EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS


Another French Tragedy: Only the Insane Would Put Windows in Airports

Posted in Microsoft, Security, Windows at 7:32 am by Dr. Roy Schestowitz

“If you (Senator Wellstone) vote against the war in Iraq, the Bush administration will do whatever is necessary to get you. There will be severe ramifications for you and the state of Minnesota.”Vice President Dick Cheney to Senator Paul Wellstone (D), October, 2002, just days before Wellstone’s death in an airplane accident

At airport

Summary: The involvement of Microsoft Windows in mission-critical systems (where many lives are on the line) shows extreme negligence and lack of foresight

FRANCE appears to have had problems other than terrorism. Headlines today serve to confirm, with Russia’s acceptance too, that its plane was recently taken down by terrorists, killing about twice as many people as died in Paris on Friday. Days ago the British media ran some scare stories about a French person in a British airport (a lot of misreporting about that, see our daily links for more), but how about basic technological errors? Remember what happened to a Spanair flight and also the poor judgment of British aviation. More planes crash due to technical malfunction than due to terrorism.

“Microsoft seems to be good at nothing these days, perhaps other than back doors and back room deals.”Based on a new report, France is still running mission-critical systems with Windows, even really ancient versions of it, as ancient as 3.1 (see “Windows 3.1 Is Still Alive, And It Just Killed a French Airport” in [1] below). What are they thinking? This is just nuts! It’s not from The Onion and it’s definitely no satire.

Microsoft seems to be good at nothing these days, perhaps other than back doors and back room deals. Recall Microsoft’s new body cameras partnership with TASER, which we mentioned a few times, then see [2,3] below. Conficker, a Windows virus, is now being preinstalled on body cameras. How many lives will likely be sacrificed as a result of this? Police brutality too needlessly kills a lot of people.

“Haven’t Snowden’s leaks shown enough to convince everyone that genuine security is not the goal at Microsoft but actually somewhat of a foe?”Windows is not suitable for anything that requires security because Windows is simply not designed to be secure. It’s designed for “national security” (meaning back doors and bogus encryption that the state can crack). Proprietary software in general is bad, including firmware [4], based on new reports. Microsoft is now silently modifying its patches after it bricked Outlook, which has back doors. To quote the British media: “Many IT managers and normal folks held off on last week’s patching cycle after one Microsoft fix – KB 3097877 – broke several versions of Outlook. The error came in how the software handled fonts, and resulted in the email client crashing as soon as some emails were scrolled through.”

We have already covered this here the other day, in relation to back doors in Microsoft data encryption. It is unthikable and rather unbelievable that some people still get away with putting Windows in mission-critical systems, even in governments and businesses. Haven’t Snowden’s leaks shown enough to convince everyone that genuine security is not the goal at Microsoft but actually somewhat of a foe?

Related/contextual items from the news:

  1. Windows 3.1 Is Still Alive, And It Just Killed a French Airport

    A computer glitch that brought the Paris airport of Orly to a standstill Saturday has been traced back to the airport’s “prehistoric” operating system. In an article published Wednesday, French satirical weekly Le Canard Enchaîné (which often writes serious stories, such as this one) said the computer failure had affected a system known as DECOR, which is used by air traffic controllers to communicate weather information to pilots. Pilots rely on the system when weather conditions are poor.

    DECOR, which is used in takeoff and landings, runs on Windows 3.1, an operating system that came onto the market in 1992. Hardly state-of-the-art technology. One of the highlights of Windows 3.1 when it came out was the inclusion of Minesweeper — a single-player video game that was responsible for wasting hours of PC owners’ time in the early ’90s.

  2. Police Body Cameras Shipped with Pre-Installed Conficker Virus

    US-based iPower Technologies has discovered that body cameras sold by Martel Electronics come pre-infected with the Conficker worm (Win32/Conficker.B!inf).

  3. Who controls the cop cam?

    At the end of October this year, 14,000 police officials from around the world gathered in a Chicago conference center for the International Association of Chiefs of Police conference. It was equal parts political convention and trade show, with panels on crisis response splitting time with hundreds of small companies selling bomb-disposal robots and guns.

