EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

01.17.14

For Real Security, Use CentOS — Never RHEL — and Run Neither on Amazon’s Servers

Posted in GNU/Linux, Red Hat, Security at 9:27 am by Dr. Roy Schestowitz

Red Hat logo

Summary: Never run Red Hat’s “Enterprise Linux”, which cannot be trusted because of NSA involvement; Amazon, which pays Microsoft for RHEL and works with the CIA, should never be used for hosting

SEVERAL years ago CentOS almost died; now it’s being embraced by Red Hat and one pundit from tech tabloid ZDNet is moving to CentOS Linux on the desktop [1,2].

CentOS is still in the news [3], with the CentOS project leader (Karanbir Singh) giving an interview to the Linux Foundation [4]. We trust CentOS, whereas trusting Red Hat is hard. RHEL is binary and based on news from half a decade ago, the NSA is said to be involved in the building process, as well as SUSE’s, whereas CentOS is built from source (publicly visible). Microsoft and the NSA do the same thing with Windows and it’s now confirmed that Windows has NSA backdoors.

Earlier this month vulnerabilities in RHEL’s openssl and RHEL’s gnupg [5,6], contributed even less to trust. RHEL is so standard in the industry that it would probably be simpler than other distributions to exploit; the NSA may as well have off-the-shelf exploits for all major RHEL releases, which are deployed in many countries’ servers (even so-called ‘rogue’ countries). Based on the NSA leaks, Fedora — not RHEL — is being used by the NSA itself to run its spying operations (e.g. collecting radio signals from afar). Fedora is not truly binary-compatible and its source code makes secrets hard to keep.

Lastly, mind the latest of Red Hat’s Fog Computing hype [7,8], including the CIA’s partner Amazon that’s lumped onto Red Hat [9,10] as part of a conference [11,12]. Avoid Amazon at all costs. It’s a malicious trap for many reasons. Amazon also pays Microsoft for RHEL after a patent deal with Microsoft, as we pointed out years ago. Suffice to say, Microsoft's servers are as bad as Amazon's for privacy.

RHEL and its derivatives continue to be deployed in many large networks of systems [13], so it’s clear why the NSA would drool over the possibility of back doors in RHEL. Watch out for that. Given the way NSA infiltrated standards bodies and other institutions, it’s not impossible that there are even moles at Red Hat or Fedora. There used to be some at Microsoft (we know about those who got caught).

Red Hat’s CEO is now telling his story in a Red Hat site [14] and one needs to remember who he used to work for (close to Boeing, which is primarily an army company), not just the country he is based on (hence the rules that apply to him, especially when he wishes to appeal to government contractors, DoD/Pentagon etc. which are the most lucrative contracts).

It should be noted that my Web sites are mostly running CentOS and the same goes for the host of Techrights, who focuses on security. With CentOS you can get the source code and redistribute; with Red Hat’s RHEL you can’t (it’s sold as binary).

There is definitely a good reason to trust CentOS security more than RHEL security. As for Oracle (“Unbreakable”), well… just read Ellison’s public statements in support of the NSA (never mind the company’s roots and the CIA). That tells a lot.

The bottom line is, blind faith in binary distributions is a bad thing. Blind faith in NSA partners (Red Hat collaborates with the NSA not just in SELinux) is even worse.

Related/contextual items from the news:

  1. Taking the long view: Why I’m moving to CentOS Linux on the desktop
  2. Is CentOS ready for the Linux desktop?

    CentOS is a very interesting and different choice for a desktop distribution. I haven’t heard of many people using it that way. Whenever somebody brings it up it’s usually within the context of running a server.

  3. Fedora and CentOS Updates, Linux for Security, and Top Seven
  4. CentOS Project Leader Karanbir Singh Opens Up on Red Hat Deal

    In the 10 years since the CentOS project was launched there has been no board of directors, or legal team, or commercial backing. The developers who labored to build the community-led version of Red Hat Enterprise Linux (RHEL) worked largely unpaid (though some took a few consulting gigs on the side.) They had a few hundred dollars in their bank account to pay for event t-shirts and that was it. And the project’s direction was decided based on the developers’ immediate needs, not a grand vision of future technology.

