“Our products just aren’t engineered for security.”
–Brian Valentine, Microsoft executive
Summary: Following the familiar pattern of FOSS FUD, wherein we see Microsoft partners badmouthing FOSS over “security” (ignoring much worse problems in proprietary software), FOSS gets widely bashed in the British media
MICROSOFT has made many back doors available for the FBI and for the NSA. We have covered this for over half a decade and given concrete examples. Our next post will give yet another new example.
So, how does Microsoft have the audacity to tell us — usually by proxy — that Free software is not secure? Yes, Free software has some bugs (not many are critical), but Microsoft software is insecure by design. There are lots of back doors in Windows XP, for example, but the British NHS, which holds medical records (highly sensitive) of tens of millions of people (including my family), continues using it based on this new report:
Many UK NHS Trusts are at risk of missing the extended cut-off deadline for Windows XP support in April 2015, according to the results of several Freedom of Information requests by software firm Citrix.
Although the government acquired a support extension, the FOI request found that the trusts have been slow to make the transition, or are simply unsure when their transition would be complete.
Why on Earth are they not migrating to GNU/Linux yet? I have been part of British migrations to GNU/Linux, both in the private sector and government, and all I can say is that it always works. Not only does it save money but it also produces more secure and more stable systems.
“Entertaining more of that nonsense about FOSS being less secure than platforms with back doors or about Microsoft loving the competition that hurts it the most is probably a waste of time.”Trend Micro littering the British press at the moment with anti-FOSS messages that promote Microsoft, not mentioning back doors. We need not link to any examples because there are many of them this afternoon, but we have confronted Trend Micro UK and publications that gave it a platform today. So has the President of the OSI. Trend Micro has a FOSS-hostile track record, so it hasn’t been too surprising.
Speaking of poor journalism that’s actually PR in disguise, watch what IDG is doing right now. A new article by Eric Knorr of InfoWorld (editor), perhaps infatuated/in love with his sponsor (ads), repeats Microsoft's lie that it loves Linux
Entertaining more of that nonsense about FOSS being less secure than platforms with back doors or about Microsoft loving the competition that hurts it the most is probably a waste of time. The next post will show another back door that Microsoft deliberately put it its common carrier. █
Send this to a friend
“Our products just aren’t engineered for security.”
–Brian Valentine, Microsoft executive
Summary: Microsoft’s insecure-by-design software is causing massive damages (possibly trillions of dollars in damages to date) and yet the corporate press does not ask the right questions, let alone suggest a ban on Microsoft software
According to the New York Times and other news sites, “Staples Is Latest Retailer Hit by Hackers” because it was using Microsoft Windows. Well, other recent examples included UPS, which basically hurt millions of people because it let crooks have lots of credit card details. The TJ Maxx heist and other credit card heists were also the fault of Microsoft Windows, not GNU Bash or OpenSSL, among other bits of software that dominate the news in the context of security. It sure looks like Microsoft Windows is the target, not FOSS. There are hardly any stories at all about an apocalypse or any great damage caused by bugs in Bash or in OpenSSL. So go figure what the press is doing, in part because the OpenSSL bug has been hyped up by Microsoft partners at a very strategic time (same day as Windows XP support ending).
As Will Hill put it the other day, “Business Week Covers Up for Microsoft In Target Hack and Misses the Big Story”. Mr. Hill adds that “The US government covering up for Microsoft is not too surprising after learning about the HACIENDA program . That’s a massive program where the US government has been cracking servers and ordinary around the world to serve as botnets. If everyone used software that was better then Microsoft’s intentionally weak garbage, GHCQ, NSA and other spooks would not be able to cover their tracks. Because of US government promotion of Microsoft and their combined incompetence, criminals around the world have it easy. NSA spying has put trillions of dollars in commerce at risk.”
Those botnets do even greater damage than what was done at Staples. They are taking down a lot of Web sites and fill the Internet with heaps of SPAM. To quote our reader, complaining about articles like these: “Somehow they manage to omit the key role of Windows yet again.” They must call out Windows.
