they will be pushing an out-of-band security patch today. The patch, which affects nearly all of the company’s major platforms, is rated ‘critical’ and it is recommended that you install the patch immediately.”
To brick one’s system?
Here is what British press wrote about it:
MICROSOFT HAS ISSUED an emergency patch for the Kerberos Bug that could allow an attacker to perform privilege escalation in several versions of Windows.
In what will be the firm’s third emergency patch in the past three months, the fix arrives just a week after the monthly Patch Tuesday release.
In other curious news from the same source, British taxpayers’ money has just been wasted cleaning up the mess of Microsoft Windows with its baked-in back doors. Windows is being hijacked en masse, but the corporate media refers to it as “PC”, not Windows. This is a crucial omission. The insecurity of Windows is not always accidental. It was designed to be easy to access (only by the “Good Guys”, of course!). “THE UK NATIONAL CRIME AGENCY (NCA) has arrested five people,” said the British press, “as part of a crackdown on hackers who hijack computers using Remote Access Trojans (RATs).” It’s a shame that they don’t point out that it’s a Windows-only problem. It doesn’t even take much in terms of skill to hijack Windows, as many hackers and crackers can attest to. To quote this report: “The NCA said on Friday that it has arrested two 33-year-old men and a 30-year-old woman from Leeds, along with a 20 year-old man from Chatham in Kent and a 40-year-old from Darlington in Yorkshire.”
This 20-year-old cracker is about as old as the latest bug door from Microsoft. With 19-year-old flaws in Windows (“critical” too) it oughtn’t be hard to hijack Windows-running PCs by the millions and even by the billions. As this article put it, the flaw is very severe and “Microsoft’s out-of-band update yesterday fixes a profoundly serious bug: Any user logged into the domain can elevate their own privilege to any other, up to and including Domain Administrator.”
Robert Pogson wrote that Microsoft “told the world they were naked and now system administrators are scurrying around to make sure every system running InActive Directory has a patch.”
As usual, no logos and brand names for this bug, not even the huge media hype that we saw when GNU Bash and OpenSSL had a bug in them. Perhaps the media learned to accept that Windows is Swiss cheese, or more likely it is unconsciously complicit in Microsoft’s PR. █
Summary: With Aorato acquisition Microsoft helps protect the criminals (from whistleblowers) and with lies about .NET Microsoft distracts from a bug that has facilitated remote access into Windows (by those in the know) for nearly two decades
Microsoft is a company of liars, centred around media manipulation. This is why not enough people know about the company’s sheer levels of malice, crimes, and disregard for people.
Microsoft keeps throwing money around for favourable publicity, so not enough criticism is published where it’s well overdue. Today we’ll tackle several stories that deserve more attention from an appropriate angle, not a promotional (marketing) angle.
A few days ago Microsoft decided to buy a military-connected (IDF/Israel) anti-whistleblowing ‘software’ company. What a lot of shallow coverage failed to mention was the real purpose of the software (not often marketed as such). To quote one report: ‘“Snowden reportedly used colleagues’ passwords to access sensitive docs,” he told me. “Even if the user activity seems legitimate, the same account would actually present suspicious or abnormal behavior behind the scenes which Aorato would detect.”’
Actually, to keep the facts intact, the NSA leaks were made possible by GNU Wget on the leakers’ side (same as Bradley/Chelsea Manning) and that horrible Microsoft SharePoint on the leaked side (NSA). It means that Microsoft itself was the problem which it claims to be trying to solve. We mentioned the role of SharePoint several times before. The acquisition by Microsoft seems to be geared towards stopping whistleblowing and hence defending corruption (so that Microsoft, for instance, can defend the NSA). How ethical a move, eh? So much for the ‘champion’ of privacy it purports to be.
Anyway, there is a 19-year bug door in Microsoft Windows (almost no version is exempted from remotely-invoked full capture), but the press hardly covers it. We must give some credit to the BBC for covering it (for a change) and “calling out Windows”. Other British press covered other inherent issues in Windows (compromising Tor) and it looks like Dan Goodin is finally covering some security problems in proprietary software rather than always picking on FOSS, then hyping it up with ugly imagery and exaggeration.
A reader of ours suspects that the .NET announcement was designed to distract from horrible security-related news. The .NET announcement is nonsense because it’s false (we wrote two posts about the .NET PR nonsense) and it also predicts future events like Visual Studio going cross-platform, although the latest version of Visual Studio (proprietary) already runs under GNU/Linux using Wine, i.e. the Windows build works under GNU/Linux as it’s fully compatible anyway, for those foolish enough to want it. This is not news, and the same goes for Office and other well-known Microsoft software. Xamarin staff keep trying hard to infect GNU/Linux with .NET (that’s what they do) and, as this very stupid article about .NET shows, the .NET nonsense did indeed help bury the news about the bug door. This disgusting article even gives credit to Microsoft for having fixed a massive 19-year-old bug (only after IBM had found it). When bash or openssl have a bug, then FOSS is all bad, apparently. When Microsoft has a bug door for 19 years, the media says well done to Microsoft (for fixing it after another company forced it to). One has to wonder if this flaw (voluntary or involuntary) is part of Microsoft’s collaboration with the NSA, which made Stuxnet and has made yet another piece of Windows malware together with Israel. Here is a new article from The Intercept:
The Digital Hunt for Duqu, a Dangerous and Cunning U.S.-Israeli Spy Virus
Boldizsár Bencsáth took a bite from his sandwich and stared at his computer screen. The software he was trying to install on his machine was taking forever to load, and he still had a dozen things to do before the Fall 2011 semester began at the Budapest University of Technology and Economics, where he taught computer science. Despite the long to-do list, however, he was feeling happy and relaxed. It was the first day of September and was one of those perfect, late-summer afternoons when the warm air and clear skies made you forget that cold autumn weather was lurking around the corner.
Bencsáth, known to his friends as Boldi, was sitting at his desk in the university’s Laboratory of Cryptography and System Security, a.k.a. CrySyS Lab, when the telephone interrupted his lunch. It was Jóska Bartos, CEO of a company for which the lab sometimes did consulting work (“Jóska Bartos” is a pseudonym).
“Boldi, do you have time to do something for us?” Bartos asked.
“Is this related to what we talked about before?” Bencsáth said, referring to a previous discussion they’d had about testing new services the company planned to offer customers.
“No, something else,” Bartos said. “Can you come now? It’s important. But don’t tell anyone where you’re going.”
Bencsáth wolfed down the rest of his lunch and told his colleagues in the lab that he had a “red alert” and had to go. “Don’t ask,” he said as he ran out the door.
A while later, he was at Bartos’ office, where a triage team had been assembled to address the problem they wanted to discuss. “We think we’ve been hacked,” Bartos said.
They found a suspicious file on a developer’s machine that had been created late at night when no one was working. The file was encrypted and compressed so they had no idea what was inside, but they suspected it was data the attackers had copied from the machine and planned to retrieve later. A search of the company’s network found a few more machines that had been infected as well. The triage team felt confident they had contained the attack but wanted Bencsáth’s help determining how the intruders had broken in and what they were after. The company had all the right protections in place—firewalls, antivirus, intrusion-detection and -prevention systems—and still the attackers got in.
The ability to keep people’s rights away and keep the population down depends on passivity and conformity, including the use of Windows. Avoiding Microsoft Windows is imperative for those not wishing to be controlled remotely. As Microsoft’s collaborations with the NSA serve to show, mass surveillance on the whole world is practically contingent upon not just innovation but sabotage and social engineering with corporate buddies. Eradication of Microsoft software isn’t about competition only; it’s about justice. █
Related/contextual items from the news:
There are suggestions that the malware code has been around for a while, and has predecessors, and F-Secure warned internet users, anonymous or otherwise, to tread carefully when they download.
“However, it would seem that the OnionDuke family is much older, based on older compilation timestamps and on the fact that some of the embedded configuration data makes reference to an apparent version number of four, suggesting that at least three earlier versions of the family exist,” the firm added.
“In any case, although much is still shrouded in mystery and speculation, one thing is certain: while using Tor may help you stay anonymous, it does at the same time paint a huge target on your back.
“It’s never a good idea to download binaries via Tor (or anything else) without encryption.”
Three weeks ago, a security researcher uncovered a Tor exit node that added malware to uncompressed Windows executables passing through it. Officials with the privacy service promptly shut down the Russia-based node, but according to new research, the group behind the node had likely been infecting files for more than a year by that time, causing careless users to install a backdoor that gave attackers full control of their systems.
Summary: At many levels — from communication to storage and encryption — Windows is designed for the very opposite of security
To one who is aware of what Microsoft has been doing with the NSA since the 1990s it can be rather shocking to see entire nations relying on Microsoft Windows. As a quick recap, aided by one of our readers, back in the 90s there was this article stating: “Rubenstein, Microsoft attorney and a top lieutenant to Bill Gates. By his own account, Rubenstein acts as a ‘filter’ between the NSA and Microsoft’s design teams in Redmond, Wash. ‘Any time that you’re developing a new product, you will be working closely with the NSA,’ he noted.”
There is hardly any room for excuses or misinterpretation here. “How NSA access was built into Windows” is another important article from the German press and it was published back in the 90s. These older articles are merely a few among many more (some no longer accessible due to ‘Web rot’) which already made it clear that Bill Gates and Microsoft were fine with back-dooring billions of people. Gates continues to be a vocal proponent of the NSA, even to this date (after Snowden had leaked details that made the NSA exceptionally unpopular, internationally, like never before).
Anyone who still thinks that proprietary software is secure says quite a lot about his/her own intelligence (and disregard for facts). It is also widely known why it is risky to connect Free software to proprietary software, which basically compromises the trust that Free software carries with it. Germany, based on this new article from Dr. Glyn Moody, is beginning to see the light as well. Here is a portion:
You Can’t Trust Closed-Source Code – Germany Agrees
Similarly, moves by both Microsoft and Amazon, among others, to set up local data centres in the EU will not on their own protect European data unless that is encrypted by the companies themselves, and the cloud computing providers do *not* have access to the keys. Indeed, if the data is encrypted in this way, local storage is not so important, since the NSA will have an equally hard time decrypting it wherever it is held – as far as we know, that is.
Because of that recent US court judgment ordering Microsoft to hand over emails held in Ireland, many people are now aware of the dangers of cloud computing in the absence of encryption under the control of the customer. But very few seem to have woken up to the problems of backdoors in proprietary software that I mentioned at the start of this post. One important exception is the German government, which according to Sky News is working on an extremely significant law in this area…
The NSA could get back door access into all data stored in Windows and now it can get access to data stored remotely, too. It’s total surveillance. Not even encryption can help.
I was contacted by a manager from Microsoft last week and after we exchanged some messages about the farce which is encryption in Windows he no longer had a counter argument. He found out, after some research, that I was in fact right. I was previously (almost a decade ago) ridiculed by top-level Microsoft staff for suggesting that encryption in Windows could easily be subverted, by design. Around that time Microsoft’s Allchin was seemingly worried about back doors and he was quoted on it (the Allchin article is hidden to many as the link has changed). Some of it is very old, but we have written about Bill Gates’ support of back doors since the early days of this Web site. Microsoft back doors in Windows go beyond just remote access and descend down to encryption, caused by deficient-by-design (or generally bad) encryption. When we cited Cryptome’s findings we received overwhelming (and supportive) attention. The management from Microsoft tried to change our article (asking for changes) despite the article being correct. As stated in comments in Soylent News: “when my Windows 8.1 tablet recommended that I turn on encryption, as soon as I clicked “no” to handing my administrator user over to Microsoft, it disabled encryption.”
I showed it to Microsoft management, whereupon they checked and confirmed that this was true. No response since, hence we can assume there’s no counter argument.
In summary, Microsoft betrays the privacy of Windows users at many levels. No nation should deem Windows suitable for use (at any level) and ridicule is probably well deserved where one defends Windows as ‘secure’. █
Summary: Home Depot learns its lesson from a Microsoft Windows disaster, but it stays with proprietary software rather than move to software that is actively audited by many people and is inherently better maintained (Free/libre software)
Media that is owned by large corporations likes to talk about FOSS bugs that have logos and brands not because there are many known incidents where harm was done but because FOSS is an easy scapegoat. Microsoft Windows, which has had bug doors for nearly two decades (very serious and remotely exploitable), should not be used in any production environment, but some businesses are evidently foolish enough to put it on critical systems, knowing damn well (they definitely should know it by now) that the NSA collaborates with Microsoft on back door access and uses back doors for espionage (both industrial and political).
Earlier this year we asked journalists to call out Windows and urged Home Depot to speak about the role of Microsoft Windows in its massive (existence-threatening) incident that left millions of people (with credit card details) in the hands of crackers.
Microsoft Windows — not some FOSS bug with a logo and/or a name — punished not only Home Depot but also millions of innocent customers who did not know that Home Depot relied on Microsoft Windows for storing/processing sensitive details.
Now there is acknowledgement of this, based on the report “Home Depot blames Windows for record hack, rushes out to buy Macs and iPhones afterward”. So basically they are moving to another proprietary platform with back doors. Apple has already admitted the existence of back doors in iOS, for example, and tried to pass them off as “diagnostics”. If Home Depot is serious about security, then GNU/Linux and other Free software (even BSD) should be universally used at Home Depot.
Home Depot should generally cleanse itself of proprietary software, which is totally unsuitable for credit card handling because it has back doors and other security issues, mostly inherent issues. Other companies should learn from Home Depot’s mistake and never again process important data using proprietary software. The bad reputation that Home Depot gets from this incident is now putting the whole business in jeopardy. Based on news reports about the surveillance software Skype (after the Microsoft takeover), Microsoft wants to put it at the very heart of businesses, enabling wiretapping of unprecedented proportions, even inside private businesses (not just some mundane chats). Only days ago the Electronic Frontier Foundation warned that Skype is inherently insecure and so is WhatsApp, which is owned by a partly Microsoft-owned company (Facebook). Here is what Beta News wrote:
Secure communication is something we all crave online, particularly after Edward Snowden’s NSA revelations increased public interest in privacy and security. With dozens of messaging tools to choose from, many claiming to be ultra-secure, it can be difficult to know which one to choose and which one to trust. Electronic Frontier Foundation (EFF) has published its Secure Messaging Scorecard which rates a number of apps and services according to the level of security they offer.
Businesses should shun not only Microsoft but proprietary software in general (Microsoft tends to be one of the worst among them) if they wish to secure their communications, respect their customers’ safety, and ultimately assure their survival. Use of proprietary software is no joking matter; it can be lethal. The corporate press has hardly done enough — if anything at all — to highlight the real culprit in the Home Depot disaster. █
Summary: The back doors-enabled Microsoft Windows is being revealed and portrayed as the Swiss cheese that it really is after massive holes are discovered (mostly to be buried by a .NET propaganda blitz)
Windows ‘Update’, which essentially translates into Microsoft manipulating binaries on people’s machines without any changelog (at least not in source code form), is making the news again this month. Windows ‘Update’ is happening quite often (a monthly recurrence), but this time there is a lot to say about it.
The British NHS, which holds full medical records of very many individuals, recently received a lot of flak for sticking with an unsupported operating system that was released when I was a teenager instead of upgrading to recently-built Free software like GNU/Linux. Guess what happened to the NHS? “NHS XP patch scratch leaves patient records wide open to HACKERS” says the British press, meaning that not only the NSA gets access to NHS data:
Thousands of patient records could be left exposed to hackers, as up to 20 NHS trusts have failed to put an agreement in place with Microsoft to extend security support for Windows XP via a patch, The Register can reveal.
Another story of a botched update of Windows says that “Crypto attack that hijacked Windows Update goes mainstream in Amazon Cloud”:
Underscoring just how broken the widely used MD5 hashing algorithm is, a software engineer racked up just 65 cents in computing fees to replicate the type of attack a powerful nation-state used in 2012 to hijack Microsoft’s Windows Update mechanism.
That’s what one gets when using weak ciphers that the NSA promotes and Microsoft willingly spreads. Windows Update is a dangerous tool for many reasons, not just because it is bricking Linux devices these days but because it’s a tool that gives the NSA a lot of power. Before an update kicks in, the NSA is given information that allows it to take full control of PCs with Windows, remotely even (this is done every month). This may sound benign until one learns about Stuxnet (weaponised malware of the NSA) and considers this latest Patch Tuesday:
Microsoft is issuing the largest number of monthly security advisories since June 2011, five of them critical and affecting all supported versions of Windows. And applying the patches will be time consuming, experts say.
“Next week will tell us how many CVEs are involved but suffice to say, this patch load will be a big impact to the enterprise,” says Russ Ernst, the director of product management for Lumension.
CBS, being not just a proponent of espionage, mass surveillance, assassination and violent wars but also a proponent of back doors, had its site ZDNet downplay the above. “So far in calendar year 2014,” it said, “Microsoft has fixed 215 vulnerabilities in Internet Explorer” (lots of potential NSA back doors). Then come some lame excuses and damage control from Microsoft in an update to that article, trying to make its bad record look like a positive, neglecting the fact that Microsoft has been secretly patching holes to yield fake numbers and give a false sense of security. Here is the full summary:
So far in calendar year 2014, Microsoft has fixed 215 vulnerabilities in Internet Explorer, with more coming out today. There have been security updates to Internet Explorer every month this year except for January.
This other report, titled “Potentially catastrophic bug bites all versions of Windows. Patch now”, does not entertain the possibility of back/bug doors in Microsoft Windows being exploited, despite the fact that Microsoft already told the NSA (providing exploit knowledge), which undoubtedly engages in illegal intrusions/cracking. A report from IDG notes that another bug in the same batch is nearly two decades old and adds that only “[w]ith help from IBM, Microsoft has patched a critical Windows vulnerability that flew under the radar for nearly two decades.”
So IBM, despite having no access to the source code (as far as we can tell), was perhaps the only reason why Microsoft addressed this issue two decades late, eh? How many times might this flaw have been exploited by now? A reader of ours, alluding to that nonsense .NET PR, explains: “Perhaps a big reason for the PR teams trumpeting the open-core or freemium model?”
It sure serves as a good distraction. When Windows XP support (patches) came to an end, a Microsoft-connected firm immediately (on the very same day) started throwing brands and logos at an OpenSSL bug, stealing the show and spreading FUD for many months, generalising it so as to make it appear like a serious, inherent issue in FOSS.
Watch this critical remote code execution flaw in Windows. It is extremely serious, but there is no logo or brand for it (unlike FOSS FUD like “Heartbleed” or “Shellshock”, a brand that was even perpetuated by the Russia-based Mandriva the other day). █
Summary: Cryptome has an article, composed of hard evidence, revealing ways in which Microsoft enables aggressive spies to break encryption
The FBI does not even pretend not to be pursuing back doors; quite the contrary! It demands them and now insists on legislation that would make them mandatory. The same goes for the NSA, Microsoft’s very special partner. Anyone who still thinks that back doors in encryption are within the realm of “conspiracy theory” must not have paid attention. We wrote about such issues more than half a decade ago. At this stage, judging by thousands of articles on the topic, these factual observations are very commonplace in the press, even in the corporate media.
“Microsoft backdoor bitlocker key escrow for the FBI & NSA,” writes to us David Sugar from GNU Telephony. “From the OS that loves to spy on you,” he added.
Some months ago we showed that a former Microsoft engineer who worked on Windows BitLocker confirmed that the US government asks Microsoft for back doors, and now we have more details on how this is done, courtesy of the cryptology enthusiasts at Cryptome:
Microsoft OneDrive in NSA PRISM
1) Bitlocker keys are uploaded to OneDrive by ‘device encryption’.
“Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected.
If the device is not domain-joined a Microsoft Account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to online Microsoft account and TPM protector is created.”
2) Device encryption is supported by Bitlocker for all SKUs that support connected standby. This would include Windows phones.
“BitLocker provides support for device encryption on x86 and x64-based computers with a TPM that supports connected stand-by. Previously this form of encryption was only available on Windows RT devices.”
3) The tech media and feature articles recognise this.
“… because the recovery key is automatically stored in SkyDrive for you.”
4) Here’s how to recover your key from Sky/OneDrive.
“Your Microsoft account online. This option is only available on non-domain-joined PCs. To get your recovery key, go to …onedrive.com…”
5) SkyDrive (now named OneDrive) is onboarded to PRISM. (pg 26/27)
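What a practitioner wants after reading the five points above is a way to see which protectors actually unlock the OS volume and to make any escrowed copy of the recovery password worthless. The following is an added example, not part of the Cryptome article and not Microsoft’s documentation; it uses the BitLocker PowerShell module that ships with Windows 8.1 and later and assumes the OS volume is C: and the shell is elevated. Note what it cannot do: the volume keeps no record of whether its recovery password was uploaded, so only the recovery-key page of the Microsoft account (the page quoted in point 4) can show what was escrowed.

```powershell
# Added example, not from the Cryptome article: list BitLocker protectors on
# the OS volume and rotate the 48-digit recovery password so that a copy
# escrowed to a Microsoft account no longer unlocks the disk.
# Assumptions: elevated prompt, OS volume is C:, BitLocker module present.

$mount = 'C:'
$vol = Get-BitLockerVolume -MountPoint $mount
$vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod

# 'RecoveryPassword' is the protector type whose value device encryption
# uploads. Nothing on the volume says whether that upload happened.
$vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId, RecoveryPassword

$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
$tpm      = @($vol.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*')
if ($tpm.Count -eq 0) {
    # Without a TPM (or password/startup-key) protector the recovery password
    # may be the only way in; refuse rather than lock the owner out.
    throw "No TPM protector on $mount; not touching the only usable protector."
}

# Rotate in the safe order: add the fresh recovery password first, then
# remove the old one(s), so the volume is never without a recovery path.
$new   = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector
$fresh = $new.KeyProtector |
         Where-Object KeyProtectorType -eq 'RecoveryPassword' |
         Where-Object KeyProtectorId -notin $recovery.KeyProtectorId
foreach ($old in $recovery) {
    Remove-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $old.KeyProtectorId | Out-Null
}

"New recovery password (write it down and keep it offline, not in any cloud account):"
$fresh.RecoveryPassword

# Independent cross-check with the legacy tool: the old protector ID must be gone.
manage-bde -protectors -get $mount
```

Rotating the protector does not delete the copy already sitting in the account; it only makes that copy useless for this volume, so the escrowed entry should still be removed from the account page and, since the machine is still signed in with the same Microsoft account, the page should be checked again afterwards to confirm the new password was not escrowed as well. On a domain-joined machine the same cmdlets apply, but there the recovery password is typically backed up to Active Directory by policy rather than to OneDrive.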
When Microsoft speaks about security it usually means “national security”, i.e. the ability of the state to break the security of software. It is about interception, not security. When Microsoft speaks about ‘secure boot’ it speaks about an antifeature in UEFI that enables the state to remotely brick computers, too.
The sad thing is that amid the many recent BSD milestones (FreeBSD, OpenBSD, PC-BSD and others) there are those who fall for the false promise of UEFI, which does more harm than good to security. OpenBSD, which takes security very seriously, has already blasted UEFI ‘secure boot’ and those who support it (including Red Hat), whereas FreeBSD got bamboozled into UEFI ‘secure boot’ and with it the FreeBSD-derived PC-BSD gets bamboozled too:
Marking the twenty-first birthday of FreeBSD was the release of FreeBSD 10.1-RC4 and separately was the FreeBSD-derived PC-BSD 10.1 RC2 release.
FreeBSD 10.1-RC4 is expected to be the final RC build of FreeBSD 10.1 and brought fixes for ATA CF ERASE breakage and a race fix that could cause an EPT misconfiguration VM-exit.
More details on FreeBSD 10.1-RC4 can be found via its Sunday release announcement. The official release of FreeBSD 10.1 is now hopefully a few days out with its many new features and changes.
This is not a good idea at all. PC-BSD needs to follow the example set by OpenBSD, not FreeBSD (whose codebase it inherits). It sure starts looking like not only Microsoft but Red Hat too is bending over to its lucrative clients and contracts with the Deep State. Based on established observations from one decade ago, including more recent developments that Red Hat refuses to comment on, it seems possible that back doors in encryption (by default) are the de facto standard among large corporations. When they speak about “security” there must be fine print, and it is omitted from the advertising. At the risk of breaking the silence about systemd (because we don’t want to inflame ‘civil wars’), systemd replaces/obviates so much highly mature software that it certainly increases the likelihood of bug doors being introduced in RHEL/Red Hat (systemd‘s patron) and by extension/inheritance many other distributions of GNU/Linux. █