  5. Red Hat: 2014:0015-01: openssl: Important Advisory
  6. Red Hat: 2014:0016-01: gnupg: Moderate Advisory
  7. Red Hat Invests in Open Source IaaS, Cloud Talent
  8. Red Hat Academy Expands Training, Includes OpenStack Coursework
  9. Red Hat Launches Test Drives on AWS

    At its annual Partner conference in Scottsdale, Arizona this week Red Hat (RHT) announced new Test Drives on Amazon Web Services (AWS) with three Red Hat partners – CITYTECH, Shadow-Soft, and Vizuri. Through the AWS Test Drive program, users can quickly and easily explore and deploy ready-made solutions built on Red Hat technologies.

  10. Why Red Hat Needs OpenStack … And AWS

    OpenStack, the cloud’s community darling, desperately needs leadership, and Red Hat seems the ideal leader. But OpenStack isn’t the only needy party here. As good as Red Hat’s growth has been over the last decade, it pales in comparison to that of VMware, a later entrant that has grown much faster than Red Hat. And the open source leader still trails well behind Microsoft.

  11. Google, Amazon Clouds Invade Red Hat Partner Conference

    Google Cloud Platform and Amazon Web Services executives are set to address Red Hat Partner Conference attendees on Jan. 13 in Arizona. No doubt, the keynotes will seek to ensure Linux resellers understand how to move customer workloads into the Google and AWS public clouds, respectively.

  12. 7 Surprises At Red Hat Partner Conference 2014
  13. How to deploy OSSEC across a large network of systems from RPMs
  14. Teens and their first job: How to get on the path to a happy career

    I grew up in the 1980s in Columbus, Georgia. You needed a car to get around, so I did not work until I could drive. Within months of getting my driver’s license, I got my first job as a part-time computer programmer for a stockbroker.

01.16.14

Don’t Host GNU/Linux Under Hyper-V or Windows; There Are Back Doors

Posted in GNU/Linux, Microsoft, Security, Servers at 11:29 am by Dr. Roy Schestowitz

Azure

Summary: Reminder that Microsoft’s proprietary hosting environments have got holes in them, facilitating access even to guests (irrespective of the operating system)

ONE THING we know for sure, especially owing to Edward Snowden’s leaks, is that Microsoft and the NSA are two heads of the same hydra (one is privately-owned).

This morning we explained that Windows gets the latest back doors, whereas GNU/Linux gets endorsement from the British government (for internal use), so why would anyone want to make GNU/Linux dependent on (or a guest under) Windows hosts? Putting GNU/Linux on Azure is bad enough, but the same goes for hosting GNU/Linux as a virtual machine under Windows (a Trojan horse for the NSA), especially with Hyper-V (which is proprietary). According to [1], there are now vulnerabilities (read: back doors) in Hyper-V, so even the guests are being compromised (through the host). The same back doors that the NSA puts in Microsoft products (with Microsoft’s help) may turn out to be exploited by non-state actors [2], based on an example Bruce Schneier gave today.

There are other cases where anything from Microsoft should be strongly avoided. Cars are increasingly becoming surveillance devices [3], especially ones with Microsoft inside (instead of Linux inside) and we know this because of Microsoft's connection to Ford and Ford's own position on surveillance.

In short, those who value privacy should avoid everything from Microsoft, including the surveillance device which is Xbox (chat, camera, et cetera) and malware called Skype. When you use something from Microsoft you should assume to be under surveillance. Evidence provided by Edward Snowden should reassure you that you’re not being “paranoid”.

Related/contextual items from the news:

  1. Whodunit: A Hyper-V failure may reveal fabled ‘escape attack’
  2. Cell Phone Tracking by Non-State Actors
  3. 10 security, privacy issues you might not know about your car’s auto-location services

    As cars become more wired to the Internet and other communications services, the threat that your personal information and privacy could be exploited goes up exponentially.

    You can understand the concerns since at least one study from Frost & Sullivan found that the market for telematics services provided by auto manufacturers in North America is expected to increase from 11.8 million subscribers in 2012 to 31.6 million in 2016.