Another new article was sent to us by a reader. It is titled “Computer users who damage national security could face jail” and it was published by a Bill Gates-sponsored newspaper. This reader of ours asked: “What about those that knowingly deploy Windows on machines connected to the Internet?”
Our sites are still under DDOS attack (for over a month ago). Tux Machines has been offline for several hours now after a DDOS attack from Windows botnets hit it.
Why are ISPs still permitting customers to connect to the Internet with Windows? When will ISPs or users face liability for the damage they cause? Some people have been trying to take down my sites for well over a month now and they have used Microsoft Windows as a weapon. Windows has weaponised back doors, so it should be banned already.
Speaking of takedowns, watch the latest commentary [1,2] about Microsoft breaking the law to take material and sites (or even entire networks) offline, despite them doing nothing illegal.
The corporate media should start directing some tough questions at Microsoft, not just its victims. The company should face massive fines for the damages it causes on the Web. Ultimately, its software should be banned until security — not insecurity (weaponised back doors) — is its goal. █
Related/contextual items from the news:
Microsoft has gained immense popularity over its never-ending war on software piracy. However, this time, the company appears to have caused a bit of collateral damage. So who are the victims? A handful of prominent and highly acclaimed YouTube video bloggers.
Oh, Microsoft. The company has now admitted that it ended up sending a bunch of DMCA takedown notices on non-infringing videos, all because someone had posted product keys in comments to those videos. To its credit, Microsoft has apologized and said that it has “taken steps to reinstate legitimate video content and are working towards a better solution to targeting stolen IP while respecting legitimate content.” That’s all well and good, but this seems like the kind of thing that they should have done long before issuing obviously bad takedowns. This is the kind of thing that happens when you have a tool like the DMCA notice-and-takedown provision that makes it just so damn easy to censor content. Those issuing the takedowns do little to nothing to make sure the content being removed actually infringes. They just use either automated means or someone rushing through the process with little review, sending off takedowns willy nilly with no real concern about how they might kill off perfectly legal content. It still boggles the mind that a basic notice-and-notice regime couldn’t suffice to handle situations like this. That and making sure that those issuing bogus DMCA notices receive some sort of real punishment to give them the incentive to stop sending bogus takedowns.
Send this to a friend
Microsoft Windows is a weapon of (cyber) war
Summary: Microsoft is still breaking the Internet using completely bogus takedown requests (an abuse of DMCA) and why Microsoft Windows, which contains weaponised back doors (shared with the NSA), should be banned from the Internet, not just from the Web
So Microsoft spreads its lies in the media again and one of the lies we hear too often is that Microsoft obeys the law and Free software is “hacking” (they mean cracking) and a tool of “pirates” or whatever the bogeyman du jour may be. Well, actually, the very opposite is true. Criminals use Microsoft Windows to bombard sites (as they have been doing against several of my Web sites — including Techrights — for well over a month now) and if justice was to be upheld, Microsoft Windows would be banned by ISPs. Microsoft is claiming that it is upholding the law but actually, in reality, it breaks the law; it is not even a veiled action. It’s very blatant and a serious violation of several laws. This is a valid claim at many levels and today we’ll assemble some relevant new evidence and patiently connect it. This post is relatively long, but it covers a lot of ground, so please bear with us and keep reading.
“With its bogus takedown requests, Microsoft has turned DMCA into more of a joke. It also shows how hostile Microsoft has become towards FOSS.”Chris Pirillo, a longtime proponent of Microsoft with deep links to the company (not just his MVP title), has just had a video censored by Microsoft. Yes, Microsoft has once again issued a bogus takedown request against Google, as it did before (repeatedly). Microsoft is a criminal company because here too there is illegal action being taken by Microsoft. These bogus takedown requests, as per DMCA, are clearly a violation of the law. Microsoft does not want to obey the law (it sees itself as above the law or exempt from the law), so law itself probably isn’t much of a deterrent. Here is a new report from Wired. It is titled “Microsoft Serves Takedown Notices to Videos Not Infringing on Anything” and it says:
Microsoft’s never-ending war on software piracy caused some collateral damage this week. The victims? A handful of prominent YouTube video bloggers.
