The “legally-binding” and “transparency” conundrums grossly distorted
Summary: News sites mislead their readers, teaching them that the biggest dangers associated with proprietary software are in fact problems exclusive to Free/libre Open Source software
FOR Microsoft to ever pretend to care about security would basically mean to lie, blatantly. Microsoft works hand in glove with the NSA and it has, on numerous occasions, admitted that true security isn’t the goal. Its actions too show this repeatedly. Known flaws -- or holes, or bug doors, or whatever one frames them as -- are not being patched unless the public finds out about them.
In order to bolster security perceptions and to give an illusion that Microsoft actually cares about security and invests in security, the company has just hired some staff in Israel (acquisition is one other way to frame this). The media calls it “security provider”, but given Israel’s record on back doors, cracking (e.g. Stuxnet development), wiretapping etc. this is rather laughable. A lot of Microsoft’s so-called ‘security’ products are made in Israel, and some companies in this military-driven industry facilitate and cater for spies using back doors, usually under the guise of ‘security’ (they mean “national security”). We wrote about this in past years.
“This proves that security through obscurity is a myth that merely encourages people to rely on poorly implemented programs with shoddy security, whereupon developers choose to hide the ugliness of the code.”We were rather disturbed to see this bizarre article yesterday. Titled “Hackers targeting .NET shows the growing pains of open source security”, the article is a big lie. The headline is definitely a lie. .NET is PROPRIETARY (still), it has holes in it, and some fool tries to use it to call Free/libre software “not secure”. Let’s assume for a second that .NET code becoming visible to the world exposes many holes, indeed. It proves exactly the opposite of what the headline says then. If anything, it shows that Microsoft keeping the code secret assured low quality code and bred vulnerable code. Once shown to the world, these holes are being exploited. This proves that security through obscurity is a myth that merely encourages people to rely on poorly implemented programs with shoddy security, whereupon developers choose to hide the ugliness of the code. A lot of the claims from the article come from a FOSS foe, Trend Micro, but they can be framed correctly to state that, if anything, a public audit of .NET now shows just how terrible proprietary software can be, having never been subjected to outside scrutiny.
In other disturbing headlines we find another inversion of the truth. The Business Software Alliance (BSA), or the EULA police, has done a lot to show how dangerous proprietary software licences can be. Nevertheless, Slashdot with its pro-Microsoft slant as of late [1, 2] gives a platform to Christopher Allan Webber.
“Is this another false “I really like the GPL except” post,” asked us a reader. To quote the author: “The fastest way to develop software which locks down users for maximum monetary extraction is to use free software as a base” (oh, yes, those greedy Free software developers!)
The article has a misleading/provocative headline (hence we provide no direct link) and Bruce Perens, who had already accused Black Duck of FUD against the GPL (“I think it’s 100% B.S.,” he said three years ago), responded to the piece by stating:
I help GPL violators clean up their act, it’s my main business.
Every one has had a total lack of due diligence. I will come in and find that they have violated the licenses of 21 proprietary software companies (this is a real customer example) by integrating their code into their main product, just like the GPL code. Some of them only had an “evaluation” license, some not even that, some wildly violated the terms of any license they got.
Most of them are in silicon valley. They seem to have the attitude that they will clean up their legal problems when they’re rich, and nothing but getting their product out of the door matters until then.
They don’t ask me to feel sorry for them. I bill them a lot, and in the end, they’re clean and legal.
When it comes to legal risk and licensing, nothing beats proprietary software. It’s risky, it’s expensive (lock-in makes the exit barriers considerably higher), and it is very hard to obey or comply with, especially when you are low on staff and funds (must renew licences all the time). Contrariwise, it is very easy to comply with copyleft; there is no renewal work required and no renewal fees. All one is required to do is to maintain the copyleft of the code used. The rules are very simple. █
Send this to a friend
Not the Rackspace we once knew…
Summary: Rackspace adds proprietary spyware to its premises, hence reducing confidence in its ability to secure whatever is on the racks (security or perceived security severely compromised)
OVER the past few months I have confronted Rackspace on numerous occasions because they were promoting (even by mass-mailing without consent) proprietary software. This was done repeatedly, even after I had asked them to stop and they said they took action. That’s really quite a shame because Rackspace’s patent policy is commendable and their support team is quite technically-competent. The PATRIOT Act was always quite a problem (they’re subjected to secret warrants and cannot notify customers), but nevertheless, they had a good track record. They throw it all away now.