CESG (UK Government): GNU/Linux the Most Secure Operating System; New Backdoors Released for Windows

Posted in GNU/Linux, Microsoft, Security, Windows at 7:55 am by Dr. Roy Schestowitz

Summary: Entity associated with British spies says that for real security it is best to use GNU/Linux

YESTERDAY we posted some links about Ubuntu, including important news about CESG endorsing Ubuntu for security. There are not many reports about it, but there are some [1]. This is particularly important because although it’s unlikely that CESG and GCHQ don’t know about Windows being in bed with the NSA, it does in some way acknowledge GNU/Linux as the operating system of choice.

Just days ago it turned out that Microsoft reported serious flaws again [2] and the last batch of patches for Windows XP might be the last [3]. All that Windows XP will do from now on is phone home [4], potentially with very personal details. The latest patches themselves can contain new, specially-crafted (easy-to-exploit) back doors; nobody knows for sure, but it’s likely. Now is a good time for every nation to move to GNU/Linux, especially in the public sector.

Related/contextual items from the news:

  1. UK Govt report says Ubuntu 12.04 LTS is the most secure OS

    CESG, the Information Security Arm of GCHQ (Govt. of UK), conducted a series of tests in the last few months to review a set of 11 operating systems which currently run on various devices such as desktops, laptops, servers, mobile phones and tablets. The security assessment included the following categories:

  2. Critical Microsoft, Adobe, and Oracle updates: Like dental floss for your PC

    Fed up with productivity-killing patches? Welcome to the club. Now install them.

  3. Microsoft Patches Windows XP for Possibly Last Time
  4. Windows XP Will Still Require Activation After Retirement

    Windows XP will be officially retired on April 8, but even though Microsoft is planning to stop releasing updates and security patches for the operating system, it doesn’t mean that you can use it free of charge.

01.15.14

Mozilla Should Denounce Microsoft Windows, Not Just Proprietary Web Browsers

Posted in GNU/Linux, Google, Microsoft, Security, Windows at 5:54 am by Dr. Roy Schestowitz

Summary: Mozilla raises an important point by alluding to the fact that non-free (proprietary) software should be assumed to have back doors

SECURITY and privacy require freedom and control (by the user) from bottom to top, starting from the bootloader (NSA backdoors in bootloaders are now rumoured [1]). A British blogger in ZDNet, one whom UEFI Forum tried to silence or appease less than a couple of years back (as they did with other UEFI critics), continues to criticise UEFI, the Microsoft (notoriously strong NSA ally) promoted and Intel (as in intelligence) managed back doors-friendly BIOS replacement (UEFI facilitates remote bricking of computers, over the Internet).

Several months ago Tor was compromised through Firefox on Microsoft Windows. Firefox itself did not have back doors, but Windows has plenty of back doors (this month Microsoft already revealed several [2], which the NSA already knows about) and Mozilla’s own platform uses Linux, not Windows.

Yesterday there were quite a few headlines quoting Mozilla’s Brendan Eich, CTO and SVP of Engineering, for his warning about back doors [3-5], which are destroying any notion of information security in proprietary software [6].

With Mozilla diverging away from Windows (Firefox OS brings back memories of Netscape [7]) and signing major deals to bring this Linux-powered operating system to a lot of devices (not just phones [8-12]) we can hope that the whole stack, from bottom to top (hardware, operating system, applications) will be void of back doors. Let’s wish Mozilla good luck. Chrome, which has just had another major release [13,14] is proprietary (never mind the Chromium marketing) and it cannot be seen as a back doors-free substitute to Firefox and Firefox OS (the same goes for Chrome OS). As for Android, recall what company is behind it. There are already reports (in corporate press) about it being remotely hijacked by the FBI. Ubuntu, Tizen, and Sailfish OS (Jolla) might be other decent options, but we don’t know enough about them, at least not yet. WebOS is controlled by a very surveillance-happy company (LG), so we can assume, as the name suggests, that it transmits personal data over the Web/Internet.

Related/contextual items from the news:

  1. NSA’s backdoors are real — but prove nothing about BadBIOS

    Recent revelations about NSA hardware and firmware backdoors gives all the evidence that those who believe BadBIOS Trojans exist need to see. The spying technology has arrived. The only question is if the BadBIOS incident truly happened.