The bloggers—including LockerGnome founder Chris Pirillo and FrugalTech host Bruce Naylor—took to Twitter on Tuesday, with the hashtag #Microstopped, to complain that they had received erroneous copyright infringement notices for videos that were often several years old. The notices were filed under the Digital Millennium Copyright Act, the U.S. law that seeks to control access to copyrighted material on the net.
The funny thing here here is that Pirillo is the target. How many people without the ability to protest publicly and loudly had the same thing done to them by Microsoft? We may never know. Censorship of evidence of censorship (e.g. channel bans) and other circular scenarios often kick in and become cynically applicable.
Pirillo would not sue Microsoft for breaking the law in this case because he is in Microsoft’s pocket, but will Google finally use the law against Microsoft? Enough is enough. Microsoft has done this to Google for years!
Microsoft’s censorship does not quite stop here. There is another new story which speaks about how Github will deal with takedown requests from now on. Remember that Microsoft censors GitHub this way, essentially damaging FOSS projects by altogether purging them.
GitHub explains its policy change as follows: “The first change is that from now on we will give you an opportunity, whenever possible, to modify your code before we take it down. Previously, when we blocked access to a Git repository, we had to disable the entire repository. This doesn’t make sense when the complaint is only directed at one file (or a few lines of code) in the repository, and the repository owner is perfectly happy to fix the problem.”
Mike Masnick said, “kudos to Github and its lawyers for recognizing that sometimes you have to let in a little legal risk for the good of the overall community.”
With its bogus takedown requests, Microsoft has turned DMCA into more of a joke. It also shows how hostile Microsoft has become towards FOSS.
Another new report from Wired says that “Conficker remains, six years later, the most widespread infection on the internet.” This report is titled “How Microsoft Appointed Itself Sheriff of the Internet” and it explains how in the midst of Internet chaos, caused by Microsoft Windows having back doors, Microsoft just decided to hijack a huge portion of the Internet, breaking it altogether (a lot of UNIX/Linux-based systems affected, including millions of services being down for days). This was an unbelievable and probably unprecedented abuse by Microsoft. A judge got bamboozled and Microsoft fooled the press into distracting from its serious abuses against No-IP. There ought to have been a massive lawsuit. As the author Robert McMillan explains: “For the past 15 years, Durrer has worked as the CEO of a small internet service provider called No-IP. Based on Reno, Nevada, the 16-person company offers a special kind of Domain Name System service, or DNS, for consumers and small businesses, letting them reliably connect to computers whose IP addresses happen to change from time to time. It’s used by geeks obsessed with online security, fretful parents monitoring nanny cams in their toddler’s bedrooms, and retailers who want remote access to their cash registers. But it’s also used by criminals as a way of maintaining malicious networks of hacked computers across the internet, even if the cops try to bring them down.”
It was actually Microsoft that took them down. Microsoft is a criminal company and it used its own abuses as an excuse to break other people’s network. Here we are talking about the company that cannot even patch its systems to stop zombie PCs (with back doors that enabled them becoming zombies). Here again we have Microsoft failing to patch Windows and instead breaking it:
Microsoft has withdrawn an update released this past Tuesday due to user reports of system reboots after installation.
The update released as described in Microsoft Security Advisory 2949927 added SHA-2 hash algorithm signing and verification for Windows 7 and Windows Server 2008 R2. It was one of three proactive security feature updates released on Tuesday in addition to the eight patches of Windows and Office.
Microsoft makes it impossible to close the latest back door which it already told the NSA about, so people with Windows on their PC will be unable to boot or simply stay ‘infected’ with the latest back door. It’s all binary, so there is nothing they can do; they can’t even apply their own patch. As another source put it: “Microsoft has pulled one of the updates from its most recent Patch Tuesday release and recommends anyone who downloaded the fix should uninstall it.
“The update added support for the SHA-2 signing and verification functionality to Windows 7 and Windows Server 2008 R2 machines with the intent of improving security over the more vulnerable SHA-1 hashing algorithm.”
