
11.16.14

Microsoft is Going Into the Anti-Whistleblowing Business, Dodges Criticism Over 19-Year Bug Door in Windows

Posted in Microsoft, Security, Windows at 6:47 am by Dr. Roy Schestowitz


Summary: With Aorato acquisition Microsoft helps protect the criminals (from whistleblowers) and with lies about .NET Microsoft distracts from a bug that has facilitated remote access into Windows (by those in the know) for nearly two decades

MICROSOFT IS A company of liars, centred around media manipulation. This is why not enough people know about the company’s sheer levels of malice, crimes, and disregard for people.

Microsoft keeps throwing money around for favourable publicity, so not enough criticism is published where it’s well overdue. Today we’ll tackle several stories that deserve more attention from an appropriate angle, not a promotional (marketing) angle.

A few days ago Microsoft decided to buy a military-connected (IDF/Israel) anti-whistleblowing ‘software’ company. What a lot of shallow coverage failed to mention was the real purpose of the software (not often marketed as such). To quote one report: ‘“Snowden reportedly used colleagues’ passwords to access sensitive docs,” he told me. “Even if the user activity seems legitimate, the same account would actually present suspicious or abnormal behavior behind the scenes which Aorato would detect.”’

Actually, to keep the facts intact, the NSA leaks were made possible by GNU WGet on the leakers’ side (same as Bradley/Chelsea Manning) and that horrible Microsoft SharePoint on the leaked side (NSA). It means that Microsoft itself was the problem which it claims to be trying to solve. We mentioned the role of SharePoint several times before. The acquisition by Microsoft seems to be geared towards stopping whistleblowing and hence defending corruption (so that Microsoft, for instance, can defend the NSA). How ethical a move, eh? So much for a ‘champion’ of privacy as it purports to be.

Anyway, there is a 19-year bug door in Microsoft Windows (almost no version is exempted from remotely-invoked full capture), but the press hardly covers it. We must give some credit to the BBC for covering it (for a change) and "calling out Windows". Other British press covered other inherent issues in Windows (compromising Tor) [1] and it looks like Dan Goodin is finally covering some security problems in proprietary software [2] rather than always picking on FOSS, then hyping it up with ugly imagery and exaggeration.

A reader of ours suspects that the .NET announcement was designed to distract from horrible security-related news. The .NET announcement is nonsense because it’s false (we wrote two posts about the .NET PR nonsense) and it also predicts future events like Visual Studio going cross-platform although the latest version of Visual Studio (proprietary) already runs under GNU/Linux using Wine, i.e. the Windows build works under GNU/Linux as it’s fully compatible anyway, for those foolish enough to want it. This is not news and the same goes for Office and other well-known Microsoft software. Xamarin staff keep trying hard to infect GNU/Linux with .NET (that’s what they do) and as this very stupid article about .NET shows, the .NET nonsense did indeed help bury the news about the bug door. This disgusting article even gives credit to Microsoft for having fixed a massive 19-year-old bug (only after IBM had found it). When bash or openssl have a bug, then FOSS is all bad, apparently. When Microsoft has a bug door for 19 years, the media says well done to Microsoft (for fixing it after another company forced it to). One has to wonder if this flaw (voluntary or involuntary) is part of Microsoft’s collaboration with the NSA, which made Stuxnet and has made yet another piece of Windows malware together with Israel. Here is a new article from The Intercept:

The Digital Hunt for Duqu, a Dangerous and Cunning U.S.-Israeli Spy Virus

Boldizsár Bencsáth took a bite from his sandwich and stared at his computer screen. The software he was trying to install on his machine was taking forever to load, and he still had a dozen things to do before the Fall 2011 semester began at the Budapest University of Technology and Economics, where he taught computer science. Despite the long to-do list, however, he was feeling happy and relaxed. It was the first day of September and was one of those perfect, late-summer afternoons when the warm air and clear skies made you forget that cold autumn weather was lurking around the corner.

Bencsáth, known to his friends as Boldi, was sitting at his desk in the university’s Laboratory of Cryptography and System Security, a.k.a. CrySyS Lab, when the telephone interrupted his lunch. It was Jóska Bartos, CEO of a company for which the lab sometimes did consulting work (“Jóska Bartos” is a pseudonym).

“Boldi, do you have time to do something for us?” Bartos asked.

“Is this related to what we talked about before?” Bencsáth said, referring to a previous discussion they’d had about testing new services the company planned to offer customers.

“No, something else,” Bartos said. “Can you come now? It’s important. But don’t tell anyone where you’re going.”

Bencsáth wolfed down the rest of his lunch and told his colleagues in the lab that he had a “red alert” and had to go. “Don’t ask,” he said as he ran out the door.

A while later, he was at Bartos’ office, where a triage team had been assembled to address the problem they wanted to discuss. “We think we’ve been hacked,” Bartos said.

They found a suspicious file on a developer’s machine that had been created late at night when no one was working. The file was encrypted and compressed so they had no idea what was inside, but they suspected it was data the attackers had copied from the machine and planned to retrieve later. A search of the company’s network found a few more machines that had been infected as well. The triage team felt confident they had contained the attack but wanted Bencsáth’s help determining how the intruders had broken in and what they were after. The company had all the right protections in place—firewalls, antivirus, intrusion-detection and -prevention systems—and still the attackers got in.

The ability to keep people’s rights away and keep the population down depends on passivity and conformity, including the use of Windows. Avoiding Microsoft Windows is imperative for those not wishing to be controlled remotely. As Microsoft’s collaborations with the NSA serve to show, mass surveillance on the whole world is practically contingent upon not just innovation but sabotage and social engineering with corporate buddies. Eradication of Microsoft software isn’t about competition only; it’s about justice.

Related/contextual items from the news:

  1. Advanced persistent threats found in the TOR network

    There are suggestions that the malware code has been around for a while, and has predecessors, and F-Secure warned internet users, anonymous or otherwise, to tread carefully when they download.

    “However, it would seem that the OnionDuke family is much older, based on older compilation timestamps and on the fact that some of the embedded configuration data makes reference to an apparent version number of four, suggesting that at least three earlier versions of the family exist,” the firm added.

    “In any case, although much is still shrouded in mystery and speculation, one thing is certain: while using Tor may help you stay anonymous, it does at the same time paint a huge target on your back.

    “It’s never a good idea to download binaries via Tor (or anything else) without encryption.”

  2. For a year, gang operating rogue Tor node infected Windows executables

    Three weeks ago, a security researcher uncovered a Tor exit node that added malware to uncompressed Windows executables passing through it. Officials with the privacy service promptly shut down the Russia-based node, but according to new research, the group behind the node had likely been infecting files for more than a year by that time, causing careless users to install a backdoor that gave attackers full control of their systems.

11.13.14

Microsoft Windows is Still Designed as a Paradise of Back Doors, Intrusion, Wiretaps, and Interception

Posted in Bill Gates, Microsoft, Security, Windows at 1:26 pm by Dr. Roy Schestowitz


Summary: At many levels — from communication to storage and encryption — Windows is designed for the very opposite of security

TO ONE who is aware of what Microsoft has been doing with the NSA since the 1990s it can be rather shocking to see entire nations relying on Microsoft Windows. As a quick recap, aided by one of our readers, back in the 90s there was this article stating: “Rubenstein, Microsoft attorney and a top lieutenant to Bill Gates. By his own account, Rubenstein acts as a “filter” between the NSA and Microsoft’s design teams in Redmond, Wash. “Any time that you’re developing a new product, you will be working closely with the NSA,” he noted.”

There is hardly any room for excuses or misinterpretation here. “How NSA access was built into Windows” is another important article from the German press and it was published back in the 90s. These older articles are merely a few among many more (some no longer accessible due to ‘Web rot’) which already made it clear that Bill Gates and Microsoft were fine with back-dooring billions of people. Gates continues to be a vocal proponent of the NSA, even to this date (after Snowden had leaked details that made the NSA exceptionally unpopular like no time before, internationally).

Anyone who still thinks that proprietary software is secure says quite a lot about his/her own intelligence (and disregard for facts). It is also widely known why it is risky to connect Free software to proprietary software, which basically compromises the trust that Free software carries with it. Germany, based on this new article from Dr. Glyn Moody, is beginning to see the light as well. Here is a portion:

You Can’t Trust Closed-Source Code – Germany Agrees

Similarly, moves by both Microsoft and Amazon, among others, to set up local data centres in the EU will not on their own protect European data unless that is encrypted by the companies themselves, and the cloud computing providers do *not* have access to the keys. Indeed, if the data is encrypted in this way, local storage is not so important, since the NSA will have an equally hard time decrypting it wherever it is held – as far as we know, that is.

Because of that recent US court judgment ordering Microsoft to hand over emails held in Ireland, many people are now aware of the dangers of cloud computing in the absence of encryption under the control of the customer. But very few seem to have woken up to the problems of backdoors in proprietary software that I mentioned at the start of this post. One important exception is the German government, which according to Sky News is working on an extremely significant law in this area…

The NSA could get back door access into all data stored in Windows and now it can get access to data stored remotely, too. It’s total surveillance. Not even encryption can help.

I was contacted by a manager from Microsoft last week and after we exchanged some messages about the farce which is encryption in Windows he no longer had a counter argument. He found out, after some research, that I was in fact right. I was previously (almost a decade ago) ridiculed by top-level Microsoft staff for suggesting that encryption in Windows could easily be subverted, by design. Around that time Microsoft’s Allchin was seemingly worried about back doors and he was quoted on it (the Allchin article is hidden to many as the link has changed). Some of it is very old, but we have written about Bill Gates’ support of back doors since the early days of this Web site. Microsoft back doors in Windows go beyond just remote access and descend down to encryption, caused by a deficient-by-design (or generally bad) encryption. When we cited Cryptome's findings we received overwhelming (and supportive) attention. The management from Microsoft tried to change our article (asking for changes) despite the article being correct. As stated in comments in Soylent News: “when my Windows 8.1 tablet recommended that I turn on encryption, as soon as I clicked “no” to handing my administrator user over to Microsoft, it disabled encryption.”

I showed it to Microsoft management, whereupon they checked and confirmed that this was true. No response since, hence we can assume there’s no counter argument.

In summary, Microsoft betrays the privacy of Windows users at many levels. No nation should deem Windows suitable for use (at any level) and ridicule is probably well deserved where one defends Windows as ‘secure’.

Forget the FUD About Bash and OpenSSL, Microsoft Windows Blamed for Massive Credit Cards Heist

Posted in Microsoft, Security, Windows at 12:56 pm by Dr. Roy Schestowitz


Summary: Home Depot learns its lesson from a Microsoft Windows disaster, but it stays with proprietary software rather than move to software that is actively audited by many people and is inherently better maintained (Free/libre software)

MEDIA that is owned by large corporations likes to talk about FOSS bugs that have logos and brands not because there are many known incidents where harm was done but because FOSS is an easy scapegoat. Microsoft Windows, which has had bug doors for nearly two decades (very serious and remotely exploitable), should not be used in any production environment, but some businesses are evidently foolish enough to put it on critical systems, knowing damn well (they definitely should know it by now) that the NSA collaborates with Microsoft on back door access and uses back doors for espionage (both industrial and political).

Earlier this year we asked journalists to call out Windows and urged Home Depot to speak about the role of Microsoft Windows in its massive (existence-threatening) incident that left millions of people (with credit card details) in the hands of crackers.

Microsoft Windows — not some FOSS bug with a logo and/or a name — punished not only Home Depot but also millions of innocent customers who did not know that Home Depot relied on Microsoft Windows for storing/processing sensitive details.

Now there is acknowledgement of this, based on the report “Home Depot blames Windows for record hack, rushes out to buy Macs and iPhones afterward”. So basically they are moving to another proprietary platform with back doors. Apple has already admitted the existence of back doors in iOS, for example, and tried to pass them off as “diagnostics”. If Home Depot is serious about security, then GNU/Linux and other Free software (even BSD) should be universally used at Home Depot.

Home Depot should generally cleanse itself of proprietary software, which is totally unsuitable for credit card handling because it has back doors and other security issues, mostly inherent issues. Other companies should learn from Home Depot’s mistake and never again process important data using proprietary software. The bad reputation that Home Depot gets from this incident is now putting the whole business in jeopardy and based on news reports about surveillance software Skype (after the Microsoft takeover), Microsoft wants to put it at the very heart of businesses, enabling wiretapping of unprecedented proportions, even inside private businesses (not some mundane chats). Only days ago the Electronic Frontier Foundation warned that Skype is inherently insecure and so is WhatsApp, which is owned by a partly Microsoft-owned company (Facebook). Here is what Beta News wrote:

Secure communication is something we all crave online, particularly after Edward Snowden’s NSA revelations increased public interest in privacy and security. With dozens of messaging tools to choose from, many claiming to be ultra-secure, it can be difficult to know which one to choose and which one to trust. Electronic Frontier Foundation (EFF) has published its Secure Messaging Scorecard which rates a number of apps and services according to the level of security they offer.

Businesses should shun not only Microsoft but proprietary software in general (Microsoft tends to be one of the worst among them) if they wish to secure their communications, respect their customers’ safety, and ultimately assure their survival. Use of proprietary software is no joking matter; it can be lethal. The corporate press has hardly done enough — if anything at all — to highlight the real culprit in the Home Depot disaster.

Windows ‘Update’ and NSA Back Doors, Including a 19-Year Bug Door in Microsoft Windows

Posted in Microsoft, Security, Windows at 12:22 pm by Dr. Roy Schestowitz

Summary: The back doors-enabled Microsoft Windows is being revealed and portrayed as the Swiss cheese that it really is after massive holes are discovered (mostly to be buried by a .NET propaganda blitz)

Windows ‘Update’, which essentially translates into Microsoft manipulating binaries on people’s machines without any changelog (at least not in source code form), is making the news again this month. Windows ‘Update’ is happening quite often (a monthly recurrence), but this time there is a lot to say about it.

The British NHS, which holds full medical records of very many individuals, recently received a lot of flak for sticking with an unsupported operating system that was released when I was a teenager instead of upgrading to recently-built Free software like GNU/Linux. Guess what happened to the NHS? “NHS XP patch scratch leaves patient records wide open to HACKERS” says the British press, meaning that not only the NSA gets access to NHS data:

Thousands of patient records could be left exposed to hackers, as up to 20 NHS trusts have failed to put an agreement in place with Microsoft to extend security support for Windows XP via a patch, The Register can reveal.

Another story of a botched update of Windows says that “Crypto attack that hijacked Windows Update goes mainstream in Amazon Cloud”:

Underscoring just how broken the widely used MD5 hashing algorithm is, a software engineer racked up just 65 cents in computing fees to replicate the type of attack a powerful nation-state used in 2012 to hijack Microsoft’s Windows Update mechanism.

That’s what one gets when using weak ciphers that the NSA promotes and Microsoft willingly spreads. Windows Update is a dangerous tool for many reasons, not just because it is bricking Linux devices these days but because it’s a tool that gives the NSA a lot of power. Before an update kicks in, the NSA is given information that allows it to take full control of PCs with Windows, remotely even (this is done every month). This may sound benign until one learns about Stuxnet (weaponised malware of the NSA) and considers this latest Patch Tuesday:

Microsoft is issuing the largest number of monthly security advisories since June 2011, five of them critical and affecting all supported versions of Windows. And applying the patches will be time consuming, experts say.

“Next week will tell us how many CVEs are involved but suffice to say, this patch load will be a big impact to the enterprise,” says Russ Ernst, the director of product management for Lumension.

CBS, being not just a proponent of espionage, mass surveillance, assassination and violent wars but also a proponent of back doors, had its site ZDNet downplay the above. “So far in calendar year 2014,” it said, “Microsoft has fixed 215 vulnerabilities in Internet Explorer” (lots of potential NSA back doors). Then come some lame excuses and damage control from Microsoft in the update, trying to make its bad record look like a positive, neglecting the fact that Microsoft has been secretly patching holes to yield fake numbers and give a false sense of security. Here is the full summary:

So far in calendar year 2014, Microsoft has fixed 215 vulnerabilities in Internet Explorer, with more coming out today. There have been security updates to Internet Explorer every month this year except for January.

This other report, titled “Potentially catastrophic bug bites all versions of Windows. Patch now”, does not entertain the possibility of back/bug doors in Microsoft Windows being exploited, despite the fact that Microsoft already told the NSA (providing exploit knowledge), which undoubtedly engages in illegal intrusions/cracking. A report from IDG notes that this bug is nearly two decades old and adds that only “[w]ith help from IBM, Microsoft has patched a critical Windows vulnerability that flew under the radar for nearly two decades.”

So IBM, despite having no access to source code (as far as we can tell), was perhaps the only reason why Microsoft addressed this issue two decades late, eh? How many times might this flaw have been exploited by now? A reader of ours, alluding to that nonsense .NET PR, explains: “Perhaps a big reason for the PR teams trumpeting the open-core or freemium model?”

It sure serves as a good distraction. When Windows XP support (patches) came to an end a Microsoft-connected firm immediately (on the very same day) started throwing brands and logos in relation to an OpenSSL bug, stealing the show and spreading FUD for many months, generalising it so as to appear like a serious, inherent issue in FOSS.

Watch this critical remote code execution flaw in Windows. It is extremely serious, but there is no logo or brand for it (unlike FOSS FUD like “Heartbleed” or “Shellshock” — with a brand that was even perpetuated by the Russia-based Mandriva the other day).

11.04.14

Cryptome Reveals How Microsoft Gives the FBI and the NSA Back Doors to Crack Encryption

Posted in Microsoft, Security at 3:06 pm by Dr. Roy Schestowitz


Summary: Cryptome has an article, comprised/composed of hard evidence, revealing ways in which Microsoft enables aggressive spies to break encryption

The FBI does not even pretend not to be pursuing back doors; quite the contrary! It demands them and now insists on legislation that would make them mandatory. The same goes for the NSA, Microsoft’s very special partner. Anyone who still thinks that back doors in encryption are within the realm of “conspiracy theory” must not have paid attention. We wrote about such issues more than half a decade ago. At this stage, judging by thousands of articles on the topic, these factual observations are very commonplace in the press, even in the corporate media.

“Microsoft backdoor bitlocker key escrow for the FBI & NSA,” writes to us David Sugar from GNU Telephony. “From the OS that loves to spy on you,” he added.

Some months ago we showed that a former Microsoft engineer working on Windows BitLocker confirmed that the US government asks Microsoft for back doors and now we have more details on how this is done, courtesy of cryptology enthusiasts in Cryptome:

Microsoft OneDrive in NSA PRISM

A sends:

1) Bitlocker keys are uploaded to OneDrive by ‘device encryption’.

“Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected.

If the device is not domain-joined a Microsoft Account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to online Microsoft account and TPM protector is created.”

http://technet.microsoft.com/en-us/library/dn306081.aspx

2) Device encryption is supported by Bitlocker for all SKUs that support connected standby. This would include Windows phones.

“BitLocker provides support for device encryption on x86 and x64-based computers with a TPM that supports connected stand-by. Previously this form of encryption was only available on Windows RT devices.”

http://technet.microsoft.com/en-us/library/dn306081.aspx#BKM…

3) The tech media and feature articles recognise this.

“… because the recovery key is automatically stored in SkyDrive for you.”

http://www.zdnet.com/surface-bitlocker-and-the-future-of-encryption-7000024613/

4) Here’s how to recover your key from Sky/OneDrive.

“Your Microsoft account online. This option is only available on non-domain-joined PCs. To get your recovery key, go to …onedrive.com…”

http://windows.microsoft.com/en-us/windows-8/bitlocker-recovery-keys-faq

5) SkyDrive (now named OneDrive) is onboarded to PRISM. (pg 26/27)

http://hbpub.vo.llnwd.net/o16/video/olmk/holt/greenwald/NoPlaceToHide-Documents-Uncompressed.pdf
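One way an administrator could inventory the recovery-password protectors described in the message above and replace them, so that a recovery key uploaded earlier no longer unlocks the volume. This is an added example, not part of the original post or of the Cryptome message; it uses the cmdlets of the BitLocker PowerShell module, and the `-Rotate` switch and variable names are invented for the example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): list BitLocker recovery-password
# protectors and, with -Rotate, replace them so that any copy of the old
# recovery key held elsewhere no longer unlocks the volume.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical switch invented for this example.
    [switch]$Rotate
)

# The quoted TechNet text says the automatic upload applies to devices that
# are not domain-joined, so record that fact alongside each volume.
$domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

foreach ($vol in Get-BitLockerVolume) {
    # Recovery passwords are the protectors that device encryption escrows.
    $old = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    # Inventory row for this volume.
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        DomainJoined     = $domainJoined
        ProtectorTypes   = ($vol.KeyProtector.KeyProtectorType -join ', ')
        RecoveryKeyIds   = ($old.KeyProtectorId -join ', ')
    }

    if (-not $Rotate -or $old.Count -eq 0) { continue }

    if ($PSCmdlet.ShouldProcess($vol.MountPoint, 'Replace recovery password')) {
        # Add the new protector first so the volume is never left without a
        # recovery option if the script is interrupted.
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint `
            -RecoveryPasswordProtector -WarningAction SilentlyContinue | Out-Null

        # Remove every recovery password that existed before this run.
        foreach ($p in $old) {
            Remove-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $p.KeyProtectorId | Out-Null
        }

        # Re-read the volume and pick out the protector that is new.
        $new = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
            Where-Object {
                $_.KeyProtectorType -eq 'RecoveryPassword' -and
                $_.KeyProtectorId -notin $old.KeyProtectorId
            }

        # Record this somewhere under your own control before rebooting.
        Write-Warning ("New recovery password for {0}: {1}" -f `
            $vol.MountPoint, $new.RecoveryPassword)
    }
}
```

Run without switches it only prints the inventory; `-Rotate -WhatIf` shows which volumes would be changed without touching them.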

When Microsoft speaks about security it usually means “national security”, i.e. the ability of the state to break security of software. It’s about interception, not security. When Microsoft speaks about ‘secure boot’ it speaks about an antifeature in UEFI that enables the state to remotely brick computers, too.

The sad thing is that amid many BSD milestones as of recently (FreeBSD, OpenBSD, PC-BSD and others) there are those who fall for the false promise of UEFI, which does more harm than good to security. OpenBSD, which takes security very seriously, has already blasted UEFI 'secure boot' and blasted those who support it (including Red Hat), whereas FreeBSD got bamboozled into UEFI 'secure boot' and with it, the FreeBSD-derived PC-BSD gets bamboozled too:

Marking the twenty-first birthday of FreeBSD was the release of FreeBSD 10.1-RC4 and separately was the FreeBSD-derived PC-BSD 10.1 RC2 release.

FreeBSD 10.1-RC4 is expected to be the final RC build of FreeBSD 10.1 and brought fixes for ATA CF ERASE breakage and a race fix that could cause an EPT misconfiguration VM-exit.

More details on FreeBSD 10.1-RC4 can be found via its Sunday release announcement. The official release of FreeBSD 10.1 is now hopefully a few days out with its many new features and changes.

This is not a good idea at all. PC-BSD needs to follow the example set by OpenBSD, not FreeBSD (with its codebase). It sure starts looking like not only Microsoft but Red Hat too is bending over to its lucrative clients and contracts with the Deep State. Based on established observations from one decade ago, including more recent developments that Red Hat refuses to comment on, it seems possible that back doors in encryption (by default) are the de facto standard among large corporations. When they speak about “security” there must be fine print and it is omitted from the advertising. At risk of breaking the silence about systemd (because we don’t want to inflame ‘civil wars’), systemd replaces/obviates so much highly mature software that it certainly increases the likelihood of bug doors being introduced in RHEL/Red Hat (systemd’s patron) and by extension/inheritance many other distributions of GNU/Linux.

Claiming That Free Software is Not Secure is Microsoft’s Last Resort

Posted in Deception, Free/Libre Software, FUD, Security at 2:35 pm by Dr. Roy Schestowitz

“Our products just aren’t engineered for security.”

Brian Valentine, Microsoft executive

Summary: Following the familiar pattern of FOSS FUD, wherein we see Microsoft partners badmouthing FOSS over “security” (ignoring much worse problems in proprietary software), FOSS gets widely bashed in the British media

MICROSOFT has made many back doors available for the FBI and for the NSA. We have covered this for over half a decade and given concrete examples. Our next post will give yet another new example.

So, how does Microsoft have the audacity to tell us — usually by proxy — that Free software is not secure? Yes, Free software has some bugs (not many are critical), but Microsoft software is insecure by design. There are lots of back doors in Windows XP, for example, but the British NHS, which holds medical records (highly sensitive) of tens of millions of people (including my family), continues using it based on this new report:

Many UK NHS Trusts are at risk of missing the extended cut-off deadline for Windows XP support in April 2015, according to the results of several Freedom of Information requests by software firm Citrix.

Although the government acquired a support extension, the FOI request found that the trusts have been slow to make the transition, or are simply unsure when their transition would be complete.

Why on Earth are they not migrating to GNU/Linux yet? I have been part of British migrations to GNU/Linux, both in the private sector and government, and all I can say is that it always works. Not only does it save money but it also produces more secure and more stable systems.

Trend Micro is littering the British press at the moment with anti-FOSS messages that promote Microsoft, not mentioning back doors. We need not link to any examples because there are many of them this afternoon, but we have confronted Trend Micro UK and publications that gave it a platform today. So has the President of the OSI. Trend Micro has a FOSS-hostile track record, so it hasn’t been too surprising.

Speaking of poor journalism that’s actually PR in disguise, watch what IDG is doing right now. A new article by Eric Knorr of InfoWorld (editor), perhaps infatuated/in love with his sponsor (ads), repeats Microsoft's lie that it loves Linux.

Entertaining more of that nonsense about FOSS being less secure than platforms with back doors or about Microsoft loving the competition that hurts it the most is probably a waste of time. The next post will show another back door that Microsoft deliberately put in its common carrier.

10.25.14

Taking Microsoft Windows Off the Grid for Damage to Businesses, the Internet, and Banking Systems

Posted in Microsoft, Security, Windows at 4:20 pm by Dr. Roy Schestowitz

“Our products just aren’t engineered for security.”

Brian Valentine, Microsoft executive

Summary: Microsoft’s insecure-by-design software is causing massive damages (possibly trillions of dollars in damages to date) and yet the corporate press does not ask the right questions, let alone suggest a ban on Microsoft software

According to the New York Times and other news sites, “Staples Is Latest Retailer Hit by Hackers” because it was using Microsoft Windows. Well, other recent examples included UPS, which basically hurt millions of people because it let crooks have lots of credit card details. The TJ Maxx heist and other credit card heists were also the fault of Microsoft Windows, not GNU Bash or OpenSSL, among other bits of software that dominate the news in the context of security. It sure looks like Microsoft Windows is the target, not FOSS. There are hardly any stories at all about an apocalypse or any great damage caused by bugs in Bash or in OpenSSL. So go figure what the press is doing, in part because the OpenSSL bug has been hyped up by Microsoft partners at a very strategic time (same day as Windows XP support ending).

As Will Hill put it the other day, “Business Week Covers Up for Microsoft In Target Hack and Misses the Big Story”. Mr. Hill adds that “The US government covering up for Microsoft is not too surprising after learning about the HACIENDA program [2]. That’s a massive program where the US government has been cracking servers and ordinary around the world to serve as botnets. If everyone used software that was better than Microsoft’s intentionally weak garbage, GCHQ, NSA and other spooks would not be able to cover their tracks. Because of US government promotion of Microsoft and their combined incompetence, criminals around the world have it easy. NSA spying has put trillions of dollars in commerce at risk.”

Those botnets do even greater damage than what was done at Staples. They are taking down a lot of Web sites and filling the Internet with heaps of SPAM. To quote our reader, complaining about articles like these: “Somehow they manage to omit the key role of Windows yet again.” They must call out Windows.

Another new article was sent to us by a reader. It is titled “Computer users who damage national security could face jail” and it was published by a Bill Gates-sponsored newspaper. This reader of ours asked: “What about those that knowingly deploy Windows on machines connected to the Internet?”

Our sites are still under DDOS attack (for over a month now). Tux Machines has been offline for several hours now after a DDOS attack from Windows botnets hit it.

Why are ISPs still permitting customers to connect to the Internet with Windows? When will ISPs or users face liability for the damage they cause? Some people have been trying to take down my sites for well over a month now and they have used Microsoft Windows as a weapon. Windows has weaponised back doors, so it should be banned already.

Speaking of takedowns, watch the latest commentary [1,2] about Microsoft breaking the law to take material and sites (or even entire networks) offline, despite them doing nothing illegal.

The corporate media should start directing some tough questions at Microsoft, not just its victims. The company should face massive fines for the damages it causes on the Web. Ultimately, its software should be banned until security — not insecurity (weaponised back doors) — is its goal.

Related/contextual items from the news:

  1. Takedown notices served by Microsoft to videos that ‘DO NOT’ infringe on anything

    Microsoft has gained immense popularity over its never-ending war on software piracy. However, this time, the company appears to have caused a bit of collateral damage. So who are the victims? A handful of prominent and highly acclaimed YouTube video bloggers.

  2. Microsoft Takes Down A Bunch Of Non-Infringing YouTube Videos Over People Posting Product Keys In Comments

    Oh, Microsoft. The company has now admitted that it ended up sending a bunch of DMCA takedown notices on non-infringing videos, all because someone had posted product keys in comments to those videos. To its credit, Microsoft has apologized and said that it has “taken steps to reinstate legitimate video content and are working towards a better solution to targeting stolen IP while respecting legitimate content.” That’s all well and good, but this seems like the kind of thing that they should have done long before issuing obviously bad takedowns. This is the kind of thing that happens when you have a tool like the DMCA notice-and-takedown provision that makes it just so damn easy to censor content. Those issuing the takedowns do little to nothing to make sure the content being removed actually infringes. They just use either automated means or someone rushing through the process with little review, sending off takedowns willy nilly with no real concern about how they might kill off perfectly legal content. It still boggles the mind that a basic notice-and-notice regime couldn’t suffice to handle situations like this. That and making sure that those issuing bogus DMCA notices receive some sort of real punishment to give them the incentive to stop sending bogus takedowns.

10.21.14

Criminal Microsoft is Censoring the Web and Breaks Laws to Do So; the Web Should Censor (Remove) Microsoft

Posted in Free/Libre Software, Microsoft, Security at 1:08 pm by Dr. Roy Schestowitz

Microsoft Windows is a weapon of (cyber) war


Summary: Microsoft is still breaking the Internet using completely bogus takedown requests (an abuse of DMCA) and why Microsoft Windows, which contains weaponised back doors (shared with the NSA), should be banned from the Internet, not just from the Web

So Microsoft spreads its lies in the media again and one of the lies we hear too often is that Microsoft obeys the law and Free software is “hacking” (they mean cracking) and a tool of “pirates” or whatever the bogeyman du jour may be. Well, actually, the very opposite is true. Criminals use Microsoft Windows to bombard sites (as they have been doing against several of my Web sites — including Techrights — for well over a month now) and if justice was to be upheld, Microsoft Windows would be banned by ISPs. Microsoft is claiming that it is upholding the law but actually, in reality, it breaks the law; it is not even a veiled action. It’s very blatant and a serious violation of several laws. This is a valid claim at many levels and today we’ll assemble some relevant new evidence and patiently connect it. This post is relatively long, but it covers a lot of ground, so please bear with us and keep reading.

Chris Pirillo, a longtime proponent of Microsoft with deep links to the company (not just his MVP title), has just had a video censored by Microsoft. Yes, Microsoft has once again issued a bogus takedown request against Google, as it did before (repeatedly). Microsoft is a criminal company because here too there is illegal action being taken by Microsoft. These bogus takedown requests, as per DMCA, are clearly a violation of the law. Microsoft does not want to obey the law (it sees itself as above the law or exempt from the law), so law itself probably isn’t much of a deterrent. Here is a new report from Wired. It is titled “Microsoft Serves Takedown Notices to Videos Not Infringing on Anything” and it says:

Microsoft’s never-ending war on software piracy caused some collateral damage this week. The victims? A handful of prominent YouTube video bloggers.

The bloggers—including LockerGnome founder Chris Pirillo and FrugalTech host Bruce Naylor—took to Twitter on Tuesday, with the hashtag #Microstopped, to complain that they had received erroneous copyright infringement notices for videos that were often several years old. The notices were filed under the Digital Millennium Copyright Act, the U.S. law that seeks to control access to copyrighted material on the net.

The funny thing here is that Pirillo is the target. How many people without the ability to protest publicly and loudly had the same thing done to them by Microsoft? We may never know. Censorship of evidence of censorship (e.g. channel bans) and other circular scenarios often kick in and become cynically applicable.

Pirillo would not sue Microsoft for breaking the law in this case because he is in Microsoft’s pocket, but will Google finally use the law against Microsoft? Enough is enough. Microsoft has done this to Google for years!

Microsoft’s censorship does not quite stop here. There is another new story which speaks about how GitHub will deal with takedown requests from now on. Remember that Microsoft censors GitHub this way, essentially damaging FOSS projects by altogether purging them.

GitHub explains its policy change as follows: “The first change is that from now on we will give you an opportunity, whenever possible, to modify your code before we take it down. Previously, when we blocked access to a Git repository, we had to disable the entire repository. This doesn’t make sense when the complaint is only directed at one file (or a few lines of code) in the repository, and the repository owner is perfectly happy to fix the problem.”

Mike Masnick said, “kudos to Github and its lawyers for recognizing that sometimes you have to let in a little legal risk for the good of the overall community.”

With its bogus takedown requests, Microsoft has turned DMCA into more of a joke. It also shows how hostile Microsoft has become towards FOSS.

Another new report from Wired says that “Conficker remains, six years later, the most widespread infection on the internet.” This report is titled “How Microsoft Appointed Itself Sheriff of the Internet” and it explains how in the midst of Internet chaos, caused by Microsoft Windows having back doors, Microsoft just decided to hijack a huge portion of the Internet, breaking it altogether (a lot of UNIX/Linux-based systems affected, including millions of services being down for days). This was an unbelievable and probably unprecedented abuse by Microsoft. A judge got bamboozled and Microsoft fooled the press into distracting from its serious abuses against No-IP. There ought to have been a massive lawsuit. As the author Robert McMillan explains: “For the past 15 years, Durrer has worked as the CEO of a small internet service provider called No-IP. Based in Reno, Nevada, the 16-person company offers a special kind of Domain Name System service, or DNS, for consumers and small businesses, letting them reliably connect to computers whose IP addresses happen to change from time to time. It’s used by geeks obsessed with online security, fretful parents monitoring nanny cams in their toddler’s bedrooms, and retailers who want remote access to their cash registers. But it’s also used by criminals as a way of maintaining malicious networks of hacked computers across the internet, even if the cops try to bring them down.”

It was actually Microsoft that took them down. Microsoft is a criminal company and it used its own abuses as an excuse to break other people’s network. Here we are talking about the company that cannot even patch its systems to stop zombie PCs (with back doors that enabled them to become zombies). Here again we have Microsoft failing to patch Windows and instead breaking it:

Microsoft has withdrawn an update released this past Tuesday due to user reports of system reboots after installation.

The update released as described in Microsoft Security Advisory 2949927 added SHA-2 hash algorithm signing and verification for Windows 7 and Windows Server 2008 R2. It was one of three proactive security feature updates released on Tuesday in addition to the eight patches of Windows and Office.

Microsoft makes it impossible to close the latest back door which it already told the NSA about, so people with Windows on their PC will be unable to boot or simply stay ‘infected’ with the latest back door. It’s all binary, so there is nothing they can do; they can’t even apply their own patch. As another source put it: “Microsoft has pulled one of the updates from its most recent Patch Tuesday release and recommends anyone who downloaded the fix should uninstall it.

“The update added support for the SHA-2 signing and verification functionality to Windows 7 and Windows Server 2008 R2 machines with the intent of improving security over the more vulnerable SHA-1 hashing algorithm.”

Microsoft Windows is simply unfit for use. Techrights, for example, has been under DDOS attack for over a month now. We know the offending machines. They all are Microsoft Windows PCs that got hijacked (from many different countries). The total number of IP addresses banned in the latest DDOS purge (so far today) is nearly 2,000. That’s a lot of Microsoft Windows zombies (with over 1200 IPs banned in just half a day). When will this operating system be banned by ISPs for facilitating DDOS attacks? How many Web sites can withstand attacks from so many zombie PCs and for how long? This is indirectly Microsoft’s fault, not just the attacker’s (the botmaster’s) fault because Windows does what it was designed to do; it has back doors. It can be commandeered remotely. This is clearly incompatible with the Internet.

Free software does not have such issues, but distributions that make their source code freely available to anyone can at least be checked for back doors, perhaps with the exception of binary Red Hat distributions like RHEL, which may have some back doors since around the start of the millennium, i.e. the same time Microsoft Windows got them (reportedly 1999), based on an IDG report and one from Beta News that said at the time: “It appears that Microsoft Windows is not the only operating system on the market that has a backdoor for those users who know the magic words. While Red Hat officials downplayed its seriousness, a team at Internet Security Systems, Inc. reports the security hole allows an intruder to access and modify files on systems running the most recent version of Red Hat Linux.”

Speaking of Red Hat, we are saddened to see it taking a stance of silence on the whole systemd issue. Red Hat is very much complicit in it, but it refuses to say anything. In fact, criticism of systemd is now being treated almost as taboo in Debian mailing lists because systemd’s creator has shrewdly personified the issue and made it political, eliminating any chance to have truly technical debates about systemd. Personally, I worry the most about the number of bugs it would introduce, opening the door for exploitation. It replaces too many mature components. Microsoft’s propaganda network 1105 Media keeps spreading negative articles about FOSS because of such feuds (the systemd feud), so we don’t wish to feed this fire right here. Well, at least not right now.

Incidentally, also on the subject of security, here is a good new article titled “Enough! Stop hyping every new security threat” (especially against FOSS).

The author explains that “now it has reached a fever pitch, with proactive marketing of individual exploits with supercool names — Shellshock, Heartbleed, Sandworm — some of which even have logos.”

“Logos for malware,” he asks, “Really?” Microsoft partners did the logo work to help demonise FOSS and stir up a debate about FOSS security as a whole (because of one single bug!). There have hardly been any stories (i.e. evidence) that the Bash bug and OpenSSL bug resulted in some disaster or meltdown.

The bottom line is, proprietary software such as Windows has back doors and causes stormy weather on the Web (DDOS attacks). It’s Microsoft Windows that should be taken down as part of takedown requests, not innocent videos, whole networks (like No-IP) and FOSS code (GitHub) that Microsoft maliciously and deceivingly (against the law) calls offending and tries to take down.