    There were more than a dozen body camera companies on the show floor, but Taser made the biggest splash, constructing a Disney-style amphitheater called the USS Axon Enterprise. The show began with a white-jacketed captain, who announced he had traveled back in time from the year 2055, where lethal force has been eliminated and police are respected and loved by their communities. To explain how to get there, he ran through a history of policing tech. Approaching the present moment, he fell into a kind of disappointed sadness.

  4. Badware in the firmware all over the place

    This is really no surprise: embedded system vendors aren’t good at carrying out quality assurance on their firmware images, and their embedded Web server software is what you’d expect from something written in the last 20 minutes of Friday afternoon.


Microsoft BitLocker Has Bug/Back Doors, Windows Laptop/Desktop Encryption Just a Farce

Posted in Microsoft, Security at 9:58 am by Dr. Roy Schestowitz

It doesn’t even look tough

Unlocked door

Summary: Unlocking the bogus encryption of the proprietary (secret code) BitLocker is surprisingly trivial, as Ian Haken has just revealed and demonstrated at Black Hat Europe

WE previously showed that BitLocker was not designed for security because of government intervention. Microsoft ‘encryption’ and ‘security’ patches are basically intended for an illusion of security — not real security – because Microsoft sits on zero-day flaws with the NSA. In simple terms, Microsoft ensures that the NSA and its affiliates have ways by which to remotely exploit Microsoft-made software and there is nothing that people can do to protect themselves from this, except deletion of Microsoft-made software.

“There is no patch for this and all BitLocker instances to date are affected.”Microsoft encryption continues to be an utter joke if one takes this article seriously. “A researcher” — one who is not from Microsoft — is said to have “disclosed a trivial Windows authentication bypass that puts data on BitLocker-encrypted laptops at risk.” There is no patch for this and all BitLocker instances to date are affected. Remember COFEE? Microsoft basically assumes that all people are criminals and it shows.

For those who think about relying on patches, caution is advised. Microsoft patches are broken again and users are advised not to apply them. This includes last Tuesday’s security patches, which helped reveal Microsoft’s ‘enterprise’ ‘professional’ ‘quality’:

The El Reg inbox has been flooded with reports of a serious cock-up by Microsoft’s patching squad, with one of Tuesday’s fixes causing killer problems for Outlook.

“We are looking into reports from some customers who are experiencing difficulties with Outlook after installing Windows KB 3097877. An immediate review is under way,” a Microsoft spokesperson told us.

The problem is with software in one of the four critical patches issued in yesterday’s Patch Tuesday bundle – MS15-115. This was supposed to fix a flaw in the way Windows handles fonts, but has had some unexpected side effects for some Outlook users.

“Today I’ve deployed latest Outlook patch to all of my clients, and now Outlook is crashing every 10 minutes and then restarting itself. I tried on fresh Win10, no AV with latest patches applied and here we go, Outlook crashing there too,” complained one TechNet user.

“Come on guys, do you EVER do proper QA before releasing anything Office 2013 related? This is the worst version of Outlook ever. Sorry for negative attitude but this is how things are.”

People should remember that Outlook (Webmail) itself has back doors, so for anything that requires a level of privacy (not just legal work and journalism) Windows must be avoided. Microsoft is a foe of privacy and it’s not an accident. Vista 10 takes privacy violations to a whole new level.

“Two security researchers have developed a new technique that essentially bypasses all of the memory protection safeguards in the Windows Vista operating system…”

Dennis Fisher, August 7th, 2008


SourceClear: Yet Another Microsoft-Connected (Coming From Microsoft) FOSS FUD Firm

Posted in Free/Libre Software, FUD, Microsoft, Security, Vista 10 at 6:33 pm by Dr. Roy Schestowitz

SourceClearAnother Black Duck in the making? Security FUD from a firm established by champions of back doors.

Summary: Another company whose business model is monetising (and thus often enhancing) fear, uncertainty and doubt (FUD) over Free/Open Source software (FOSS) and this one too comes from Microsoft

THIS trend has grown rather tiresome. Every now and then we see Microsoft’s tentacles reaching out for areas in FOSS where there is an opportunity to badmouth FOSS. They turn Microsoft’s anti-FOSS rhetoric into their business model. They institutionalise it.