  2. Microsoft Starts 2014 With Four Security Advisories
  3. Mozilla Calls on World to Protect Firefox Browser From the NSA

    Brendan Eich is the chief technology officer of the Mozilla Foundation, the non-profit behind the Firefox web browser. Among many other things, he oversees the Firefox security team — the software engineers who work to steel the browser against online attacks from hackers, phishers, and other miscreants — and that team is about to get bigger. Much, much bigger.

  4. Mozilla: Firefox Has No Government Backdoors

    Andreas Gal, Mozilla’s vice president of mobile and R&D, and Brendan Eich, CTO and SVP of Engineering, have updated Gal’s blog with a long entry about how Firefox users can trust Mozilla when it comes to government backdoors and user privacy.

    In the blog, they point out that due to laws in the U.S. and elsewhere, Web surfers must interact with Internet services knowing full well that even though cloud service companies want to protect user privacy, eventually one day those companies will be required to comply with laws. The government may acquire information that seems to violate privacy and could even force surveillance. Even more, the government can do so while enforcing gag orders on the service, leaving the consumer unaware.

  5. Mozilla CTO Eich: If your browser isn’t open source (ahem, ahem, IE, Chrome, Safari), DON’T TRUST IT

    Mozilla CTO Brendan Eich has cautioned netizens not to blindly trust software vendors, arguing that only open-source software can be assured to be free from government-mandated surveillance code.

    “Every major browser today is distributed by an organization within reach of surveillance laws,” Eich wrote in a joint blog post with Mozilla research and development VP Andreas Gal on Saturday.

    Under those laws, Eich argued, governments could compel software companies to include surveillance code in their products. Worse, the vendors may not be able to admit to the public that such code exists when asked, because of gag orders.

    The Mozilla man argued that open-source software can help alleviate this risk because customers have the opportunity to review its source code and spot any potential backdoors.

  6. RIP, information security, done in by backdoors and secret deals

    It seems that the very tools we use to secure our networks represent the greatest insider threat of all

  7. Firefox OS: The Return of Microsoft’s Netscape Fears

    Back in the days before the release of Windows 95, just as the public was discovering the Internet as an alternative to private networks such as Prodigy and CompuServe, Netscape was the bomb. In those days, Microsoft didn’t supply any method for surfing the Internet, so people visited their local Egghead store, or other software outlets, to buy a shrink wrapped version of Netscape on floppy disks, which opened up a whole new world to computer users.

  8. Linux-based Platform Coming to Low-cost Smartphones, Tablets, Smart TVs
  9. Firefox Developers Continue Tuning ASM.js Performance

    ASM.js is the subset of JavaScript that is aimed for performance, easy to optimize, and is suitable for EmScripten to target in its converting of C/C++ code through LLVM and into this optimized JavaScript. EmScripten itself has been an incredibly interesting project.

  10. Mozilla Reveals Plans to Take Firefox OS and HTML 5 to New Devices
  11. Mozilla Expands Its Firefox OS Partners, Platforms
  12. Firefox OS Tablets, TVs and More to Arrive This Year
  13. Google Releases Chrome 32 Web Browser for Windows, Mac, Linux
  14. Chrome 32 Has New Tab Indicators, Better Performance

    Google Chrome 32 features new tab indicators for sound / webcam / casting, automatic blocking of known malware files, a number of new apps and extension APIs, and numerous “under the hood” changes that promise to provide better stability and performance.

01.10.14

In Proprietary Software, Back Doors Should be Assumed by Default

Posted in GNU/Linux, OpenSUSE, Security, Ubuntu at 5:01 am by Dr. Roy Schestowitz

Summary: GNU/Linux hypocrites and their addiction to proprietary software like vBulletin leads to password leakages

Ubuntu and SUSE are too rather dumb projects (in their management) because they let Microsoft spy on their users and they use proprietary software like vBulletin in their forums, showing just how apathetic they are towards software freedom.

Last year Ubuntu Forums got cracked (no surprise, as it was proprietary software) and now it’s OpenSUSE Forums [1]. What do they have in common? Yes, proprietary software. It’s like Canonical’s mistake (leaking out passwords of users) did nothing to teach SUSE a lesson. vBulletin is a mess and it does almost nothing to guard passwords (which many people reuse across sites). In OpenSUSE’s case they say that only E-mails got leaked, but who knows if they’re honest…

What’s hard to grasp is why some companies continue to trust secret code and systems which earned no respect through independent audits.