Microsoft Windows is simply unfit for use. Techrights, for example, has been under DDOS attack for over a month now. We know the offending machines. They all are Microsoft Windows PCs that got hijacked (from many different countries). The total number of IP addresses banned in the latest DDOS purge (so far today) is nearly 2,000. That’s a lot of Microsoft Windows zombies (with over 1200 IPs banned in just half a day). When will this operating system be banned by ISPs for facilitating DDOS attacks? How many Web sites can withstand attacks from so many zombies PCs and for how long? This is indirectly Microsoft’s fault, not just the attacker’s (the botmaster’s) fault because Windows does what it was designed to do; it has back doors. It can be commandeered remotely. This is clearly incompatible with the Internet.
Free software does not have such issues, but distributions that make their source code freely available to anyone can at least be checked for back doors, perhaps with the exception of binary Red Hat distributions like RHEL, which may have some back doors since around the start of the millennium, i.e. the same time Microsoft Windows got them (reportedly 1999), based on an IDG report and one from Beta News that said at the time: “It appears that Microsoft Windows is not the only operating system on the market that has a backdoor for those users who know the magic words. While Red Hat officials downplayed its seriousness, a team at Internet Security Systems, Inc. reports the security hole allows an intruder to access and modify files on systems running the most recent version of Red Hat Linux.”
Speaking of Red Hat, we are saddened to see it taking a stance of silence on the whole
systemd issue. Red Hat is very much complicit in it, but it refuses to say anything. In fact, criticism of
systemd is now being treated almost as taboo in Debian mailing lists because
systemd‘s creator has shrewdly personified the issue and made it political, eliminating any chance to have truly technical debates about
systemd. Personally, I worry the most about the number of bugs it would introduce, opening the door for exploitation. It replaces too many mature components. Microsoft’s propaganda network 1105 Media keeps spreading negative articles about FOSS because of such feuds (the
systemd fued), so we don’t wish to feed this fire right here. Well, at least not right now.
Incidentally, also on the subject of security, here is a good new article titled “Enough! Stop hyping every new security threat” (especially against FOSS).
The author explains that “now it has reached a fever pitch, with proactive marketing of individual exploits with supercool names — Shellshock, Heartbleed, Sandworm — some of which even have logos.”
“Logos for malware,” he asks, “Really?” Microsoft partners did the logo work to help demonise FOSS and stir up a debate about FOSS security as a whole (because of one single bug!). There have hardly been any stories (i.e. evidence) that the Bash bug and OpenSSL bug resulted in some disaster or meltdown.
The bottom line is, proprietary software such as Windows has back doors and causes stormy weather on the Web (DDOS attacks). It’s Microsoft Windows that should be taken down as part of takedown requests, not innocent videos, whole networks (like No-IP) and FOSS code (GitHub) that Microsoft maliciously and deceivingly (against the law) calls offending and tries to take down. █
Send this to a friend
Summary: News reports circulate showing that Home Depot was knowingly careless with its Windows dependency while Microsoft lays off staff focused on security
Microsoft is not a company that cares about security. It seems to care about the security state (i.e. surveillance), which is why it makes its products so easy to infiltrate (by the “Good Guys”). As we showed before, Microsoft’s layoffs focus in part on security-related staff, or staff that’s associated with security state type of stuff (restricting operation of computers, back doors, etc.).
Microsoft uses secrecy as a weapon against fear-induced exodus because layoffs are company-wide and it's not about Nokia but about parts of the company which Microsoft would rather keep secret. To quote one source:
In a statement sent to Channelnomics sister-site CRN UK, Microsoft said the staff reductions in the latest round have been “spread across many business units and many different countries”, but did not go into specifics as to where it is swinging the ax.
“Trustworthy Computing group” is one of the affected units, based on Seattle-based press. Reportedly, according to this press (heavily biased in Microsoft’s favour), the group was “folding into other units”. It’s a clever and rather classic way to disguise layoffs (like the term “reorg”). “A spokesman confirmed that an unspecified number of jobs are being eliminated from the Trustworthy Computing group as part of the changes,” said the report that we cited last week. So by “folding into other units” he basically meant “layoffs”.