“Another Microsoft guy creates a company that says Free software is not secure and needs some proprietary software ‘medicine’.”Based on a new press release in its various forms/variations [1, 2, 3], we may have yet another OpenLogic or Black Duck in our hands. Another Microsoft guy creates a company that says Free software is not secure and needs some proprietary software ‘medicine’.

SourceClear is not even known (we never heard of it, it seemingly came out of nowhere), it’s a very young firm, and immediately it receives a lot of money and even promotional coverage from the News Corp.-owned Wall Street Journal, which is a Microsoft-friendly publication. The first sentence provides the background one needs to be aware of:

Mark Curphey worked to stamp out software bugs for about a decade as head of the security tools team at Microsoft Corp. and in several other jobs before he realized that the problem was getting worse instead of better.

To quote Gordon B-P: ‘”Worked at MS bugs for a decade” – didn’t do a very good job there then. What makes him think he’ll be able to “secure” OSS?’

Jordan Novet, who is a promoter of Microsoft as we noted the other day, covered this as well, using bug branding such as "Heartbleed", coined by a company which is strongly connected to Microsoft. “It turns out that lots of other [FOSS] libraries have exactly the same issues but have not been reported,” Novet quotes Curphey, whom he describes as “previously a former principal group program manager inside Microsoft’s developer division. [...] SourceClear started in Seattle in 2013…”

“SourceClear started in Seattle in 2013…”
      –Jordan Novet
With OpenLogic, Black Duck, Codenomicon and various other Microsoft-connected (often created by Microsoft people and/or managed by Microsoft people) firms that badmouth FOSS we sure expect SourceClear to be no exception. They serve to distract from the built-in and intentional insecurities of proprietary software such as Windows, including quite famously Vista 10 where back doors are an understatement because everything is recorded and broadcast (total remote surveillance), even without a breach or an access through the back doors.

Microsoft cannot produce secure code because ‘national security’, i.e. many back doors, are a design goal. It helps Microsoft establish a ‘special relationship’ with the state and in fact it just got a contract from a highly notorious company, Taser [1].

Here we are in 2013 onwards — a time when simple bugs in FOSS (a defect affecting one line or two) get all the limelight and receive names, logos etc. whereas Microsoft’s critical zero-day flaws hardly make the headlines. There are many high-impact headlines that make a huge deal of fuss every time a security bug is found in Android (again, just in recent years). We suppose it’s part of a PR campaign in which Microsoft and its partners evidently participate. They are often the ones who come up with the names, logos, and much of the accompanying negative publicity.

Related/contextual items from the news:

  1. Microsoft Helping to Store Police Video From Taser Body Cameras

    Microsoft has joined forces with Taser to combine the Azure cloud platform with law enforcement management tools.


    In order to ensure Taser maintains a monopoly on police body cameras, the corporation acquired contracts with police departments all across the nation for the purchase of body cameras through dubious ties to certain chiefs of police.


Microsoft is Already at ‘Extend’ Phase in E.E.E. Against Free/Libre Software, Security at Jeopardy

Posted in BSD, Free/Libre Software, GNU/Linux, Microsoft, Mono, Patents, Security, Servers, Standard at 7:26 am by Dr. Roy Schestowitz

“What we are trying to do is use our server control to do new protocols and lock out Sun and Oracle specifically”

Bill Gates

Manchester studies

Summary: Microsoft’s war against POSIX/UNIX/Linux APIs culminates with the .NET push and the ‘bastardisation’ of OpenSSH, a Swiss army knife in BSD/UNIX and GNU/Linux secure channels

MICROSOFT will not rest until it regains its once dominant position in computing. It’s not just because of pressure from shareholders but also because of clevery-marketed sociopaths, such as Bill Gates, who are back at the helm and are very thirsty for power.

Microsoft is now pushing .NET into GNU/Linux, having failed to do so with Mono and Xamarin because regular people (end users) and sometimes developers pushed back. How can Microsoft still convince people to embrace the Microsoft APIs (which are heavily patented and not secure)? Openwashing and propaganda.