According to this article, Rackspace, which was traditionally about GNU/Linux, has climbed up Microsoft’s bed. Rackspace says: “We’re pleased to expand our relationship with Microsoft and the options we provide for our customers by offering Fanatical Support for Azure”. The company is based in 1 Fanatical Place, which probably explains the name. Reading further down the article we learn about “Rackspace’s Private Cloud that will be powered by Microsoft’s cloud platform Azure.” They must be out of their minds!
Rackspace makes a laughing stock of itself. What a dumb move.
Rackspace ought to know better, for no deployment on Windows in its datacentre can ever do any good. It is a threat to other guests and hyper-visors, even down to hardware. UEFI, promoted by the NSA’s leading partner, is targeted by Hacking Team and Microsoft Windows too is a target. To make matters worse, Microsoft is now leaving almost 200 million useds [sic] exposed. As The Register has just put it, “Windows XP holdouts are even more danger than ever after Microsoft abandoned anti-malware support for the ancient platform.
“Redmond overnight stopped providing XP support for new and existing installs of its Security Essentials package.”
“Rackspace’s business has back doors in it.”NSA surveillance of Windows is ever more trivial, not just because Microsoft constantly tells the NSA how to crack Windows (before patching flaws). The threat of Windows is contagious because it can spread to other platforms that share the same datacentre, network, and hardware. The weakest links are being targeted ti gain entry. Recall Pedro Hernandez with his Azure marketing (trying to convince GNU/Linux users to host with Microsoft) — shameless marketing which was soon followed by other sites (promoted by Microsoft-centric sites, some of which receive money from Microsoft, but alas, this was also noted by pro-Linux writers at Softpedia News). Any datacentre which gets ‘contaminated’ with Windows is no longer trustworthy; it should be deemed insecure because Microsoft deliberately adds flaws (back doors) to Windows. There are numerous technical reasons for this and we have covered them before. UKFast, for example, a large UK-based host, once told me (I spoke to the CTO) that they use Hyper-V (proprietary and Windows) to host GNU/Linux. This right there is a back door and I have confronted them over this. They never came up with a response that inspired any confidence.
Microsoft is now trying to make Apache software Windows- and Azure-tied, as British media now serves to remind us, and there is new additional bait to attract gullible people.
Don’t ever think that Windows can be contained or compartmentalised ‘away’ from Free software. Once a company starts to mix proprietary software with GNU/Linux (e.g. Hyper-V or VMware, which is connected to RSA) security is evidently lost. Security audits are impossible. Novell made some initial steps in this direction back in 2006 and now we have Rackspace. The company cannot be trusted anymore. Rackspace’s business has back doors in it. █
Send this to a friend
Summary: The United Airlines Web site, which uses Microsoft software, gets cracked, but the corporate media ignores the role of the underlying platform
“United hackers given million free flight miles,” says the BBC right now. Go to the United Airlines Web site and you will immediately see that they use Windows (ASPX is exposed at the URL of the front page, which is bad security practice in its own right). The United Airlines site is hiding behind Akamai (i.e. GNU/Linux), but it still shows a lot about the back end, which suggests that Microsoft frameworks are largely to blame (maybe poor programming, too).
This comes at an interesting time because, to quote other British media, “Microsoft Ends Windows Server 2003 Support But What Now?”
“The bottom line is, nobody should ever trust Microsoft for hosting of any kind of site.”Well, any company that still chooses Microsoft for public-facing site hosting would have to be dumb or seriously irresponsible. Microsoft is now hoping to also become the host of GNU/Linux sites. Microsoft’s booster Pedro Hernandez re-announces Microsoft propaganda right now (“Microsoft Rolls Out Linux Support Services on Azure”) even though it is not new, it is merely entrapment by Microsoft. Microsoft’s propaganda network “1105 Media”, featuring Microsoft’s booster Kurt Mackie, adds to it [1, 2] and promotes hosting by Microsoft. The latest Microsoft Channel 9 propaganda (we saw quite a bit of that recently), goes as far as openwashing Azure.
