
06.06.13

UEFI ‘Secure’ Boot is Not About Security, Insyde Software’s Business Model is Misguided and Dangerous

Posted in GNU/Linux, Kernel, Security at 9:10 am by Dr. Roy Schestowitz

Corporate insecurity for Insyde Software, corporate security for Microsoft

Summary: Promotion of bad ideas by Insyde Software merits another discussion about what UEFI actually means to ordinary GNU/Linux users

The main problem with UEFI is its effect on freedom. It’s not just about restricted boot but also patents and other issues covered in the criticism section in Wikipedia.

A new press release from Taiwan describes UEFI as a security mechanism, but this is utter fiction. Last month I spoke for over an hour with the president of the UEFI Forum, covering at length the aspect of security. He too was led to agree with me that security is hardly improved by UEFI, which can have its barriers bypassed and ignored. The press release says something like this:

Insyde Software, a leading provider of Unified Extensible Firmware Interface (UEFI) BIOS, today announced the availability of new UEFI security features including Secure Boot and secure firmware update for leading Linux distributions.

No, thanks. Linux does not need UEFI for security. Even Torvalds rejects the ‘security’ claim (he dislikes ‘secure’ boot in general [1, 2]). So the above is a marketing gimmick, that’s all. Insyde Software will boost flawed claims of ‘security’, so we should all be prepared to rebut them.

Dr. Garrett, an expert in this field and occasional apologist, demonstrated that UEFI with Linux can brick hardware [1, 2, 3]. So much for security, eh? He is supporting it, sadly enough, based on very weak grounds. He should have antagonised it instead. Earlier this week he posted an update on the bricking issue:

Meanwhile, Samsung got back to us and let us know that their systems didn’t require more than 5KB of nvram space to be available, which meant we could get rid of the 50% value and replace it with 5KB. The hope was that any system that booted with only 5KB of space available in nvram would trigger a garbage collection run. Unfortunately, it turned out that that wasn’t true – some systems will only trigger garbage collection if the OS actually makes an attempt to write a variable that won’t otherwise fit.

So the search for a solution goes on under the false pretences that buggy, experimental UEFI sometimes adds something for GNU/Linux users to enjoy. The practical benefits of UEFI are very minor to ordinary desktop users. UEFI is good for two monopolies: the Intel/x86 monopoly and the Windows monopoly.

05.20.13

Not Satire: Microsoft Wants to Show the World How Security is Done

Posted in Microsoft, Security, Standard at 9:13 am by Dr. Roy Schestowitz

Microsoft tries to paint itself as “fighting the bad guys”

Summary: Software security ‘standard’ to be led by the company which made insecurity an acceptable engineering practice?

According to this new report (criticised heavily in this LXer thread), Microsoft is trying to lead security standards as if Microsoft is the master of security. Oh! The vanity!

Microsoft is not just bad at security but also at patching security flaws; many people, especially in businesses, won’t install updates from Microsoft without qualms because these tend to break the software every now and then, as recently as a few weeks ago. As IDG put it: “The saga of botched patch MS13-036 takes new twists and turns — including a problem with Multiple Master fonts” (familiar story, not the first of this kind).

Go on and wonder how poor modularity must be if a security patch can impact fonts. Previously, roughly half a decade ago, Microsoft fonts also enabled remote hijacking of one’s Windows-running PC.

“Our products just aren’t engineered for security.”

Brian Valentine, Microsoft executive

05.04.13

Microsoft’s Skype as a Universally-accessible Backdoor, Patent Infringement

Posted in Microsoft, Security at 4:19 am by Dr. Roy Schestowitz

Summary: New Skype antifeature enables remote control of computers and Skype attracts patent lawsuits, too

The Microsoft-controlled Skype is not the same software it used to be. The architecture has been revised. Microsoft Skype is legalised malware and it abducts the computers of people, Microsoft Windows not being a prerequisite, gaining access to the connected camera, microphone, files, etc.

Based on this article, it is getting yet uglier:

After six malicious takeovers of his Skype account, a frustrated security researcher has posted his attempts to get Skype’s help. Here’s how to protect yourself.