Jordan Novet, who writes a lot of pro-Microsoft or marketing pieces for Microsoft (for many months now), is formerly a writer of Gigaom, which had received money from Microsoft to embed Microsoft marketing inside articles (without disclosure, i.e. corrupted journalism). Now he acts as a courier of Microsoft marketing, repeating a delusion which we spent a lot of time debunking here (.NET is NOT “Open Source” [1, 2, 3]). To quote Novet:

Microsoft today announced the beginning of a new bug bounty to pay researchers to find security holes in some of the tech giant’s recently open-sourced web development tools.

“How can Microsoft still convince people to embrace the Microsoft APIs (which are heavily patented and not secure)? Openwashing and propaganda.”When Microsoft alludedwto “Open Source” in relation to .NET it sometimes merely piggybacks the reputation of projects it exploits. See the article “Microsoft’s .NET Team Continues Making Progress On An LLVM Compiler” (not GPL). To quote Phoronix: “Earlier this year Microsoft announced an LLVM-based .NET compiler was entering development, LLILC. Six months later, LLILC continues making progress.

“The .NET team has published a six month retrospective of LLILC. It’s a very lengthy read for those interested in low-level compiler details.”

“Microsoft is still working on implementing support for Windows’ crypto APIs rather than OpenSSL/LibreSSL and to address POSIX compatibility concerns along with other issues.”
      –Michael Larabel, Phoronix
This is a potential example of the infamous “embrace, extend, extinguish” approach. As we have shown here before, platform discrimination remains and it is even being extended to existing Free software projects, such as OpenSSH, as we explained yesterday (expect Windows-only ‘features’ and antifeatures). Microsoft APIs are already being phased in — the “extend” phase in E.E.E. (embrace, extend, extinguish). We warned about this months ago [1, 2] and we are now proven right. Even Michael Larabel noticed this and wrote: “Microsoft is still working on implementing support for Windows’ crypto APIs rather than OpenSSL/LibreSSL and to address POSIX compatibility concerns along with other issues.”

So now we have Windows- and Microsoft-specific code right there inside OpenSSH, in spite of Microsoft support of back doors for the NSA et al. Does this inspire much confidence? Repelling Microsoft isn’t about intolerance but about self defence.

“I once preached peaceful coexistence with Windows. You may laugh at my expense — I deserve it.”

Be’s CEO Jean-Louis Gassée


Microsoft’s Insecure-by-Design (Sometimes With Back Doors) ‘Contributions’ to OpenSSH

Posted in BSD, Microsoft, Security, Windows at 7:15 am by Dr. Roy Schestowitz

Making a mockery out of the spirit of OpenBSD, having given money to OpenBSD

Manchester church
Vulnerability (need for money) found in the Church of BSD

Summary: Microsoft is seemingly disrupting the high standards of the OpenSSH project (and by extension OpenBSD and Free/libre software), as its focus on security is ludicrous at best

LAST week, in our daily links, over a dozen links were included about a new revelations of flaws in a hugely popular encryption method. A paper presented by award-winning academics demonstrated a serious weakness. OpenSSH was among the alleged targets, potentially allowing spies to infiltrate, intercept and decrypt communications/data relayed over SSH. The philosophy and principles (UNIX) of OpenSSH had kept it strong for a very long time.

“Knowing the role that social engineering plays in weakening encryption, the last thing one needs right now is PRISM pioneer (first company) and a back doors proponent like Microsoft inside the OpenSSH community.”Those who keep abreast of privacy news (including NSA leaks) will know that there is an aggressive effort to crack SSH. Some ciphers were recently phased out or deprecated as a result. Knowing the role that social engineering plays in weakening encryption, the last thing one needs right now is PRISM pioneer (first company) and a back doors proponent like Microsoft inside the OpenSSH community. As we pointed out earlier this year, OpenSSH is being subjected to E.E.E. (embrace, extend, extinguish) treatment from Microsoft [1, 2] because money talks. Microsoft has a lot of money (despite losses in the billions) and OpenBSD is underfunded, hence desperate for money.

Secure channels and Microsoft Windows are incompatible concepts. It cannot be done because Windows itself has back doors, allowing penetration at root (Administrator) level. Microsoft is now pushing its back-doored, insecure-by-design APIs into the SSH project and also puts people’s keys on boxes with such inherent insecurities. How terrible a recipe is that? Is OpenBSD willing to compromise its credibility and reputation just because Microsoft gave it a ‘generous’ payment (some would call it a bribe)?