It is rather amazing that given all that is known, some businesses and even governments continue to procure and/or purchase more stuff from Microsoft. It’s worse than irresponsible, it’s suicidal. Ask Home Depot why it should not be using Windows anymore. According to reports such as , this retailer faces a massive security breach and it’s all the fault of Windows. Staff knew about it and also ignored the issues. It makes it both
irresponsible and suicidal. The company’s name is now tarnished.
Increasingly here in the UK I see businesses that move to Free software and GNU/Linux, usually for security reasons, not just cost savings (the migration itself can be pricey). Some months ago staff at Ryman (a large UK chain) told me that they had moved from Windows to Ubuntu GNU/Linux due to virus infections.
Now that Microsoft is eliminating security jobs people will hopefully realise that Windows security is not improving. It’s only going to get worse. Time to move to GNU/Linux… █
Related/contextual items from the news:
Former information technology employees at Home Depot claim that the retailer’s management had been warned for years that its retail systems were vulnerable to attack, according to a report by the New York Times. Resistance to advice on fixing systems reportedly led several members of Home Depot’s computer security team to quit, and one who remained warned friends to use cash when shopping at the retailer’s stores.
Send this to a friend
Summary: In the age of widespread fraud due to Microsoft Windows with its back doors there is an attempt to shift focus to already-fixed flaws/deficiencies in competitors of Microsoft
A Microsoft Windows (exclusively) infection is having a colossal impact on businesses right now, but corporate press coverage fails to name Windows [1, 2, 3], not to mention any possibility of blaming it. The name of an operating system is only mentioned for negative news when it’s not Windows. This is typical and it matches a pattern we have covered her under the “call out Windows” banner. IDG, the liars’ den, put it like this:
The Target data breach was one of the largest in recent memory, resulting in tens of millions of credit and debit cards being compromised. In the last couple of weeks, SuperValu said that at least 180 of its stores had been hit by a data breach and earlier this week UPS said 51 of it UPS Store locations had been hit.
We wrote about this last week because Windows was not being named, despite it being a critical part of this scenario. Instead, there was deflection to FOSS. It helped distract from Windows, which is insecure by design. It is an architectural problem because since 15 years ago, by some estimates, Windows has been a back doors carrier (for the NSA). Here is one British writer complaining about the approach Microsoft takes to composition as well:
In August last year, one-time-sysadmin and now SciFi author Charles Stross declared Microsoft Word ”a tyrant of the imagination” and bemoaned its use in the publishing world.
“Major publishers have been browbeaten into believing that Word is the sine qua non of document production systems,” he wrote. “And they expect me to integrate myself into a Word-centric workflow, even though it’s an inappropriate, damaging, and laborious tool for the job. It is, quite simply, unavoidable.”
To make matters worse, it facilitates surveillance and sabotage, as more stories from last years served to show (Snowden Files at the Guardian for instance). For security reasons Germany and Russia have moved back to typewriters; we can assume they were using Office and Windows beforehand.
Trust the spinners of Microsoft to create and disseminate some “Heartbleed” FUD, an OpenSSL bug that Microsoft likes to hype up and use to generalise so as to create an illusion that FOSS is inherently less secure. This has become Microsoft’s main propaganda against FOSS, based on just one single bug. The FUD started on the day that XP support (patches) came to an end; this timing is unlikely to be a coincidence for reasons we outlined before.
Jason Thompson writes an offensive piece titled “After Heartbleed, Is Open Source More Trouble Than It’s Worth?”
It starts with the following important disclosure:
Jason Thompson, formerly of Q1 Labs, is the vice president of worldwide marketing at SSH Communications Security.
Marketing for proprietary software (for Windows)? This is the type of thing we saw last week when issues in proprietary VPN software were unfairly blamed on OpenSSL. As we pointed out last week, there is also an attack on Android security (usually rogue apps at to blame) and then there is the recent security FUD against Android from former employees of Microsoft. Mind this new article which highlights Microsoft’s hypocrisy:
The Biggest Problem with the Windows Store: Scams Everywhere
Windows 8′s “Windows Store” is a great idea, but unfortunately, it’s a disaster. It’s full of scam apps, designed to trick you into buying an app you don’t need.