In the next post we are going to share some of the latest revelations about the NSA. It is clear that back doors are often there by design, so it’s not a matter of whether or not a piece of proprietary software is secure, it’s a question of where there is a back door. See [2-5] below. The FBI requests that US companies make back doors and the NSA even bribes for it.

Related/contextual items from the news:

  1. openSUSE Forum Hacked, Everyday Linux, and Mageia RC Delay
  2. More Security Experts Cancel Speech for RSA Conference
  3. Infosec experts boycott RSA conflab over alleged ‘secret’ NSA contract
  4. What It’s Like When The FBI Asks You To Backdoor Your Software

    At a recent RSA Security Conference, Nico Sell was on stage announcing that her company—Wickr—was making drastic changes to ensure its users’ security. She said that the company would switch from RSA encryption to elliptic curve encryption, and that the service wouldn’t have a backdoor for anyone.

    As she left the stage, before she’d even had a chance to take her microphone off, a man approached her and introduced himself as an agent with the Federal Bureau of Investigation. He then proceeded to “casually” ask if she’d be willing to install a backdoor into Wickr that would allow the FBI to retrieve information.

  5. What The Intelligence Community Doesn’t Get: Backdoor For ‘The Good Guys’ Is Always A Backdoor For The ‘Bad Guys’ As Well

    Bruce Schneier, over at the Atlantic, recently made nearly the same point in talking about the massive costs of all of this NSA surveillance (as well as talking about the near total lack of benefits). There’s the cost of running these programs that are massive. There is the fact that these programs will be abused (they always are). There are the costs of destroying trust in various tech businesses (especially from foreign users and customers). But just as important is the fact that the NSA, FBI and others in the intelligence community are flat out weakening our national security by installing backdoors that malicious users can and will find and exploit:

12.31.13

When GNU/Linux on Desktops/Laptops Starts to Outsell Apple

Posted in GNU/Linux, Security at 9:40 am by Dr. Roy Schestowitz

Summary: The allure of GNU/Linux and its constant growth is likely to increase the threat of back doors

THE NSA must be worried that Google is gaining ground in operating systems, unless Google is already part of the backdoors conspiracy (which is very much real). Now that Chromebooks are beating MacBooks or “Chromebooks’ success punches Microsoft in the gut” [1] (Microsoft Nick too acknowledges this [2]) the NSA is going to have to start working hard on compromising Android, ChromeOS, and GNU/Linux distributions from the inside (they all have Linux in common and the NSA has already tried to compromise Linux [1, 2, 3, 4] and perhaps succeeded). Well, Apple is compromised by the NSA and so is Microsoft (complicity). Most phones and tablets already use Linux (through Android) and according to yesterday’s talk by Jacon Appelbaum, there is more spying in Android than just through carriers (Appelbaum shows that even Solaris is being targeted by the NSA).

GNU/Linux predictions for 2014 are mostly positive [3] because with Linux in particular we’re talking about majority market share (taking smartphones into account). Some Windows machines are now being turned to dual-boot machines with Android [4] (Android entering desktops, not Microsoft entering mobile) and GNU/Linux is being recognised as roughly on par with the proprietary operating systems [5,6], having gained a lot of share [7]. SJVN has just argued [8] that GNU/Linux “quietly grew stronger over all areas of computing during 2013,” but let’s ensure it stays freedom-respecting and free of backdoors; the NSA uses Fedora to spy on Windows users (Appelbaum has shown this), demonstrating that for secure computing the NSA recognises GNU/Linux. Unless we reject all proprietary code/blobs (including proprietary graphics drivers) we can never protect ourselves — let alone see — back doors. The campaign for GNU/Linux world domination has been a success, but we now need to pursue freedom and security, too.