According to this update from Microsoft, they now intend to:

Leverage Windows crypto api’s instead of OpenSSL/LibreSSL and run as Windows Service…

People in the comments (not deleted, at least not yet) rightly post complaints. One said: “I don’t think I like that your replacing an open source SSL with a closed source Windows crypto api.”

Another commenter said: “Do I see a trap here?! If the Windows port uses the closed source crypto api is the whole OpenSource OpenSSH-idea then still intact?”

“Microsoft takes something that’s not its own and then ‘bastardises’ it, making it an inferior ‘Windows thing’ which spreads only because of the network effect or illegal bundling.”iophk told us: “How much key code can they replace with dodgy homebrew and still be allowed to use the same name? Without the crypto, it is not the same software and merely a derivative.”

Well, that’s just how E.E.E. has historically worked. Microsoft takes something that’s not its own and then ‘bastardises’ it, making it an inferior ‘Windows thing’ which spreads only because of the network effect or illegal bundling.

iophk has also pointed out to us that Roger A. Grimes, who works for Microsoft and IDG (news publisher) at the same time (clearly a conflict of interests), presents a false dichotomy, “freedom or security” (right there in the headline). Computer security is never the goal at Microsoft; they want back doors for so-called ‘national security’ (i.e. state power with remote access to citizens’ PCs).

“The first rule of zero-days is no one talks about zero-days,” reads this new headline (remember that Microsoft wilfully enables NSA access through zero-days).

“If Microsoft cannot honour Free software and respect the APIs of OpenBSD, OpenSSH, OpenSSL etc. then maybe it’s time to tell Microsoft to take back its ‘bribe’ money and go away, leaving OpenSSH alone (and secure).”Microsoft’s E.E.E. tactics are becoming a big threat not just to GNU/Linux but also to BSD and Free software as a whole. Microsoft now tries to become a GNU/Linux host, despite its known record of scanning every single file (claiming to do so because of child pornography) and colluding with the government for warrantless access to data stored on servers.

The E.E.E. against GNU/Linux is perhaps best demonstrated by this new article about how Microsoft tries to take over Big Data (a lot of data, sometimes incredibly sensitive) on GNU/Linux servers. “Last month Microsoft did something extraordinary,” says the author, “something which demonstrates how completely the company has changed since its third CEO, Satya Nadella, took over.”

Satya Nadella just turned the company into more of a surveillance company, as Vista 10 serves to remind us. He continues to attack GNU/Linux in many ways (including patent extortion) while saying that Microsoft "loves Linux' (a lie as big as a lie can get).

If Microsoft cannot honour Free software and respect the APIs of OpenBSD, OpenSSH, OpenSSL etc. then maybe it’s time to tell Microsoft to take back its ‘bribe’ money and go away, leaving OpenSSH alone (and secure). Almost every distribution of GNU/Linux comes with OpenSSH. Microsoft is a wolf in sheep’s clothing and it has no room inside FOSS until it quits attacking FOSS and collaborating with abusive espionage agencies like GCHQ and the NSA.

Red Hat Makes an Error by Liaising With Proprietary Software Firm and Source of FUD, Supposedly for ‘Security’

Posted in FUD, Red Hat, Security at 6:25 am by Dr. Roy Schestowitz

Don’t feed black ducks

Feeding ducks
Yours truly feeding the ducks
near home earlier this year (summer)

Summary: Red Hat’s cooperation with Black Duck serves to legitimise a terrible business model, wherein fear of FOSS is being accentuated and proprietary software ‘solutions’ are being offered

YESTERDAY we became aware of Red Hat turning to Microsoft’s friend, Black Duck. It happened with little prior warning and announced with the press release calling it a “[c]ollaboration to help developers, customers and partners build and run trusted, secure applications with Red Hat container technologies” (as if these are inherently less secure than some proprietary software).

What the articles fail to mention is that Black Duck’s former top manager is from Red Hat and he came back to Red Hat after his stint at this FUD firm (see the old press release titled “Black Duck Software CEO Tim Yeaton Rejoins Red Hat to Lead Newly-Formed Infrastructure Group”). Well, the doors basically revolved, twice even. Maybe that’s why Red Hat came to Black Duck, legitimising what is effectively a parasite inside the FOSS world.