Our friends over at the How-To Geek recently wrote a great piece about the biggest problem with the Windows Store, and how Microsoft has apparently done nothing to address it (despite claiming they would over a year ago). For example, here’s what happens if you search for VLC, a popular free video player
Microsoft is creating some new FUD against Google at the moment and Google has responded as follows:
In Worldwide Partner Conference 2014, Microsoft Corporation (NASDAQ:MSFT) claimed that more than seven hundred and eighty five customers have switched to Microsoft Corporation (NASDAQ:MSFT)’s Office 365 from Google Inc (NASDAQ:GOOGL)’s Apps. Microsoft didn’t give any proofs for this claim, but shown a slide having the names of the pronounced customers who made the switch. Google Inc (NASDAQ:GOOGL) immediately started investigating this claim and has recently come up with a response. According to Google Inc (NASDAQ:GOOGL), 5,000+ companies sign up for Google Apps on a daily basis and thousands of these companies switch from Microsoft. In a Forbes article, Ben Kepes mentioned Google’s response and said that it was already expected that Google will come up with a befitting response on Microsoft’s claims.
Microsoft is a malicious, criminal company. Its ability to manipulate the press into writing negative stories about the competition is quite flabbergasting. Microsoft’s key strategy right now is badmouthing the competition. AstroTurf and press manipulation is how that's done, as we showed in the previous post. █
Send this to a friend
TJ Maxx all over again?
Summary: UPS is the latest victim of Microsoft’s shoddy back door with software on top of it (Windows); attempts to blame FOSS for data compromise actually divert attention from the real culprit, which is proprietary software
A boycott against UPS, based on my bitter experiences, is nothing too prejudiced. Their system does not work well. That’s an understatement actually. It’s dysfunctional. In fact, it’s an utter mess. I wasn’t the only one who was utterly screwed, reputedly, and made deeply upset by them. I tried to accomplish something so simple and spent a huge amount of time achieving nearly nothing. They are badly coordinated and their system is crap. They’re using an utterly flawed system, especially when it comes to exchanges with clients, including financial exchanges. Last year I was upset enough to produce some memes like the following:
Now it turns out that UPS was foolish enough to be using Microsoft Windows. Consequently, in many countries (not just one) it got “infected with credit card stealing malware” and customers are going to pay dearly (customers, not UPS):
Grocery shoppers nationwide probably had credit card data stolen
Coast-to-coast: Albertsons, Acme Markets, Jewel-Osco and more were hit.
Dozens of UPS stores across 24 states, including California, Georgia, New York, and Nebraska, have been hit by malware designed to suck up credit card details. The UPS Store, Inc., is a subsidiary of UPS, but each store is independently owned and operated as a licensed franchisee.
“Windows, again,” says our reader. “See the annotations in the update…”
Notice how the Microsoft-friendly Condé Nast fails to even name Microsoft. Total cover-up, maybe misreporting. Disgusting. It’s like naming an issue in some car model, stating that it is chronic, dangerous and widespread, but still not naming the car maker or the model. Recall also the biggest credit card-stealing incidents in recent history; it is almost always due to Microsoft and Windows.
There is a bunch of reports circulating right now which blame an OpenSSL bug (that Microsoft likes to hype up) for patients’ data compromise.
A reader of ours who lectures on computer security explains: “The real problem was that, as seen in other articles, they used a VPN in place of real security. Oh, and the VPN was closed source, not OpenVPN.”
“This is no surprise as when given internal access to any computer network, it is virtually a 100% success rate at breaking into systems and furthering access,” says one report.
“They admit to having no security for their services and relying on a VPN to provide the illusion of security,” our reader explains. “They also misuse the marketing term ’0-day’.”