Related/contextual items from the news:

  1. Chromebooks’ success punches Microsoft in the gut
  2. Chromebooks Seize Big Chunk of Commercial PC Market
  3. Linux Predictions for 2014? Let’s Talk Direction…
  4. ‘PC Plus’ Machines Being Prepped For CES To Run Android On Windows In Retaliation Against MSFT

    How desperate are OEMs to make lemonade out of the Windows 8.1 RT lemon? They’re going to be pushing something called a “PC Plus” initiative at CES this year, which in a nutshell is simply the ability for Windows tablets and laptops to run Android apps or dual-boot Windows and Android.

  5. Windows vs Mac vs Linux: The Pros And Cons
  6. Is Linux Better Than Windows and Mac?
  7. Global Triumph Of */Linux In 2013

    It’s not as if */Linux dominated everything in every way. */Linux did dominate everything but the desktop in every way. The big thing that happened in 2013 is that */Linux took huge share of retail shelf-space at last and has begun to eat up the web stats.

  8. 5 top Linux and open source stories in 2013

    Linux, open source software, and the open source method quietly grew stronger over all areas of computing during 2013.

12.22.13

More Details Revealed About How the NSA Infiltrates Windows and Other Proprietary Software, Governments Should Now Ban Microsoft

Posted in Europe, Microsoft, Security, Windows at 2:46 pm by Dr. Roy Schestowitz

RSA Conference

Summary: RSA is the latest (known) entity to have received bribes from the NSA in exchange for back doors; Germany may move towards banning software from companies that share data with the NSA

A COUPLE of nights ago Reuters published an explosive report about RSA, basically showing that Windows does not have back doors, it is a back door and so is a lot of the software that’s proprietary. Free/libre software does not suffer from the trap [1]. This is a serious wakeup call to any government that still relies on proprietary software and US companies that collect data.

Munich moved to GNU/Linux owing to political determination to do so [2], but what about other cities? Their politicians are in serious trouble and a constant threat of espionage.

“This is a serious wakeup call to any government that still relies on proprietary software and US companies that collect data.”As the Reuters report revealed [3] (and there was a lot of journalism linking to it [4,5]), “RSA Weakened Encryption For $10M From NSA,” to quote Slashdot, which consequently also published the item “Microsoft Security Essentials Misses 39% of Malware” (especially NSA malware that enables system compromise). Remember that Windows XP will soon receive no patches, so not just the NSA will get easy access through back doors. IDG’s advice on this matter is misguided as it basically offers continued use of Windows XP rather than runaway to a secure platform like GNU/Linux. As the author put it, “Microsoft’s support for Windows XP ends in less than four months, and the company has warned users repeatedly that it’s time to move on. But a lot of them are sticking with the aged OS. And for Microsoft, that’s a problem.”

Security is not really a problem here because there was never really any security to begin with. As we showed in our articles about the NSA, Windows is just a Trojan horse. It is obviously not secure and the only variable is, how many people can seize control of it?

The latest news makes almost all proprietary software suspect, even fake ‘open source’ like TrueCrypt (it is proprietary). As one tweet put it, “Check all on this list who use Dual_EC_DRBG as possible recipients of NSA bribes [...] Note Blackberry, Cisco, Juniper [...] Blast from the past: Call tracking Dual_EC_DRBG “Bribe Finder”: Any use by default post 2007 required either an implicit or explicit bribe.”

This is another good reason to avoid all proprietary software, including widely-used GNU/Linux programs like Skype. One tweet said that “Dual EC_DRBG was suspiciously absent from Wednesday’s report by President Obama’s NSA advisory panel.”

Going back to Microsoft’s flawed detection of malware, MinceR wrote that “their alleged “anti-malware” efforts started with stopping detecting claria as malware just as they were about to buy it, so i don’t know why anyone trusts them with such … [it] manages to out-sleaze even the other “antivirus” companies.”

” With Microsoft, NSA gets video/audio surveillance, not just through Skype but also through people’s webcams on computers that have Windows installed (and are idle).”Sosumi said that “they don’t detect NSA backdoors as malware, so why trust them?”

Nobody can trust Microsoft. The above report says that “latest tests from Dennis Publishing’s security labs saw Microsoft Security Essentials fail to detect 39% of the real-world malware thrown at it.”

It’s not just a case of access to one’s files by the way. See the new post titled “Windows users: Your webcam lights aren’t safe from the FBI either” (we wrote about CIPAV almost 5 years ago).