“What the articles fail to mention is that Black Duck’s former top manager is from Red Hat and he came back to Red Hat after his stint at this FUD firm…”We have already found some puff pieces about, saying little more than the press release. One of them says that “Red Hat has collaborated with Black Duck Software to establish a secure and trusted model for containerized application delivery by providing verification that application containers are free from known vulnerabilities and include only certified content. This validation is a major step forward in enabling enterprise-ready application containers, and builds upon the strengths of each company – Red Hat’s position in container technologies and solutions, including its platform and certification strategy, and Black Duck’s position as the provider of comprehensive identification and earliest notification technologies of open source vulnerabilities.”

In its marketing, Black Duck would have us believe that FOSS is terrible at security, even though proprietary software has back doors ‘baked in’ intentionally. NSA et al don’t ‘break into’ Windows any more than Microsoft does; they’re allowed access, by design, intent, and agenda. Days ago we showed how marketers from Black Duck had claimed that it can cost $25,000 to fix a bug in FOSS.

As of early this morning, this new relationship received press coverage from Serdar Yegulalp (writing for IDG), Sean Michael Kerner for QuinStreet and Steven J. Vaughan-Nichols for CBS. The way Vaughan-Nichols put it, “Red Hat and Black Duck want to make sure that when you run a container, it’s really the container you want to run and not a rogue package.”

“In many ways, Black Duck is successful as a marketing company, much like polygraph merchants (among other popular scams like homeopathy).”It sounds good on the surface, but is a proprietary dependence healthy in the long term? Based on Vaughan-Nichols, this isn’t a short-term engagement. “In the long run,” he explains (writing from Red Hat’s town), “the companies plan to include Black Duck technologies as a component of Red Hat’s container certification.”

There are some lazy publications that ended up throwing the self-promotional promotional press release around. The Indian English-speaking press sort of rewrote the press release to make it look more original. Where are the sceptics? Where is the genuine reporting? All we see are puff pieces that relay claims made in a press release.

In many ways, Black Duck is successful as a marketing company, much like polygraph merchants (among other popular scams like homeopathy).


The Insecurity of Windows Made Ever More Apparent as Even Microsoft Infects Its Own Operating System

Posted in Microsoft, Security, Windows at 9:27 am by Dr. Roy Schestowitz

Windows doesn’t have bugs, it is a bug (mass bugging without a warrant)

Lady bug
Personal Computer (PC)? Microsoft software acts more like an impersonal covert listening device.

Summary: Why any remnant of the perception of Windows security is simply misguided and unjustified, as recent stories serve to demonstrate

IT IS WIDELY known by now that Microsoft and the NSA collude or secretly cooperate so as to enable remote access into Windows and other Microsoft software/services, such as Skype. Microsoft appeases its government not just by lobbying but also by habitual snitching that helps preserve (sometimes enhance) power. Some say that this is how (and when) the antitrust case got scuttled and those who pardoned Microsoft moved on to secretive FISC/FISA courts (see the curious judges overlap). When they talk about security they mean “national security” and when they utter the word trust they mean “the government [or a corporation] trusting computer users.” It’s all in reverse. Back doors are “security” and “trust” is distrust. Windows is a digital surveillance apparatus on computers with cameras, microphone, etc. (no need for anything sophisticated and expensive like laser microphones).

“Windows is a digital surveillance apparatus on computers with cameras, microphone, etc. (no need for anything sophisticated and expensive like laser microphones).”Malvertising, or Windows malware for financial gain [1], made it into the news earlier this week. “Microsoft Infects Windows Computers With Malvertising” [2] was the headline from FOSS Force and it turned out that Outlook, which sports back doors, remains defective without remedy even on UNIX platforms [3]. The problem isn’t just Windows but Microsoft’s proprietary software as a whole. Who does this whole chaos serve if not an imperial espionage operations? Some are rushing to spin this and they are blaming computers as a whole [4], but obviously there is something to be said about Microsoft making its software deliberately NOT secure. Even file formats are still acting as back door enablers [5] (“In 2015, your Windows PC can be owned by opening a spreadsheet”). We already know, based on many news reports, about FBI (or equivalents) sending malicious files to surveillance targets who foolishly use Windows.