Anything to keep the term “Heartbleed” in headlines, creating a FOSS scare…
You can count on the likes of Condé Nast covering Microsoft-induced disaster without mentioning Mirosoft at all while at the same time shouting “Heartbleed” from the rooftops, as Condé Nast so regularly does. █
Send this to a friend
Summary: Despite strong evidence that Microsoft has been complicit in illegal surveillance, Gartner continues to recommend the use of Windows and other espionage-ready Microsoft software
One might think that the Gartner Group paid attention to revelations about Microsoft complicity and active collaboration with the NSA’s crimes. Apparently, however, being a rogue marketing operation (disguised PR), Gartner is seemingly unable to learn what a lot of the public (and CIOs, CTOs etc.) already know. Let’s face it. Bill Gates’ ‘investments’ in Gartner and Microsoft’s payments to this marketing (‘analyst’) firm did not fail to cloud its judgment. In world of Gartner, even though Vista 8 is a total disaster and the future of Windows is quite uncertain, the only choice one has is between versions of Windows, not between operating systems. To Gartner, anything other than Windows is not even an option. Back doors are here to stay and defects too are “necessary evil”, apparently.
Why is it that so many people continue to treat Gartner with respect? Any morsel of credibility should have been long gone, even by checking who subsidises this firm. It’s like a think tank or a collective lobbying group (for its corporate client who seek to sell, not to buy); that’s not what analysts are supposed to do.
John C. Dvorak published this column the other day, highlighting the fact that Windows is defective and remains defective even decades down the line. He wrote: “You would think that after 30 years of Windows, many of the obvious and consistent flaws would be fixed. Are they unfixable? Or are the people at Microsoft who can fix them uninterested?
“There is a belief within the tech community that Microsoft lost control of Windows years ago as the company turned over personnel—including the programmers who actually knew the base code of Windows itself. It has long since become what people call spaghetti code—a tangle impossible to unravel. Every patch has to be run through a regimen of tests to see if anything breaks. One thing is fixed and soon something else does not work right.”
Incidentally, see this new report about Microsoft bricking Windows with the latest patches. To quote:
Since Patch Tuesday this past week, Microsoft has been receiving reports of severe system errors caused by one or more of the updates.
Yes, that’s Microsoft ‘quality’. This spaghetti code is impossible to manage, apparently. Simon Phipps, the OSI’s President, also wrote quite recently for “Linux Voice“. He wrote about Microsoft’s inherently defective software, inadvertently echoing some of Dvorak’s observations:
The action law enforcement services have taken against the GameOver-Zeus malware syndicate is great news for a change. In the UK, this was communicated with typical tabloid alarmism, framed as “two weeks to save the world” instead of “unusually effective action by law enforcement”. As a result, UK publications have been posting self-preservation information for their readers.
This is a Windows-only issue and since Microsoft does facilitate back doors (bug doors to be precise), Microsoft deserves at least some of the blame here. As Phipps concludes:
So actually it’s somewhat appropriate to blame Windows versions prior to Windows 8 for being vulnerable to many viruses which exploited bugs in this way. The existence of the vulnerability was a conscious choice and a marketing decision; in OS/2, which had no legacy to accommodate, the ring 0 separation was enforced.
Yes, Windows also offers a larger attack “surface” because of its wide adoption, and yes, there are other exploit mechanisms. But this tolerated technical vulnerability is the root cause of a large number of exploits. So while it’s true that malware authors are directly to blame for malware, there’s also a culpability for Microsoft that can’t be ignored.
For Gartner to be advocating the use of such rubbish spaghetti code (in binary form) is worse than incompetent; it’s utterly irresponsible. Why will any serious CIO or CTO ever listen to Gartner again?
Based on publicly-available evidence, even BIOS cracks require Windows. To give “BULLDOZER” as an example: “The technique supports any desktop PC system that contains at least one PCI connector (slot) and uses Microsoft Windows 9x, 2000, 2003 server, XP, or Vista. The PCI slot is required for the BULLDOZER hardware implant installation.”
To give “DEITYBOUNCE” as an example: “DEITYBOUNCE supports multiprocessor systems with RAID hardware and Microsoft Windows 2000, XP, and 2003 Server.”