The update says “Skype has not responded to request for comment, yet email and comments relate more instances of account hijacking with the same technique.”

And later on comes a face-saving response which does not actually address the subject. Microsoft does nothing to alleviate the fears.

Speaking of Skype, VirnetX, which we covered here many times before (the context being patent litigation against Microsoft) is suing Microsoft over it, citing patent violations. To quote the Indian press:

According to research firm ISI Group, most of VirnetX’s revenue has come from a 200 million dollars patent-infringement-related settlement reached with Microsoft in 2010.

It is unlikely that Skype will be sued out of existence, but either way, whatever weakens it will do society good. The FSF has done a lot of activism against Skype for a reason. It’s high priority on the kill list.

04.07.13

UEFI Restricted Boot No Longer Valid for Security, Keys Leaked

Posted in Antitrust, GNU/Linux, Microsoft, Security at 2:30 pm by Dr. Roy Schestowitz

As much about security as multimedia DRM

Summary: Antitrust offences with UEFI restricted boot can no longer be defended as an act of enhancing security because keys are leaking

A Fedora developer was the first to embrace Microsoft’s restricted boot, so Fedora has usually been ahead of the curve on this issue, and it shows.

Torvalds criticised Red Hat for complicity with Microsoft [1, 2] after he had slammed restricted boot as something that would not improve security. He was right. Keys were inevitably leaked, leaving UEFI restricted boot (which former Novell/SUSE developers too helped promote) in a position where it is only an antitrust issue with nothing to do with computer security, just protectionism. As one new article puts it, the “Linux Lawsuit Shines Uncomfortable Light on UEFI Standard”, and a Restricted Boot proponent leads with this news about UEFI signing keys getting leaked:

A hardware vendor apparently had a copy of an AMI private key on a public FTP site. This is concerning, but it’s not immediately obvious how dangerous this is for a few reasons. The first is that this is apparently the firmware signing key, not any of the Secure Boot keys. That means it can’t be used to sign a UEFI executable or bootloader, so can’t be used to sidestep Secure Boot directly. The second is that it’s AMI’s key, not a board vendor’s – we don’t (yet) know if this key is used to sign any actual shipping firmware images, or whether it’s effectively a reference key. And, thirdly, the code apparently dates from early 2012 – even if it was an actual signing key, it may have been replaced before any firmware based on this code shipped.

But there’s still the worst case scenario that this key is used to sign most (or all) AMI-based vendor firmware. Can this be used to subvert Secure Boot? Plausibly. The attack would involve producing a new, signed firmware image with Secure Boot either disabled or with an additional key installed, and then to reflash that firmware. Firmware images are very board-specific, so unless you’re engaging in a very targeted attack you either need a large repository of firmware for every board you want to attack, or you need to perform in-place modification.

Now we know that UEFI restrictions had nothing to do with security and eventually became just a competition barrier. Rather than cracking we are seeing leaking as the end of UEFI restricted boot’s (or ‘secure’ boot’s) reputation.

03.24.13

Microsoft Skype Gives Everyone’s Location, Enabling DDOS Attacks

Posted in Microsoft, Security at 9:46 am by Dr. Roy Schestowitz

Summary: Microsoft refuses to fix a DDOS risk which it knows about

Several years ago, before Microsoft acquired Skype, I had run some network monitoring tools and found out that Skype was revealing people’s IP addresses very liberally. It was quite shocking at the time, partly because it connects people in each other’s contact lists like they are some kind of botnet. The ISP can easily map this to show associations between people and their physical locations. Now this is characterised as a security issue in Skype — one that Microsoft refuses to address:

It’s been more than a year since the WSJ reported that Skype leaks its users’ IP addresses and locations. Microsoft has done nothing to fix this since, and as Brian Krebs reports, the past year has seen the rise of several tools that let you figure out someone’s IP address by searching for him on Skype, then automate launching denial-of-service attacks on that person’s home.

I had noticed this well before the WSJ wrote about it and these days I use Linphone on the desktop, tablet, and phone. There are other SIP clients which are good and do not infringe people’s rights to privacy, among other human rights.

