
06.03.15

Microsoft Wants to Remove (or Deprecate) PuTTY From Windows and Replace It With Proprietary Microsoft Software

Posted in Free/Libre Software, Microsoft, Security at 10:04 am by Dr. Roy Schestowitz

What would Simon Tatham say?

Simon Tatham

Summary: The most prominent NSA partner wants to ‘contribute’ to OpenSSH, one of the thorns in the side of spies all around the world

MICROSOFT has just made this bizarre “Looking Forward” announcement, with no timetable. It’s about OpenSSH.

“I haven’t read the page or even tried to load the link,” a reader told us, “but the URL if legit says a lot of bad if they are now targeting and may corrupt that community. Connecting to or from a Windows machine defeats the purpose of the program.”

PowerShell was recently mentioned in the context of Microsoft's attempt to openwash it, trying to get UNIX/Linux people addicted to it. PowerShell is proprietary software and it uses Microsoft APIs, conventions, etc. No security-conscious person (especially a computer professional) should ever use it.

A very misleading headline from IDG says that making proprietary software devour OpenSSH is “love”. IDG extended this nonsense to several sites which it owns, and many people read it there first because of this spamming/repetition/googlebombing [1, 2]. There was later (due to lesser visibility, no spamming) some additional coverage from ZDNet‘s Linux-oriented journalists and from some Linux-oriented sites like Softpedia‘s Linux section and Phoronix, which wrote: “In the Windows world it has been traditional to use a program such as PuTTY to remotely manage Unix boxes from Windows clients, but no more.”

“Like porting a hardened steel padlock to a paper bag.”
      –iophk
Well, so it’s more like an unnecessary move then, at the very least because of PuTTY (there are other reasons which we can name another day). What at all is Microsoft contributing here? PuTTY has worked for well over a decade (I first used it around 2001). It was adequately adapted/updated to all versions of Windows as there was market need/demand.

There was a pro-Microsoft slant in Microsoft-supportive sites [1, 2] and in increasingly (over time) Microsoft-leaning sites such as Slashdot (see coverage) or The Register (see coverage). These used to be pro-FOSS, but that was before Microsoft influence, boosters, money etc. got funneled in.

Our reader iophk, quoting Microsoft Peter as saying that “Microsoft is going to work with {sic} and contribute to {sic} OpenSSH, the de facto standard SSH implementation in the Unix world, to bring its SSH client and server to Windows,” criticises this worrisome move. “Like porting a hardened steel padlock to a paper bag,” to use his analogy. So a platform with back doors can compromise a network which the NSA, based on Snowden’s leaks, has not been so successful at penetrating (some improvements have been made since then, like deprecation of old ciphers, not deliberately-compromised ciphers like those which Microsoft uses). We have legitimate reasons to be concerned when the first PRISM company and NSA ally (Microsoft) says it wants to ‘contribute’. Even when a company like Red Hat wants to alter SSH we dread it a bit because of Red Hat’s own relationship with its big client, the Department of Defence, as we have explained before [1, 2, 3, 4]. OpenSSH is a BSD project and the licence too is different, not just the philosophy (OpenBSD is exceptionally strict).

05.31.15

McAfee Associates Free Software and Anonymity With Crime

Posted in Free/Libre Software, FUD, Security at 3:23 pm by Dr. Roy Schestowitz

Summary: Insecurity firm McAfee, whose record on Free software is appalling (it is Windows-centric for its business), continues years of tradition by slinging mud at Tor

TECHRIGHTS regards and has for many years considered McAfee to be a leading source of FUD against Free software. To give a very recent example, McAfee is connected to the "VENOM" hype (former management), just like Microsoft.

The latest McAfee FUD targets Tor [1-4]. It’s FUD which associates Tor with crime. Framing Tor as a crime tool is like framing kitchen knives as weapons for murder, but this kind of characterisation sure fits the current war against Tor (anonymity). The attack on encryption is also on the rise and much of the British media is now spreading propaganda that associates encryption with terrorism. A recent movie that I watched, The Imitation Game, shrewdly associates encryption with the Nazis.

Related/contextual items from the news:

  1. ‘Tox’ Offers Ransomware As A Service

    The ransomware is free to use but the site retains 20 percent of any ransom that is collected, McAfee researcher says.

  2. Almost anyone can make ransomware with this horrifying new program

    We might be entering a whole new era of malware, one where even those who lack any semblance of deep technical expertise will be able to acquire and disseminate viruses and the like on the fly.

  3. Yay for Tor! It’s given us RANSOMWARE-as-a-service
  4. Open Source Malware Lets Anyone Hold Computer Users to Ransom

    A free collection of files has been discovered that aids in the creation of ransomware, the process of encrypting the contents of someone’s computer until they pay to have it unlocked. Set your price and away you go.

05.30.15

The Lessons of Stuxnet: Never Use Microsoft Windows

Posted in Microsoft, Security, Windows at 4:26 pm by Dr. Roy Schestowitz

The NSA is playing with nukes

Missiles

Summary: Windows is sufficiently ‘NSA-compatible’ for remote compromise and physical damage (sabotage) to highly sensitive, high-risk equipment

MANY news reports from around Friday [1-13] made it abundantly clear that Stuxnet, an Israel- and US-made virus that targets Microsoft Windows, was deployed not only in Iran (which uses Windows and Microsoft Linux) but also deployed (albeit unsuccessfully) in North Korea.

It is worth noting that Stuxnet was developed not only in the US but also in Israel and much of Microsoft’s software development for ‘security’ is also done in Israel, so it might not detect Stuxnet (by design).

“Imagine the media reaction if some nation’s government tried to install viruses in nuclear facilities in the US…”

News from North Korea should remind any nation with military facilities (that’s about every nation on Earth) to dodge Microsoft Windows. Turkey, for instance, reportedly moved its army to GNU/Linux, and several other nations are making similar moves for security reasons. In order to explain North Korea’s resistance to the infection, some corporate media likes to highlight “near-complete isolation” (see below) rather than reliance on GNU/Linux. The ToryGraph (see below) calls Stuxnet a “computer virus” even though it is uniquely a Microsoft Windows virus. Imagine the media reaction if some nation’s government tried to install viruses in nuclear facilities in the US…

This is by no means a defence of North Korea; it’s just that the story makes it abundantly clear that, Microsoft’s special relationship with the NSA aside, Windows is a target. Even Western governments target it. The NSA habitually said that it worried about attacks on the electric grid while, hypocritically enough, it is attacking nuclear facilities in other countries, never mind the risk of “blowback” or the “fallout” (pun intended) such aggressive actions may consequently bring. The Pentagon would label this an “act of [cyber] war”.

Related/contextual items from the news:

  1. NSA eggheads tried to bork Nork nukes with Stuxnet. It failed – report

    The NSA tried to wreck North Korea’s nuclear weapons lab using the centrifuge-knackering malware Stuxnet, and ultimately failed, multiple intelligence sources claim.

  2. Pyongyang 1, NSA 0: U.S. Tried and Failed to Hack North Korea’s Nuclear Infrastructure

    By almost completely shutting itself off from the rest of the world, the North Korean government has denied its people and society access to the fruits of the digital communications revolution. It has also reportedly helped stymie a U.S. cyberattack on the country’s nuclear infrastructure modeled on the so-called Stuxnet virus the United States and Israel used against Iranian centrifuges.

  3. The NSA reportedly tried — but failed — to use a Stuxnet variant against North Korea

    Right around the time that the Stuxnet attack so famously sabotaged Iran’s nuclear program in 2009 and 2010, the U.S. National Security Agency reportedly was trying something similar against North Korea.

    The NSA-led U.S. effort used a version of the Stuxnet virus designed to be activated by Korean-language computer settings, but it ultimately failed to sabotage North Korea’s nuclear weapons program, according to a Friday Reuters report, which attributed the information to people familiar with the campaign.

  4. NSA tried Stuxnet cyber-attack on North Korea five years ago but failed

    The US tried to deploy a version of the Stuxnet computer virus to attack North Korea’s nuclear weapons programme five years ago but ultimately failed, according to people familiar with the covert campaign.

  5. Report: US tried Stuxnet variant on N. Korean nuke program, failed
  6. US tried to bring down North Korean missile programme with computer virus
  7. Report: U.S. failed to sabotage North Korean nuclear program with Stuxnet-twin
  8. Report: US cyberattack on North Korea was ineffective
  9. Why Did a US Cyber Attack on North Korea Fail?
  10. US Tried, Failed To Sabotage North Korea Nuclear Weapons Program With Stuxnet-Style Cyber Attack
  11. US Reportedly Launched Stuxnet Attack Against North Korea
  12. US Failed at Planting Stuxnet-Style Computer Bug in N. Korea Nuke Program
  13. US reportedly tried to destroy North Korea’s nuclear program with a Stuxnet-type virus

05.27.15

Yet Another Major Security Deficiency in UEFI

Posted in Microsoft, Security at 6:03 am by Dr. Roy Schestowitz

Another reason to reject UEFI: system compromise before boot sequence starts (e.g. GNU/Linux)

UEFI

Summary: UEFI is inherently insecure, more so than the alternatives which it strives to replace, including Free/libre ones

INTEL’S UEFI has been marketed as ‘security’ because of “Restricted Boot”, which basically gives a bunch of companies like Microsoft control over one’s computer. Microsoft works closely with the NSA and the NSA already spoke about compromise at boot time. UEFI enables remote bricking of PCs — a subject that we covered here before, e.g. in:

There is a post titled “UEFI backdoor allows root exploit in Linux” to which UEFI apologist and developer Matthew Garrett responded not exactly with a refutation, only the insistence that it is not the “backdoor you are looking for”. To quote: “And that’s what Dmytro has done – he’s written code that sits in that hidden area of RAM and can be triggered to modify the state of the running OS. But he’s modified his own firmware in order to do that, which isn’t something that’s possible without finding an existing vulnerability in either the OS or (or more recently, and) the firmware. It’s an excellent demonstration that what we knew to be theoretically possible is practically possible, but it’s not evidence of such a backdoor being widely deployed.”

Maybe not yet. We’re talking about and dealing with imperialistic espionage agencies that go as far as putting back doors in the firmware of just about every hard drive.

We really need to stop referring to UEFI as a security enhancement. This is far from the first time security issues are found in UEFI, which is complicated, proprietary, patents-encumbered and relatively immature.

Computers with UEFI should be appropriately labeled (warning labels), just like foods with genetically-modified ingredients or packets of cigarettes.

05.18.15

Microsoft’s ‘Former’ Staff Continues With His Anti-Google Rhetoric at CBS

Posted in Deception, Google, Microsoft, Security at 7:16 am by Dr. Roy Schestowitz

Zack Whittaker
From Twitpic

Summary: A Microsoft intern, who has moved on to journalism, is still showing his affinity for Microsoft with apologetics and spin

Zack Whittaker, formerly Microsoft staff in the UK who is now writing for ZDNet (a CBS-owned technology tabloid), keeps attacking Microsoft's rivals. It’s a habitual thing.

The other day he tossed some FUD at Android (yet again) and repeated Microsoft’s classic talking points (which its boosters had all uniformly spread several months ago). “This year alone,” he wrote, “Google disclosed two security flaws in Microsoft’s software, leaving the software giant fuming. The security team gave Microsoft three months to fix the flaw, or face public shaming.” The article is titled “Google has an Android security problem” and it’s trying to portray Google — not Microsoft — as the problem.

Microsoft was trying to blame Google, so here again we have Whittaker defending Microsoft (his former employer) and shaming Google for revealing how Microsoft exposed users. It’s not hard to find Microsoft bias in sites like ZDNet. All one has to check is where CBS is hiring from. This is a widespread problem as many people from Microsoft (some still working for Microsoft) are writers at ZDNet.

05.14.15

“VENOM” FUD Attack — Like “Heartbleed” FUD Attack — Linked to Microsoft

Posted in Microsoft, Security at 7:48 pm by Dr. Roy Schestowitz

VENOM™ and Heartbleed™ do have something in common

Mike Convertino
From Microsoft management to CrowdStrike™ management

Summary: Why CrowdStrike™ is motivated to smear Free software and establish a stigma of insecurity in Free software-based virtual machines/’clouds’

The word/brand “Heartbleed” was made up by a Microsoft-connected firm — a firm that is headed by Microsoft’s former security chief. It basically took credit for a 2-year-old flaw that a Google engineer had found, publishing (along with a logo and a catchy brand name) dangerous details well before a patch could be made available and widely deployed/applied, i.e. it was an irresponsible disclosure.

CrowdStrike™ 'pulled a "Heartbleed"' in the sense that it followed some similar patterns (reminiscent of the above). XFaCE, a regular from our IRC channels, diverted our attention to the press release “CrowdStrike™ Appoints Amol Kulkarni as Vice President Engineering”, dated Dec 9, 2014 (less than half a year ago).

“Former Microsoft Bing Engineering Leader [leaving a dead/dying effort] joins Executive Team at CrowdStrike,” says the press release.

“Why is it that we so often find out-of-proportion scare (or FUD) against Free software linked to Microsoft and its ‘former’ staff or close partners?”

A more important find, however, is the background of Mike Convertino from the company’s leadership team. The introduction is very telling; rather than hiding his background, it notes: “Prior to his work at CrowdStrike, Convertino was the Senior Director of Network Security at Microsoft where he was responsible for protecting all of the company’s networks from intrusion and exploitation.”

So the apple doesn’t fall too far from the tree.

“They also use Microsoft Office extensively, given their job ads,” XFaCE added.

“Adam Meyers, “VP of Intelligence” at CrowdStrike™, used to work for SRA International,” XFaCE says. According to Wikipedia, “SRA provides information technology services to clients in national security, civil government, and health care and public health. Its largest market, national security, includes the Department of Defense, Homeland Security, US Army, US Air Force, and intelligence agencies.”

“Microsoft is a partner,” says XFaCE. George Kurtz, the CEO and co-founder of CrowdStrike, comes from McAfee, a common and frequent source of anti-Linux and anti-Android FUD. The famed Scottish-American founder of McAfee is now a fugitive.

Why is it that we so often find out-of-proportion scare (or FUD) against Free software linked to Microsoft and its ‘former’ staff or close partners?

New Windows Ransomware: No Branding, Not Even a Mention of Windows

Posted in Microsoft, Security at 11:15 am by Dr. Roy Schestowitz

Summary: New example of media bias which completely omits Windows and spares Microsoft as that may lead to bad publicity

The VENOM® hype campaign is still occupying headlines, serving to distract from Microsoft’s ~50 vulnerabilities which were disclosed on Tuesday and hardly received any media attention.

We recently complained that the ToryGraph advertised Microsoft and deleted Netscape from history, thereby hiding Microsoft's criminal shame.

A reader has just told us that the ToryGraph fails to call out Windows when there is negative news. There is Windows ransomware again, but Windows is not even named. There is no brand, no name, no logo, etc.

Microsoft Windows does not need to be infected to demand ransom, Microsoft does the job itself and has done exactly that (demanded ransom) since the first of the Vista series (before 7, 8, and 10). Microsoft no longer thinks it can convince people to pay for Windows, so this strategy is seemingly being dropped.

VENOM® is Not a Serious Bug, It’s Just a Marketing Campaign From CrowdStrike

Posted in Security at 10:47 am by Dr. Roy Schestowitz

Bugs
Image courtesy of Red Hat, demonstrating lack of correlation between severity and logos/brands

Summary: Many journalists bamboozled into becoming couriers of CrowdStrike, an insecurity firm which tries to market itself using a name and logo for a very old bug

THERE is a disproportionate level of coverage not of Free software but of bugs in Free software. We last wrote about it only days ago.

A firm called CrowdStrike (who? Exactly!) is trying to emulate the ‘success’ of previous FUD campaigns. Now is the time to check who’s a real journalist (fact-checking) and who’s just serving PR campaigns like “VENOM”, a shameless FUD campaign from CrowdStrike.

The whole “VENOM” nonsense was covered in a good article titled “VENOM hype and pre-planned marketing campaign panned by experts”. To quote: “On Wednesday, CrowdStrike released details on CVE-2015-3456, also known as Venom. Venom is a vulnerability in the floppy drive emulation code used by many virtualization platforms.

“However, while it’s possible that a large number of systems are impacted by this flaw, it isn’t something that can be passively exploited.

“Several security experts discussed the flaw online, focusing on the marketing and the media attention that it generated – including some over-hyped headlines. Most media organizations were briefed ahead of time about the discovery and gagged by embargo until the Venom website launched, so they had plenty of time to write.

“Many media articles compared Venom to Heartbleed, which is an apples to oranges comparison. If anything, the only commonality is the fact that both flaws had a pre-planned marketing campaign.”

Here comes the “Heartbleed” brand. Yet again. They’re using names that are scary (even all caps, like “GHOST”) because it’s so much easier to sell than “CVE-2015-3456”. Journalists rarely have the technical knowledge to analyse a bug or a flaw, so they assume brands and logos are indicative of severity.

This patch Tuesday Microsoft revealed 40+ vulnerabilities. Not a single one had a brand name, logo, etc. Here is how IDG covered 46 flaws publicly disclosed by Microsoft just for this Tuesday (Microsoft hides even more flaws). So many flaws were collectively covered in one article and yet there are no logos; none has any branding.

“VENOM” has become the latest example of what we call bugs with branding. This has got to stop because it corrupts journalism and makes the field of computer security almost synonymous with marketing or advertising. CrowdStrike used ALL CAPS (for emphasis rather than acronym) and connotation with poison to market itself, an insecurity firm, after finding a floppy drive bug from over a decade ago. There is a logo too (the first example we found of it), not just branding for this bug, dubbed “VENOM”.

Bug branding (turning a number into branding-friendly FUD) seems to have adopted the ALL CAPS convention from “GHOST”, only for extra scare. This FUD has surfaced even in Linux-centric sites, which played along with the marketing campaign. Red Hat [1] and SJVN [2], even Phoronix [3] and Softpedia [4], have covered it by now, despite no focus on security news there.

Branding for bugs leads to stupid headlines that are more poetic than factual and are very light on facts. There is little substance there. This whole recipe (bug+brand name+logo=lots of publicity without much merit) has been repeatedly exploited to give a bad name to FOSS security. A lot of headlines try to connect this to the “Heartbleed” brand. Headlines that we have found so far (links below) include “New Venom bug hits data centers, but it’s hardly Heartbleed”, “Venom bug could allow hackers to take over cloud servers – and experts say it could be worse than Heartbleed”, “New Venom flaw may be worse than Heartbleed, researchers warn”, and “Venom vulnerability more dangerous than Heartbleed, targets most virtual machines”.

Zack Whittaker (former Microsoft staff) covered it like this in the CBS-owned tech tabloid, ZDNet: “Bigger than Heartbleed, ‘Venom’ security vulnerability threatens most datacenters”

Here is that “Heartbleed” brand again. “Please Stop Comparing Every Security Flaw to Heartbleed,” said one good headline from Gizmodo (that’s just how they covered this marketing campaign).

The word/brand “Heartbleed” was made up by a Microsoft-connected firm. Watch coverage from Microsoft-friendly sites and you will find headlines like: “Heartbleed, eat your heart out: VENOM vuln poisons countless VMs”

Dan Goodin, a foe of FOSS (from a security angle), brings in the NSA and Bitcoin to add FUD amid this branded bug/buzz. He wrote about the latest branded bug not once but twice (see links below). He is squeezing the most FOSS FUD out of it (opportunism). Kim Komando chose the headline “New bug taking over the Internet”. No sensationalism here? One press release said “Better Business Bureau Says Most Don’t Need to Worry” [about the branded bug], so there is some objectivity out there too, or an effort to calm people down.

Watch carefully how the bug is marketed in the media: Logo with SVG-like transparency; for a bug! Looks like it was prepared by graphics/marketing professionals. Are insecurity firms now liaising with marketing firms to professionally draw SVG logos for bugs? More logos for simple bugs (we found several, but one main logo) are circulating, usually with photos of snakes. See the complete list [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36] as of this morning. How much more of this FUD is going to circulate before journalists realise that they make a mountain out of a molehill?

Related/contextual items from the news:

  1. VENOM, don’t get bitten.

    CVE-2015-3456 (aka VENOM) is a security flaw in QEMU’s Floppy Disk Controller (FDC) emulation. It can be exploited by a malicious guest user with access to the FDC I/O ports by issuing specially crafted FDC commands to the controller. It can result in guest-controlled execution of arbitrary code in, and with the privileges of, the corresponding QEMU process on the host. Worst case scenario, this can be a guest-to-host exit with root privileges.

  2. For Venom security flaw, the fix is in: Patch your VM today

    The QEMU fix itself is now available in source code. Red Hat has been working on the fix since last week.

  3. VENOM Bug In QEMU Escapes VM Security
  4. 11-Year-Old Bug in Virtual Floppy Drive Code Allows Escape from Virtual Machines

    Popular virtualization platforms relying on the virtual Floppy Disk Controller code from QEMU (Quick Emulator) are susceptible to a vulnerability that allows executing code outside the guest machine.
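As an added example (not part of this post, and not Red Hat’s, QEMU’s or CrowdStrike’s code), here is the sort of check an administrator actually needs for the item quoted above, logo or no logo: does the installed QEMU package’s changelog mention CVE-2015-3456, and which guests are still running a QEMU process that was started before the patched package was installed, since a patched package only protects a guest once that guest’s process has been restarted. The changelog text, the `ps` lines, the package version string and the install time below are constructed samples; on a real host they would come from `rpm -q --changelog qemu-kvm`, `ps -o lstart,pid,args -C qemu-kvm` and `rpm -q --qf '%{INSTALLTIME}\n' qemu-kvm`.

```python
"""Added example, not from the original post: check a host for the QEMU FDC
fix (CVE-2015-3456) and list guests still running pre-fix code."""
import re
from datetime import datetime
from typing import List, Optional

CVE_ID = "CVE-2015-3456"  # the QEMU floppy-controller bug marketed as "VENOM"

# Constructed sample resembling `rpm -q --changelog qemu-kvm` output
# (the packager, e-mail and version string are made up for this example).
SAMPLE_CHANGELOG = """\
* Wed May 13 2015 Example Packager <packager@example.invalid> - 1.5.3-86.el7_1.2
- fdc: keep the FIFO index within the allocated buffer (CVE-2015-3456)

* Mon Mar 02 2015 Example Packager <packager@example.invalid> - 1.5.3-86.el7_1.1
- rebuild for an unrelated erratum
"""

# Constructed sample resembling `ps -o lstart,pid,args -C qemu-kvm` output.
SAMPLE_PS = """\
                 STARTED   PID COMMAND
Tue May 12 08:03:11 2015  2143 /usr/libexec/qemu-kvm -name guest-old -m 2048
Thu May 14 11:20:45 2015  5120 /usr/libexec/qemu-kvm -name guest-new -m 1024
"""

# Constructed install time of the patched package; on a real host use
# datetime.fromtimestamp(int(<output of rpm -q --qf '%{INSTALLTIME}' qemu-kvm>)).
SAMPLE_INSTALL_TIME = datetime(2015, 5, 14, 10, 0, 0)

# One changelog entry header: "* <weekday> <month> <day> <year> <packager> - <version>"
_HEADER_RE = re.compile(r"^\* \w{3} \w{3} \d{1,2} \d{4} .*? - (\S+)\s*$", re.M)

# One ps line: 24-char ctime-style start time, pid, then the command line.
_PS_LINE_RE = re.compile(
    r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})\s+(\d+)\s+(.*)$"
)


def changelog_mentions_cve(changelog: str, cve: str = CVE_ID) -> Optional[str]:
    """Return the package version of the newest changelog entry naming `cve`,
    or None if no entry does (the installed build then predates the fix)."""
    # re.split with one capture group yields [preamble, ver1, body1, ver2, body2, ...]
    parts = _HEADER_RE.split(changelog)
    for version, body in zip(parts[1::2], parts[2::2]):
        if cve in body:
            return version
    return None


def guests_started_before(ps_output: str, install_time: datetime) -> List[str]:
    """Names of QEMU guests whose process started before `install_time`.
    Those processes still run the old code until the guest is restarted."""
    stale = []
    for line in ps_output.splitlines():
        m = _PS_LINE_RE.match(line.strip())
        if not m:
            continue  # header line or unrelated text
        started = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        name_match = re.search(r"-name (\S+)", m.group(3))
        name = name_match.group(1) if name_match else "pid-" + m.group(2)
        if started < install_time:
            stale.append(name)
    return stale


if __name__ == "__main__":
    fixed_in = changelog_mentions_cve(SAMPLE_CHANGELOG)
    if fixed_in is None:
        print("installed QEMU build does not reference", CVE_ID, "- update the package")
    else:
        print("fix present in package build", fixed_in)
        for guest in guests_started_before(SAMPLE_PS, SAMPLE_INSTALL_TIME):
            print("guest still running pre-fix QEMU, restart it:", guest)
```

The two checks are deliberately separate: a changelog hit tells you the package on disk is fixed, while the process start times tell you whether the fix is actually in memory for each guest, which is the part that gets forgotten after a hurried “patch your VM today”.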