Come on, let’s not pretend that Windows can even be made secure. The objective of the operating system is not security. “Our products just aren’t engineered for security,” a Windows manager once stated publicly. That was before the NSA leaks and after Microsoft and the NSA had reportedly colluded to put back doors inside Windows (1999).

Related/contextual items from the news:

  1. Daily Mail readers should be worried about the Angler exploit kit

    MY, HASN’T THE ANGLER EXPLOIT GROWN? The overseas malware security threat has been caught flashing its side boob at the Daily Mail and affecting UK citizens with a foreign security threat.


    “Malvertising has been one of the main infection vectors and continues to affect large publishers and ad networks through very distinct campaigns, very much like a whack-a-mole game,” Malwarebytes said.

    “In addition to spreading via compromised websites, Angler leverages malvertising thanks to several different threat actors who use clever ways to go undetected as long as possible or are able to quickly adapt and get back on their feet if one of their schemes gets too much attention and is disrupted.”

  2. Microsoft Infects Windows Computers With Malvertising

    I thought about ignoring this one and letting it slide, but it’s too priceless, too typically Microsoft, not to pass on. It seems that Redmond has been inadvertently infecting Windows computers with ransomware through its MSN website. Not to worry, however. The company is happy to hand you a tool to remove the malware, which is akin to locking the door after the horse is gone, as your files will by then be locked up tighter than a waterproof safe.

    The news came yesterday, via ZDNet, that Microsoft has “upgraded its malicious software removal tool to tackle TeslaCrypt, or Tescrypt as it calls it.”

    TeslaCrypt, a ransomware trojan, became big news early this year when it was found to be targeting computers with a variety of computer games installed. The malware evidently looks for file extensions associated with 40 or so games and encrypts them. The list of games infected includes such popular titles as Call of Duty, World of Warcraft, Minecraft and World of Tanks. From there, the scenario is all too familiar. To unencrypt, users must pay up — the going price is the equivalent of $500 in Bitcoins — to receive the decrypt key.

    While media mainly focused on the gaming aspect of TeslaCrypt, lulling non-gaming Windows users in to a false sense of security, it appears that the trojan also targets financial and tax software.

    Ho hum. Life as usual in the Windows world, eh?

    Trouble is, Microsoft began to notice a major uptick in detections of TelsaCrypt in late August, with the numbers rising from less than 1,000 detections daily to more than 3,500. This coincided with a report from the security company Malwarebytes, which detailed on August 27 a major ad based malware campaign using major news websites — including MSN.com — as drive-by delivery platforms.

  3. Microsoft update for Outlook 2011 on El Capitan doesn’t fix problems

    APPLE ROLLED OUT the latest official version of its Mac operating system last week, but the update crashes Microsoft Outlook. Microsoft has since rolled out an update designed to fix the problem, but it does not appear to have worked.

    Microsoft released the Office for Mac 2011 14.5.6 update in response to hundreds of complaints that its email software constantly crashes on the latest Mac OS X El Capitan.

    “This update provides the following fixes to improve Mac OS X El Capitan compatibility. The hang situation that occurs during an account sync operation in Microsoft Outlook for Mac 2011 is fixed,” Microsoft claimed.

  4. Cybercrime costs us dearly:study
  5. In 2015, your Windows PC can be owned by opening a spreadsheet

    Microsoft and Adobe have pushed out their scheduled monthly security updates, with familiar names like IE and Flash once again getting critical fixes.

    For Redmond, the October update brings fixes for 33 CVE-listed security vulnerabilities. The updates include a cumulative fix for Internet Explorer and patches to address critical flaws in Windows VBScript/Jscript for Windows Vista/Server 2008 and Windows Shell. Office, the Windows kernel, and Windows Edge also received fixes.