03.08.13

Trustwave, a Microsoft Partner, is Still Spreading Linux FUD

Posted in FUD, GNU/Linux, Microsoft, Red Hat, Security at 11:04 am by Dr. Roy Schestowitz

Wave of GNU/Linux scare-mongering

Summary: Percoco chooses to chastise Linux over security issues, even though upon pressure he admits that he is not aware of any particular issues

Recently we saw some remarkable GNU/Linux FUD coming from Trustwave [1, 2, 3], which is a Microsoft pal. Watch this new article which says: “eSecurity Planet met up with Nicholas Percoco, senior VP at Trustwave SpiderLabs, during the RSA conference last week to discuss the state of PaaS security. Percoco specifically took aim at the Red Hat OpenShift PaaS in his demo, though he cautioned that OpenShift is not necessarily vulnerable.”

Why did he pick Red Hat as his target? Sounds like deliberate FUD. The author of the article is a Linux proponent, so with the above interview he helped show what we consider to be selective criticism. Trustwave works with Microsoft, so it would not be smart for it to say negative things about Windows. This is not an isolated example of such FUD patterns.

03.05.13

Microsoft is Moving the Security Goalposts

Posted in Deception, Microsoft, Security at 12:48 pm by Dr. Roy Schestowitz

Armchair researchers fall right into the trap

Summary: Microsoft’s “patch Tuesday” is being rebranded and studies that are based on it continue to make GNU/Linux look bad

The game of counting vulnerabilities is a dirty game which Microsoft knows how to cheat in.

“Microsoft renames ‘patch Tuesday’,” said a reader of this site, pointing to this article. “What those updates would contain remained a mystery to the experts,” says the article. Yes, because when you patch proprietary software nobody really knows what is going on.

This comes amid some security PR from Microsoft partners like Trustwave [1, 2] (it got to LWN) and Sourcefire, which seems to think that Linux has existed since 1988 in its so-called analysis, which neglects to take account of Microsoft’s hidden patches. Be wary and sceptical of so-called ‘security’ reports that compare platforms on particular criteria scored on public knowledge alone. Microsoft has already admitted hiding security-related patches.

02.18.13

Search and Security a New FUD Vector for Microsoft

Posted in GNU/Linux, Google, Microsoft, Search, Security at 6:07 am by Dr. Roy Schestowitz

Summary: Microsoft is searching for new fear-mongering ideas as it loses online (services and servers)

The decline of Bing has been rapid and I now see it accounting for no more than 5% of search engine referrals in my sites (I manage about a dozen). Bing is dying, so Microsoft resorts to pathetic FUD. It resorts to FUD such as this Scroogled [1, 2] nonsense we covered here before, while it is also lying and cheating with secret belated patches to demonise Google’s server platform of choice. We still see Microsoft’s partner Trustwave seeding Red Hat and Linux FUD, not noting that Microsoft even admits not disclosing patches. Steven J. Vaughan-Nichols has just written about this too:

Linux, Windows, and security FUD

It’s 2013, but the Linux FUD just keeps coming. In the most recent example, security firm Trustwave claimed that Linux kernel vulnerabilities went unpatched more than twice as long as it took to fix unpatched flaws in Windows. This assertion would be a lot more believable if it wasn’t coming from a Microsoft partner.

[...]

What no one seems to have bothered to do when they reported that Linux was far more lax about taking care of so-called zero-day flaws was to see where Trustwave was coming from. Had they bothered with even a simple Google search they would have found that the company had partnered with Microsoft to bring their application firewall to Internet Information Server (IIS). In particular, Trustwave made a point of boasting how they’d collaborated with the Microsoft Security Response Center (MSRC).

[...]

In the meantime, Linux, which I freely admit isn’t completely secure—no operating system on the planet ever will be—continues to be trusted by the world’s biggest Web sites, such as Google, Facebook, and Wikipedia and by such mission-critical sites as the New York Stock Exchange and the London Stock Exchange. Now, as it has been for decades, Linux remains more secure than Windows, and no FUD can refute this.

Watch out for Microsoft spin because a lot of it exists right now and we haven’t the capacity to track all of it anymore. A full-time job and family limit my ability to do this like I used to.