“In recent news,” says the post, “it was revealed the FBI has a “virus” that will record a suspect through the webcam secretly, without turning on the LED light. Some researchers showed this working on an older Macbook. In this post, we do it on Windows.”

“The more you know about how the NSA gets along with RSA & Microsoft,” writes one Twitter user, “the more perspective you have on their handling of Lavabit.” With Microsoft, NSA gets video/audio surveillance, not just through Skype but also through people’s webcams on computers that have Windows installed (and are idle). This is a good enough reason to immediately abandon Microsoft and some politicians in Germany already think about moving in this direction. See [6,7] below for details of the latest news and pay attention to the explosive new article “Snowden ally Appelbaum claims his Berlin apartment was invaded” [8]; clearly it’s not about terrorism but about cracking down on activists [9].

Following the revelations above there is some new effort [10] — including from GNU/Linux developers [11] — to sack with prejudice potential NSA moles.

Related/contextual items from the news:

  1. Worried OpenSSL uses NSA-tainted crypto? This BUG has got your back

    As fears grow that US and UK spies have deliberately hamstrung key components in today’s encryption systems, users of OpenSSL can certainly relax about one thing.

    It has been revealed that the cryptography toolkit – used by reams of software from web browsers for HTTPS to SSH for secure terminals – is not using the discredited random number generator Dual EC DRBG.

    And that’s due to a bug that’s now firmly a WONTFIX.

    A coding flaw uncovered in the library prevents “all use” of the dual elliptic curve (Dual EC) deterministic random bit generator (DRBG) algorithm, a cryptographically weak algorithm championed by none other than the NSA.

    No other DRBGs used by OpenSSL are affected, we’re told.

  2. Moving a city to Linux needs political backing, says Munich project leader

    This year saw the completion of the city of Munich’s switch to Linux, a move that began about ten years ago. “One of the biggest lessons learned was that you can’t do such a project without continued political backing,” said Peter Hofmann, the leader of the LiMux project, summing up the experience.

    The Munich city authority migrated around 14,800 of the 15,000 or so PCs on its network to LiMux, its own Linux distribution based on Ubuntu, exceeding its initial goal of migrating 12,000 desktops.

  3. Exclusive: Secret contract tied NSA and security industry pioneer

    As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned.

  4. NSA Gave RSA $10 Million To Promote Crypto It Had Purposely Weakened

    Earlier this year, the Snowden leaks revealed how the NSA was effectively infiltrating crypto standards efforts to take control of them and make sure that backdoors or other weaknesses were installed. Many in the crypto community reacted angrily to this, and began to rethink how they interact with the feds. However, Reuters has just dropped a bombshell into all of this, as it has revealed that not only did the NSA purposefully weaken crypto, it then paid famed crypto provider RSA $10 million to push the weakened crypto, making it a de facto standard.

  5. How much did NSA pay to put a backdoor in RSA crypto? Try $10m – report

    Latest Snowden claims: Flawed encryption tech switched on by default in exchange for cash

  6. Germany should ban U.S. contracting companies passing data to NSA – report

    U.S. contracting companies such as Cisco, which manages much of the German armed forces’ data, should be contractually barred from passing sensitive information to the U.S. security services, a spokesman for Chancellor Angela Merkel’s conservatives was quoted saying.

  7. German government buildings and charities were targets of GCHQ and NSA, says Edward Snowden

    Humanitarian organisations and German government buildings are among the targets of UK and US surveillance agencies, documents leaked by Edward Snowden are said to show.

    The latest disclosures from the Snowden archive also highlight the key role in national security played by the small Cornish holiday resort town of Bude.

    A government listening facility on the Cornish coast had a unit that was used to analyse samples of electronic date to assess whether surveillance targets were worth the effort of listening in on their communications more frequently.

    A significant amount of the Bude listening post’s funding comes from the National Security Agency (NSA), the US surveillance body, because of shared operational projects.

  8. Snowden ally Appelbaum claims his Berlin apartment was invaded

    Jacob Appelbaum, a US Internet activist and one of the people with access to Edward Snowden’s documents, has told a Berlin paper that his apartment was broken into, saying he suspected US involvement.

