Summary: The number of vulnerabilities which Microsoft tells the NSA about (before they are patched) is growing significantly
NOT ONLY Apple should be in the headlines for its back doors, which Apple is hardly denying. Apple admits putting them in there but is evasive about the motives. What about Microsoft? Why is the press not covering Microsoft’s back doors, as confirmed last year?
The other day we found this report [via] about “Internet Explorer vulnerabilities increas[ing] 100%” (year-to-year):
Bromium Labs analyzed public vulnerabilities and exploits from the first six months of 2014. The research determined that Internet Explorer vulnerabilities have increased more than 100 percent since 2013, surpassing Java and Flash vulnerabilities.
Here is more on the subject:
The report summarises public vulnerabilities and exploit trends that the firm observed in the first six months of 2014 and found that Microsoft’s web browser set a record high for reported vulnerabilities in the first half of 2014 while also “leading in publicly reported exploits”.
Remember that Microsoft tells the NSA about these vulnerabilities before they are patched. Perhaps the media should stop focusing only on Apple’s back doors. █
Summary: The biasing strategy which continues to be used to demonise Free/Open Source software (FOSS), along with some new examples
SEVERAL days ago several people told us about this article from Matt Asay. Ignoring the issues with proprietary software (EULAs, back doors, etc.), the article makes the bizarre claim that “we’re living in a post-open source world”, as if Free/libre software no longer matters. One reader told us that Asay had been “trolling for Black Duck”. Well, looking at the licensing strategy of Asay’s current employer, this position is easy to explain.
Unfortunately, however, the problem in this case is what Red Hat staff called “Asayroll” (a troll) and what we often call Mac Asay (he does not use FOSS himself). He used to be a fan of the GPL but then turned against it. Black Duck is just one among several data points he now uses to bash the GPL. Other data points (at least two) were partly Microsoft-funded as well; they are good at hiding it. It is information war, striving to change perception and kill the GPL with words.
It is not a surprise that Asay attacks the GPL, and this is actually IDG’s second article in about a week which attacks the GPL while citing Microsoft-connected entities. They must be terribly afraid of copyleft, or maybe they are paying lip service to their clients (like Microsoft).
In other FUD, Dan Goodin, with his provocative images, continues to attack FOSS security, focusing all his attention on bugs in FOSS rather than back doors in proprietary software. “Researcher uncovers “catastrophic failure” in random number generation,” he says. Well, actually, LibreSSL’s randomness is much better than that of Intel’s hardware-’accelerated’ RNGs (which likely facilitate back doors by keeping entropy low) and of proprietary software, which uses weak (by design) encryption. “Dan is the Security Editor at Ars Technica,” says the site, which really says a lot about where Condé Nasty (owner of Ars Technica) stands on security. It only trash-talks FOSS and GNU/Linux. This is systematic bias, usually by omission.
In more relevant news, see the article “Embedded Windows XP systems targeted by new Chinese malware”. It says:
“It is exceedingly hard to protect against malware when it ships pre-installed from the factory. The average business, even a large enterprise, simply isn’t set up to perform this kind of due diligence on incoming hardware with embedded systems, whether it’s Windows, Linux or another platform. If an organisation wants to ensure privacy for itself and its customers, it must bear the cost of security somewhere in the supply chain, whether that’s in increased cost of a higher assurance supplier, or in post-purchase testing,” he explained.
Why is Linux dismissed as an option? Windows has back doors, so it can never be deemed suitable for financial transactions. Why insinuate that this kind of issue is inherent to the task?
They should call out Windows and Microsoft’s connections with the NSA, which is in turn connected to US banks. No country other than the US can ever trust Windows for use in ATMs. That’s a fact.
We are disappointed to see incomplete, biased, vengeful ‘reporting’ with an agenda tied to companies/friends/employers of the writers/publishers. This is not journalism. It’s trash talk disguised as “news”. █
No Microsoft Office in China
Summary: Developments in China reveal that the security and privacy threats posed by reliance on Microsoft are so great that a ban becomes inevitable and continues to expand (Microsoft is put on more and more block lists and blacklists)
Let’s face it: Microsoft is in very serious trouble. Citing security, China already bans Windows (latest version), a top cash cow of Microsoft Corporation, which has only a few profitable products. Microsoft is now trying to warp the debate and deny back doors, even though Snowden provided evidence that speaks for itself. Windows has back doors that the NSA is exploiting. The other cash cow, Office (latest version), is also being banned in China, again for security reasons. Microsoft as a whole is being banned and censored, little by little (even its surveillance proxy, Yahoo, is being censored). This will be a big gain for free/libre office suites, including some Chinese versions (IBM employed people in China to work on OpenOffice with ODF). We will write more about the FOSS angle some time tomorrow, as it’s a broad (and rapidly broadening) subject.
Watch the Microsoft propaganda and vengeance in Microsoft media. For instance, a Microsoft MVP and longtime booster says (without mentioning Microsoft’s strong connection with the NSA) that there is “malicious intent” here. It is actually a matter of national security, because the NSA breaks into the networks of companies like Huawei. Who is really malicious then? Here is a better and newer article about the ban of Microsoft Office 365 (5 days of downtime). “Microsoft is working very hard to change the way that people see them,” says one article (part of this latest propaganda campaign [1, 2, 3, 4]), and the key word is “see”. No change in behaviour is part of the plan, especially when it comes to security and privacy. It is about perception. Some influential publishers who were paid by Microsoft are helping this perception management campaign right now, which proves that to Microsoft it’s all about marketing, not policy. The article “Microsoft Office Banned by China” generalises to make it seem as though Office on the desktop is banned too, and since it is written by a Microsoft MVP on a Microsoft site we can expect the usual ridicule of China. Here is part of the full article from the Microsoft booster:
In April of this year, Microsoft made Office 365 available in China through a partnership with 21Vianet. Office 365, of course, is Microsoft’s online, Cloud edition of the industry leading office productivity software.
China represents a huge potential market for Microsoft. In addition to the launch of Office 365 in the country, Microsoft cut the ribbon on a new Azure datacenter in March.
But, Microsoft’s march to China dominance has been severely hampered as of late, and it seems with malicious intent by the country’s leadership.
This is great news, but a lot of the Western media has not picked it up. Interesting. Maybe there is fear that this might inspire other governments. █
Summary: Observations and analysis of some recent deception in corporate news sites (like Condé Nasty), trying to pretend that Microsoft is secure, that Microsoft is pursuing security, and that FOSS and Android security or privacy are inherently poor
THE KARMA (or blowback) that Microsoft is meeting right now is a result of it sucking up (for government subsidies) to the NSA et al. for a decade and a half. Putting back doors in one’s software is not a safe bet for a business.
As a longtime Internet saboteur (most recently Microsoft broke No-IP and offered no real apology, knowing perhaps that an admission would fuel lawsuits), Microsoft should never be trusted for anything Web-based. This is perhaps why China has put Microsoft’s latest Office push on the blacklist. “Yesterday,” said one article, “Microsoft convinced a judge to let it take over No-IP’s DNS service, shutting down name service for many websites, in order to stop a malware attack. Today, the company fake-pologized.”
Never mind the fact that, as we explained before, the malware was partly Microsoft’s fault, for making a piece of software that’s insecure by design (and with back doors). “Microsoft’s PR mailout says that “some customers” experienced “temporary” loss of service but that everything was fine now; shortly after, the company’s PR emailed journalists again to say that things were still massively screwed up. It blamed the whole mess on a “technical error,” but when you look at what the judge believed about No-IP when the order came down, it’s clear that the “technical error” was a gross overstatement of both No-IP’s involvement in Microsoft’s woes, and the best way to sort them out.”
Notice how Microsoft is rallying so-called journalists. It is a company of liars and cover-ups. Why would anyone believe a single word?
The very fact that Microsoft was able to shut down millions of legitimate services shows just how much Microsoft has corrupted its government. It used the court for powers like hijacking a whole network. The No-IP story turned out to be far more outrageous than most people realised, as the press had been deceiving them at Microsoft’s behest. People should be fuming and Microsoft sued out of existence, but we just don’t know if this is actually going to happen. If Tux Machines were still on No-IP (as it had been for years, until recently), then it would have been one among millions of victims, potentially down for days.
Now, watch the audacity of Microsoft. With help from the Gates fan press it pretends to be “against the NSA” and “transparent”. A bigger lie is hard to imagine, but this is marketing. This is part of a propaganda campaign which is going on at the moment (in many countries) and would have the gullible believe that Microsoft ‘fights back’ against the NSA, or something along those lines. One piece of propaganda was titled “Microsoft mocks NSA” and another doubts that it is “NSA-proof” (it is not; with PRISM Microsoft can provide direct access, never mind NSLs).
Corporate media is meanwhile trying hard to push FOSS as “insecure” back into the debate. The Gates fan press recently did this (citing familiar FOSS-hostile firms) and ‘Information’ Age conflates “proprietary” with “enterprise”, insinuating that FOSS is inherently not for enterprises (this is another type of FUD). Apparently, in addition to all that, a few lines of code (one bug) are the beginning of a new world. It’s that “Heartbleed” nonsense, a word coined by a Microsoft-linked firm for greater impact in an already FOSS-hostile media (here is Adrian Bridgwater’s cheeky attack on FOSS, exploiting news from 3 months ago, and here is another example). What the corporate press rarely tells readers about “Heartbleed” is the insidious connection to Microsoft.
There are those who look for bugs in old versions of Android which can leak location data because of the Wi-Fi stack, but these are not critical. “Android phones running 3.1 and newer versions of Google’s mobile operating system are leaking Wi-Fi connection histories, the Electronic Frontier Foundation has discovered,” says one source. Furthermore, says The Mukt, “Android seems to be the center of attention when it comes to mobile security concerns. In the latest, Electronic Frontier Foundation (EFF) has made claims that if you are an Android smartphones user, there is a high risk that your location history is being broadcasted to those within your Wi-Fi range.”
So basically, when it comes to FOSS there is not much to complain about except privacy bugs and some security bug from three months ago. As Ryan pointed out some days ago in IRC (citing IDG): “UPDATE: IBM on Monday corrected its report to say that the problem is not as widespread as originally thought. “The vulnerability affects Android 4.3 only. Thanks for the Android Security Team for correcting our advisory,” IBM said. About 10.3 percent of Android devices run Android 4.3.”
“That’s some sloppy reporting,” Ryan wrote. “First they reported that 86% of Android devices were affected by a critical security hole. Then they issued a correction, that it was only one version of Android that represents 10% of devices, and not even the latest version. We also don’t know that all Android 4.3 devices are affected, because OEMs can backport patches to their current firmware even when they don’t want to do a major Android upgrade at the moment. Archos kept backporting patches to Android 4.0 for a long time.
The original report, as far as we can tell, came from Android and Linux basher Dan Goodin. He led the way for writers, including at his former employer, to hype up an Android vulnerability. “It’s hard to exploit,” said his former employer, but at Condé Nasty it is called “serious”. This, in our view, is part of the hype which seeks to paint FOSS as “insecure”, never mind the many back doors we now know of in proprietary software like Microsoft’s.
Just remember that Condé Nasty, and especially its writer Dan Goodin, has been on some kind of villainous jihad against GNU/Linux for months now, distorting facts to make it seem as though FOSS cannot be trusted.
To us it seems clear why all this FUD is being disseminated. Citing security concerns, large governments are moving away from pricey proprietary software with back doors, notably Microsoft’s. Watch Microsoft lying to governments of the world:
No backdoors in our code: Microsoft bid to convince governments
In yet another sign that the revelations about blanket NSA spying are biting into business revenue, Microsoft is offering to open up its source code to governments so they can satisfy themselves that there are no backdoors implanted.
There appears to be a fear among technology companies that if Microsoft is forced to do the government’s bidding, then American cloud businesses which operate in other countries could stand to lose a lot of business.
Snowden’s revelations have led to a drop in overseas business for at least two technology firms – Cisco and IBM. Additionally, the Boeing company lost an order from Brazil, which opted to go with Sweden’s Saab for $US4.5 billion worth of aircraft.
These are lies, and Snowden’s revelations provided enough hard evidence to prove it. Expect many more attacks on FOSS from a security angle. Microsoft will try to save its cash cows using a new ‘flavour’ of disinformation, as usual. █
Condé Nasty’s building, located near Wall Street
Summary: Articles about security issues at Condé Nasty (owner of Ars Technica) fail to focus on inherent flaws in software that is secret (and has back doors baked in), instead amplifying alarms over FOSS bugs
We recently saw some reports about Android vulnerabilities which actually count for something, e.g. privilege escalation put in proper context (the user needs to actually install the software). But some people, and especially Goodin, would rather hype up non-issues and post them under “Risk Assessment / Security & Hacktivism” (an anti-Linux and now anti-Android section at Condé Nasty). They ignore the real security issues such as back doors, instead focusing on this kind of nonsense, saying that a design change could heighten security risks for users. This is a continuation of very incomplete, one-sided coverage, where only FOSS is ever characterised as insecure. It is propaganda by omission, and Goodin is exaggerating the severity of flaws while adding provocative images to further increase the magnitude of fear. There is an agenda there; it is irresponsible to say the least, as we recently showed.
Maybe Goodin should highlight automatic updates of whole operating systems such as Windows. Why is he only picking on Android/Linux? Based on some reports, the FBI is listening to Android devices remotely. Maybe this is the kind of thing Goodin should cover, but he never does. Spooks may be hijacking automatic updates (such as Windows automatic updates) using back doors and collusion like PRISM, but Goodin is not interested in these matters. He would rather overlook the big issues like proprietary software which declines to obey settings that block automatic updates (Windows does this). Windows is the Swiss army knife of spooks, some of whom went on from agencies like the FBI to top positions inside Microsoft (and later to the firm which created hype/FUD about ‘Heartbleed’ [1, 2, 3]).
People who only cover issues in FOSS instead of back doors in Windows cannot be taken seriously. It’s just so Condé Nasty (owner of Ars Technica for a few years now).
When Microsoft employees who reveal secrets of Windows get jailed and deported we should clearly divert scrutiny in that direction, but it is not happening. This site should be capable of better journalism on software issues, such as this very detailed new article about Android. Only balanced journalism will make this site look like real journalism. █
Summary: Microsoft’s software must be truly malicious if revealing its “secrets” gets people who work for Microsoft jailed for several months and then deported
A LOT of the press continues to ignore the real threats to our (digitised/digital) liberties online. The corporate press barely writes about back doors in proprietary software like Windows (the back doors are there by design) and instead props up the whole “Heartbleed” hype [1, 2, 3]. Here, for example, is an article in which, 2 months (yes, 8+ weeks) after some lines of code were shown to have an error in them (dubbed “Heartbleed” by a Microsoft-linked firm and then marketed like classic FUD), IDG conveniently deduces that all of FOSS is not secure. This is disgraceful FUD and it’s part of a pattern we have been seeing. Sure, there is lots of business in such generalisations, including for insecurity firms like Symantec, which maliciously gets closer to Linux groups (surely to sell some snake oil and claim that FOSS needs proprietary “anti-viral” software add-ons to be secure).
It should be noted that months ago there were many articles about how insecurity firms like Symantec (with odious Microsoft links in their management) needed to intentionally overlook government-developed malware (like Stuxnet) and back doors. It all adds up to one thing: the least secure practice in IT is one that involves introducing secret code into complex systems. One proprietary program is enough to compromise a larger system.
According to this article, allowing the public to see Microsoft secrets is a serious crime that gets you imprisoned and deported. “The Government timed its Complaint and Arrest Warrant to coincide with Mr. Kibkalo’s pre-arranged attendance at a technology conference in Bellevue,” says one article. Another says:
Kibkalo’s circumstances are somewhat different than most employees that get on the “outs” with their tech companies: in his case, Microsoft sifted through the emails and documents of the French blogger in order to detect the source of the leaked information – and then discovered that it was Kibkalo. Microsoft says that it regrets its actions, despite the fact that it doesn’t need a warrant to search the emails of its own customers. At the same time, there was an issue with Microsoft’s violation of customer privacy – and privacy advocates find the company violation to be more than an issue of subjective preference. They view it more as an “improper search and seizure.” What grounds did Microsoft have to do this?
Here we have two issues: the first is that Microsoft illegally spies on E-mails (we covered this before) and the second is that the very notion of being allowed to see Microsoft source code (e.g. to find the back door) or some “secrets” is now a serious crime with serious punishment. For a ‘transparent’ and ‘open’ “new Microsoft” (marketing nonsense) this sure doesn’t bode well. █
Attempts to belittle the “eyeballs on the code” motto
Summary: Another week brings another set of bugfixes, which some choose to characterise as a very big deal despite evidence to the contrary
WHEN one has an agenda one can accentuate a particular side by covering it excessively. To be frank, not only FOSS-hostile circles are to blame for security hype; even some FOSS-friendly sites are releasing articles like “Linux Malware And Antivirus” or covering every security fix as though it were major news. Consider just the past few days in Softpedia: a SteamOS bugfix is news and the same goes for Ubuntu, because these projects make attractive headlines, especially after the whole “Heartbleed” hype [1, 2, 3]. Guess who was behind it: the firm of Microsoft’s ‘former’ security chief. GnuTLS was subjected to the same treatment by the same Microsoft-connected firm because, like any project, it has bugfixes [1, 2], never mind the real security issues (back doors in proprietary software like Windows).
Amid some of the latest reports from Microsoft-friendly sources and FOSS-friendly sources like SJVN (we cited two of these articles before) we should keep in mind that not all bugs are created equal, and if we let every bugfix in a project like Linux or OpenSSL become major news, then we will lose sight of the real issue, which is proprietary software having bugs by design, to facilitate intrusion.
Kevin Poulsen, who did some Wikileaks-hostile coverage back in the day, correctly points out that “After Heartbleed, We’re Overreacting to Bugs That Aren’t a Big Deal”. Here is how his article begins:
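Both the previous post and this paragraph reduce “Heartbleed” to “some lines of code” with an error in them. For readers who want to see what that error was, here is a small Python model added by the editor (it is not code from OpenSSL, from this site, or from the firm that named the bug): a heartbeat handler that trusts the peer’s claimed payload length beside one that checks that length against the record it actually received, which is the shape of the upstream fix. The message-building helper, the function names and the “adjacent memory” bytes are constructed for the illustration.

```python
import struct
from typing import Optional

# TLS heartbeat message (RFC 6520): type(1) | payload_length(2) | payload | padding(>=16)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Constructed helper: build a heartbeat request. `claimed_length` lets the
    sender lie about the payload size, which is what a Heartbleed probe does."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def vulnerable_respond(memory: bytes, record_len: int) -> bytes:
    """Pre-fix logic: copy payload_length bytes from the start of the payload and
    never compare that length with the size of the record actually received.
    `memory` models the process heap: the record followed by whatever sits after it."""
    _, payload_len = struct.unpack("!BH", memory[:3])
    echoed = memory[3:3 + payload_len]  # runs past record_len into neighbouring data
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + echoed + b"\x00" * MIN_PADDING


def fixed_respond(memory: bytes, record_len: int) -> Optional[bytes]:
    """Post-fix logic: silently discard any heartbeat whose header, claimed payload
    and minimum padding do not all fit inside the received record."""
    if record_len < 1 + 2 + MIN_PADDING:  # too short to hold even header and padding
        return None
    _, payload_len = struct.unpack("!BH", memory[:3])
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        return None  # the bounds check that was missing
    echoed = memory[3:3 + payload_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + echoed + b"\x00" * MIN_PADDING


def demo():
    """Constructed scenario: a 2-byte payload with a claimed length of 20, followed
    in memory by a secret that was never part of the record."""
    secret = b"session-cookie=deadbeef;"
    probe = build_heartbeat(b"hi", claimed_length=20)
    heap = probe + secret
    leaked = vulnerable_respond(heap, len(probe))
    dropped = fixed_respond(heap, len(probe))
    return leaked, dropped


if __name__ == "__main__":
    leaked, dropped = demo()
    print("vulnerable handler echoed:", leaked[3:23])
    print("fixed handler returned:", dropped)
```

The vulnerable path echoes 20 bytes although the record only carried 2, so the tail of the response is whatever happened to follow the record in memory; the fixed path rejects the same message outright. The point the text makes still stands: the whole difference is one length comparison.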
Here’s something else to blame on last April’s Heartbleed security bug: It smeared the line between security holes that users can do something about, and those we can’t. Getting that distinction right is going to be crucial as we weather a storm of vulnerabilities and hacks that shows no sign of abating.
Last week the OpenSSL Foundation announced it was patching six newly discovered vulnerabilities in the same software that Heartbleed lived in. The first reaction from many of us was a groan–here we go again. Heartbleed triggered what was probably the single largest mass-password change in history: In response to the bug, some 86 million internet users in the U.S. alone changed at least one password or deleted an internet account. The thought of a repeat was (and is) shudder-inducing.
Be aware that there is a disturbing trend right now, where so-called ‘security’ firms (opportunists chasing attention) or media companies try to exploit general security paranoia (or privacy concerns) to ‘sell’ us stories about ‘gaping holes’; the reality is usually just some routine bugfixes, wrapped up by those who have an agenda. Dan Goodin and the Microsoft-connected firm (which even branded a bug) are some of the worst in this regard. █
Bugs inside blobs are also serious bugs, and sometimes there by design
Summary: The increased media coverage of bugs in security-sensitive FOSS projects reveals lack of desire to cover much bigger threats, including back doors in proprietary software such as Windows
OpenSSL has become something of a whipping boy for the technology press. One reason is that OpenSSL is widely used, but another is that it is known what the issues are (transparency), and the corporate media sure has an agenda. We already gave the example of Dan Goodin, to whom security bugs are only news if they affect FOSS (here is his latest go at it), and now that GnuTLS bugs have become public knowledge (after a public release with full source code) there is some more coverage that resembles what we found amid the “Heartbleed” hype [1, 2, 3] (in both cases a firm with Microsoft connections claimed credit for other people’s discoveries and trumpeted FUD in the press). One can expect the same from Microsoft-funded ‘news’ networks like IDG and ZDNet, which merely cover an already fixed bug. To quote the summary:
The security team behind the Debian distro are urging users to upgrade their Linux packages after patching a newly-found flaw in the Linux kernel.
This is not an unusual thing. Why is this suddenly front page news?
Notice the pattern. In all cases the bugs are already fixed (users just need to apply updates, unless these have already been applied automatically). This shows a strength of FOSS, not a weakness. The latest OpenSSL patches that we covered a couple of days ago (in daily links) do not amount to a huge risk, and these are already patched. The same goes for kernel bugs.
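Since the point above is that the fix is already out and users only need to apply updates, the practical check is whether the installed package version is at or beyond the version an advisory names as fixed. The following Python implementation of the Debian version ordering (epoch, upstream version, Debian revision, with the `~` and letter rules that dpkg uses) is an example added by the editor, not code from Debian, dpkg or this site; the package inventory at the bottom is constructed and its version strings are illustrative rather than copied from any particular advisory.

```python
from typing import List, Tuple


def _order(c: str) -> int:
    """dpkg's character weights: '~' sorts before everything (even end of string),
    letters sort before non-letters; digits are handled numerically elsewhere."""
    if c == "":
        return 0
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments (upstream version or Debian revision) the way
    dpkg does: alternate non-digit runs (weighted lexically) and digit runs (numerically)."""
    while a or b:
        first_diff = 0
        # non-digit run
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a else 0
            bc = _order(b[0]) if b else 0
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # digit run: drop leading zeros, the longer run wins, else the first differing digit
        a = a.lstrip("0")
        b = b.lstrip("0")
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""  # absent revision compares equal to "0"
    return epoch, upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Negative if v1 < v2, zero if equal, positive if v1 > v2 (Debian ordering)."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    c = _verrevcmp(u1, u2)
    if c:
        return c
    return _verrevcmp(r1, r2)


def is_patched(installed: str, fixed_in: str) -> bool:
    """True when the installed version already carries the advisory's fix."""
    return compare_versions(installed, fixed_in) >= 0


# Constructed inventory: (package, installed version, version the advisory calls fixed).
# The version strings are illustrative, not taken from any specific advisory.
SAMPLE_INVENTORY = [
    ("openssl", "1.0.1e-2+deb7u10", "1.0.1e-2+deb7u10"),
    ("gnutls26", "2.12.20-8+deb7u1", "2.12.20-8+deb7u2"),
    ("linux-image-amd64", "3.2+46", "3.2+46"),
    ("libfoo", "1.0~rc1-1", "1.0-1"),
]


def pending_updates(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the names of packages whose installed version predates the fix."""
    return [pkg for pkg, installed, fixed in inventory if not is_patched(installed, fixed)]


if __name__ == "__main__":
    for pkg in pending_updates(SAMPLE_INVENTORY):
        print("still vulnerable:", pkg)
```

On a real host the installed column would come from `dpkg-query -W -f='${Version}' <package>` and the fixed column from the advisory text; a string comparison is not enough, because `u7` must sort before `u10` and `1.0~rc1` before `1.0`, which is exactly what the digit-run and `~` rules above encode.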
What we find highly disturbing here is that despite discoveries that companies like Apple and Microsoft facilitate the NSA with back doors (in secret code) we see a disproportionate focus on every small bugfix in projects such as GnuTLS, OpenSSL, and Linux. Someone might be trying very hard to make the point that FOSS is the issue, not back doors which are very much included by design (and hidden in blobs). Reporters who cover bugs in FOSS but never cover back doors in proprietary software ought to be challenged. Their bias (by omission) should be pointed out to them. █