The Microsoft Botnet Goes Bonkers and ATMs Running Windows Spew Out Cash

Posted in GNU/Linux, Security, Vista 10, Vista 7, Windows at 5:06 am by Dr. Roy Schestowitz

“Mission-critical” and “Windows” are not possible to mention in the same sentence

Manchester Airport

Summary: The terrible security (by design) of Microsoft Windows is causing all sorts of very serious and collectively expensive issues

NOW that Rianne and I are back from vacation (Manchester Airport is shown above) we are amused to see even Dan Goodin, a selective basher of Free software, covering this latest blunder from Microsoft (affecting Vista 7). Sosumi dropped this pointer last night in the #techrights IRC channel and since then the word has been spreading rather quickly. Dan Goodin finally writes about the Microsoft Windows botnet (Windows Update, for a change) and Microsoft rushes to do ‘damage control’ by going after journalists. To quote Goodin:

“Microsoft said a highly suspicious Windows update that was delivered to customers around the world was the result of a test that wasn’t correctly implemented.

“We incorrectly published a test update and are in the process of removing it,” a Microsoft spokesperson wrote in an e-mail to Ars. The message included no other information.”

Yeah, whatever. It’s hard to refute something like that, but it may as well be a lie. It would be hard to prove what actually happened unless someone from the inside (like a whistleblower) got contacted. It’s all secretive and proprietary. Here is what the British media (Goodin’s former employer) wrote: “The Register poked Microsoft about the issue, and a spokesman told us: “We incorrectly published a test update and are in the process of removing it.”

“How that sort of thing happens, though, we’re not totally clear on. The bizarre update has certainly confused a load of Windows users, who hit the support forums in search of answers.

“Beginning with Windows 10, Microsoft has begun touting a new strategy of “Windows as a service,” where updates are continuous and automatic, and only enterprise customers are given the option of refusing them.”

When the Microsoft botnet (commandeered by the NSA and not just Microsoft, which grants the NSA access) goes awry we should all be reminded of the importance of software freedom. Windows Update, with automatic invocation in particular, is a truly terrible thing (even in Free software). Not only state-sanction spies but crackers too can exploit it, through back doors for example.

The monopolist knows that people are increasingly worried about all this remote control-like functionality. Microsoft Peter now comments [1] on mass surveillance (even on keystrokes) in Vista 10 after Microsoft admitted that mass surveillance is very much intentional, not a glitch. People inside Microsoft told me that it’s only getting worse (at development stages) and bound to get worse by the next release of Windows.

In other news, proprietary Windows and proprietary RAR now facilitate remote access by secret agencies (see this discussion). To quote Net Security: “A critical vulnerability has been found in the latest version of WinRAR, the popular file archiver and compressor utility for Windows, and can be exploited by remote attackers to compromise a machine on which the software is installed.”

The press hardly covered this. Instead it got obsessed with “XOR DDOS”. Weak passwords are to blame, not GNU/Linux, but all the headlines name “Linux”. There are finally some decent articles about it, not FUD from Microsoft boosters and insecurity firms (looking to sell their services).

Another bit of FUD came from The Inquirer last week (mentioned in our daily links). The Inquirer changed the headline after falsely accusing/blaming Linux, merely because the acronym XFS was mentioned (purely Windows in this case, not related to the Linux file system). Here are some articles about it [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14]. In short, lots of ATMs are being exploited not because of Linux but because they don’t use Linux. This is because of Windows. What kind of company STILL uses Windows in ATMs and banking in general? This is a platform of botnets and back doors, it’s simply unfit for purpose. Guess who pays the price for clueless technologists who put Windows in banks (which can receive bailout from taxpayers)? Just imagine where we would be if airplanes ran Windows…

Related/contextual items from the news:

  1. Microsoft reaffirms privacy commitment, but Windows will keep collecting data

    The second category is personalization data, the things Windows—and especially Cortana—knows regarding what your handwriting looks like, what your voice sounds like, which sports teams you follow, and so on. Nothing is changing here. Microsoft says that users are in control, but our own testing suggests that the situation is murkier. Even when set to use the most private settings, there is unexpected communication between Windows 10 and Microsoft. We continue to advocate settings that are both clearer and stricter in their effect.

« Previous entries Next Page » Next Page »

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channels: Come and chat with us in real time

New to This Site? Here Are Some Introductory Resources




Samba logo

We support

End software patents


GNU project


EFF bloggers

Comcast is Blocktastic? SavetheInternet.com

Recent Posts