No wonder China and Russia are banning x86 and/or Microsoft Windows. It’s not because they’re “anti-American” but because Microsoft Windows and some US-made hardware are anti-users. In Germany, for example, ‘secure’ boot was banned for similar reasons. Perhaps they have not been taking Garner’s advice then. In Munich, Gartner notably tried to derail (with words) the migration to GNU/Linux, as we demonstrated some years ago. █
Send this to a friend
Tick the box to ban
Summary: Symantec, a Windows insecurity firm, is miserably trying to divert attention away from reports about distrust that led to a ban in China
According to many reports this week [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16], China does not trust some US- and Russia-based companies to take care of ‘security’ in China. It’s about time.
Reports focus on two firms, but another one is seemingly affected (Symantec). While Kaspersky (which we occasionally mention here) does not deny the claims, Symantec does strike back and “Says its Products are Still Allowed in China”. This is a cleverly-worded denial. Some products are definitely banned, but the “Security software developer Symantec Corporation denied its software has been banned in China.” Symantec merely says or emphasises that not everything is banned.
Just to be more specific: “It is important to note that this list is only for certain types of procurement and Symantec products are not banned by the Chinese government.”
Kaspersky is hyping up security threats at the moment and Symantec is trying hard to dodge the negative publicity because trust is fundamental to their sales. Symantec, which has strong Microsoft connections and disdain for FOSS, should not be trusted if China does not trust Microsoft (we already know how China feels about the ‘new’ Microsoft). To quote an IDG report:
Symantec and Kaspersky Lab have become the latest tech firms to be kicked off the Chinese Government’s approved list, according to an unconfirmed report in the country’s media.
The People’s Daily newspaper broke the news at the weekend in a report that claimed that local supplies including Qihoo 360, Venustech, CAJinchen, Beijing Jiangmin and Rising would from now on be the preferred software for antivirus duties.
The news seems to have surprised both firms, which have until now have been approved suppliers for desktop security.
Symantec has been overlooking government back doors such as the ones Microsoft puts in place and lets the US government know about. This is an older debate which made a comeback amid NSA leaks (other antivirus makers seemingly exempt government malware and such, e.g. Stuxnet). Here is Wall Street’s press coverage:
That’s a lesson that Microsoft and Symantec are learning right now. An antivirus company from Silicon Valley, Symantec competes in China against local favorites like Beijing-based Qihoo 360 Technology. According to reports by Bloomberg News and the Chinese media, China has instructed government departments to stop buying antivirus software by Symantec and its Moscow-based rival, Kaspersky Lab. Symantec software has backdoors that could allow outside access, according to an order from the Public Security Ministry. Not coincidentally, Qihoo’s New York-traded shares rose 2.7 percent yesterday, following reports of the move against Symantec and Kapersky.
Well, good for them. After being cracked by the NSA they need to secure their systems by better identifying possible moles (in the software sense).
Dan Goodin, who typically slams FOSS over security issues (less severe than in proprietary software), finally writes about Microsoft’s best known back doors that it tells the NSA about (Goodin does not mention the NSA connection):
There’s a trivial way for drive-by exploit developers to bypass the security sandbox in almost all versions of Internet Explorer, and Microsoft says it has no immediate plans to fix it, according to researchers from Hewlett-Packard.
The exploit technique, laid out in a blog post published Thursday, significantly lowers the bar for attacks that surreptitiously install malware on end-user computers. Sandboxes like those included in IE and Google Chrome effectively require attackers to devise two exploits, one that pierces the sandbox and the other that targets a flaw in some other part of the browser. Having a reliable way to clear the first hurdle drastically lessens the burden of developing sophisticated attacks.
What can Symantec do to stop this other than suggest abandoning Windows (its bread and butter)? Symantec must have known about back doors in the form of IE vulnerabilities, but did it properly protect China from it? No, Symantec makes money from the prevalence of Windows and the company’s management is deeply connected to Microsoft’s. █
Send this to a friend
« Previous Page — « Previous entries « Previous Page · Next Page » Next entries » — Next Page »