  9. The Real Purpose of Oakland’s Surveillance Center

    City leaders have argued that Oakland needs a massive surveillance system to combat violent crime, but internal documents reveal that city staffers are also focused on tracking political protesters.

  10. Critics: NSA agent co-chairing key crypto standards body should be removed (updated)

    Security experts are calling for the removal of a National Security Agency employee who co-chairs an influential cryptography panel, which advises a host of groups that forge widely used standards for the Internet Engineering Task Force (IETF).

    Kevin Igoe, who in a 2011 e-mail announcing his appointment was listed as a senior cryptographer with the NSA’s Commercial Solutions Center, is one of two co-chairs of the IETF’s Crypto Forum Research Group (CFRG). The CFRG provides cryptographic guidance to IETF working groups that develop standards for a variety of crucial technologies that run and help secure the Internet. The transport layer security (TLS) protocol that underpins Web encryption and standards for secure shell connections used to securely access servers are two examples. Igoe has been CFRG co-chair for about two years, along with David A. McGrew of Cisco Systems.

  11. Kevin M. Igoe should step down from CFRG Co-chair

    I’ve said recently that pervasive surveillance is wrong. I don’t think anyone from the NSA should have a leadership position in the development or deployment of Internet communications, because their interests are at odds with the interest of the rest of the Internet. But someone at the NSA is in exactly such a position. They ought to step down.

12.16.13

NSA Confirms Remote Computer Bricking by BIOS (or UEFI) as a Real Strategy

Posted in GNU/Linux, Hardware, Security at 3:26 pm by Dr. Roy Schestowitz

UEFI Forum operated by companies in bed with the NSA

UEFI logo with monopoly

Summary: NSA officials say that bricking a large number of PCs by tinkering with the boot process not just an imaginary plot

THE back doors in Windows are more than evident now, but Linux developers have just rewritten the random number generator, meaning perhaps that the NSA subverted the security of Linux by reducing entropy (e.g. via Red Hat staff, which is making requests for inclusion of NSA code in the core). This is troubling. As Phoronix put it (this debate has been going on for months now), “While /dev/random was made faster and more random in Linux 3.13, in light of the NSA controversies and that Intel/VIA hardware encryption and random generators may not even be trustworthy, there’s been a rework in how reseeding happens for the Linux kernel’s random component.”

We previously pointed out that using back doors the NSA can completely brick hardware, especially if it uses UEFI. Surely that’s a good reason to boycott UEFI, no?

Anyway, as part of a CBS puff piece (or propaganda piece where NSA gets the carte blanche and critics do not exist), there was an attempt to brick PCs using BIOS (causing irreversible destruction by sending packets). As the British press put it: “Senior National Security Agency (NSA) officials have told US news magazine program “60 Minutes” that a foreign nation tried to infect computers with a BIOS-based virus that would have enabled them to be remotely destroyed.”

We already know, based on a lot of evidence, that the NSA is in every way worse than other such agencies; in fact, there is nothing China or Russia, for example, can be accused of that the NSA/CIA cannot be accused of (not anymore anyway). The accusations from the NSA seem to be directed at China (popular scapegoat for NSA hypocrites as it is the biggest computer manufacturer), but given what we have seen when it comes to chip development at the design level (e.g. backdoor by useless encryption at hardware level), it is the US, especially criminal companies like Intel, that we should be concerned about. The government of the US has been compelling and at times bribing companies for back doors (the bribes come through the CIA though, not the NSA). Google is reportedly moving further away from Intel [1, 2], but will it also abandon the second processor in mobile devices (the Trojan horse that turns mobile phones into non-stop listening devices)?

For those who fail to grasp how criminal and void of ethics the NSA has become, in the next post we shall summarise some of the latest news. Don’t believe for a second the popular myth/fiction that China is worse when it comes to surveillance.

« Previous Page« Previous entries « Previous Page · Next Page » Next entries »Next Page »

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channels: Come and chat with us in real time

New to This Site? Here Are Some Introductory Resources

No

Mono

ODF

Samba logo






We support

End software patents

GPLv3

GNU project

BLAG

EFF bloggers

Comcast is Blocktastic? SavetheInternet.com



Recent Posts