The bottom line is, nobody should ever trust Microsoft for hosting of any kind of site. The company is incompetent and it puts the NSA’s interests (e.g. back doors) first. █
Send this to a friend
Summary: The insecurity and abundant complexity/extensibility of UEFI is already exploited by crackers who are serving corrupt regimes and international empires
TECHRIGHTS has spent many years writing about dangers of Microsoft back doors and about 3 years writing about UEFI which, according to various citations we gathered, enables governments to remotely brick (at hardware level) computers at any foreign country, in bulk! This is a massive national security threat and Germany was notable in reacting to it (forbidding the practice). Among our posts which cover this:
Today we learn that UEFI firmware updates spread to the most widely used GNU/Linux desktop distribution and yesterday we learned that “HackingTeam has code for UEFI module for BIOS persistency of RCS 9 agent (i.e. survives even HD replace)…”
Rik Ferguso wrote this with link to the PowerPoint presentation, pointing to leaked E-mails via Wikileaks. The push back against UEFI ought to be empowered by such revelations, perhaps in the same way that these leaks now threaten to kill Adobe Flash for good. █
Send this to a friend
Image from the OpenSSH project
Summary: Exploring the real motivations and the real implications of Microsoft giving money to the OpenBSD Foundation
MICROSOFT is in pain. The company sees its monopoly diminished due to software becoming a commodity and platforms such as BSD and GNU/Linux taking over everything, not just the back end. Microsoft can attempt to cope with this the way it typically copes with competition (including Android as of late): Embrace, Extend, Extinguish [1, 2, 3, 4].
The other day we wrote about yet another example of openwashing from Microsoft (assimilation strategy). Microsoft booster Darryl K. Taft is the latest to call a Windows-only .NET pile of Microsoft APIs “open source” and it leads us to Microsoft’s effort to characterise its involvement in OpenSSH [1, 2] as something benign or even good.
“So it’s about putting secure Free software on an insecure proprietary software platform (with back doors), in order to promote its use.”Based on an OpenBSD Foundation announcement  and some press coverage  that says Microsoft “handed a pile of money to the OpenBSD Foundation”, we are becoming a little concerned, knowing Microsoft’s history in such circumstances (creating unnecessary financial dependencies). This story is growing feet now, even in some Linux sites, so it is hard to ignore the risk of Microsoft using BSD as a front against GNU/Linux and copyleft, as it did in past years. Prudently one can say that if things are as indicated, this won’t be the first time Microsoft uses BSD as anti-Linux front.
As Steven J. Vaughan-Nichols put it (implicitly) a couple of hours ago, it’s about “help in porting OpenSSH to Windows.”
Windows is known for gaping holes (see the latest in ), i.e. the very opposite of OpenBSD. For these two entities to work together (NSA resistor and the NSA’s number one partner) is to have an incompatible relationship. Nothing on top of Windows can be secured and as we pointed out in our past articles about this, SSH keys will be put at risk. Microsoft’s ‘help’ to OpenBSD reminds us of Microsoft’s ‘help’ to Novell, where the goal was to use Novell to promote Windows, even inside Linux (e.g. Hyper-V).
It’s not a payment intended to help OpenSSH development. Microsoft looks to get its money’s worth (shareholders’ money). So it’s about putting secure Free software on an insecure proprietary software platform (with back doors), in order to promote and increase its use. █
Related/contextual items from the news:
The OpenBSD Foundation is happy to announce that Microsoft has made a significant financial donation to the Foundation. This donation is in recognition of the role of the Foundation in supporting the OpenSSH project. This donation makes Microsoft the first Gold level contributor in the OpenBSD Foundation’s 2015 fundraising campaign.
Microsoft has handed a pile of money to the OpenBSD Foundation, becoming its first-ever Gold level contributor in the process.
Here at Univention, we are of course also concerned by the attack on the German parliament’s IT infrastructure, better known as the “Bundestag hack”. To recap: It appears that there were some bogus e-mails there including links to malware. A number of the Windows PCs in the Bundestag’s “Parlakom” network were or may still be infected with the malware, which is alleged to have searched for and copied certain confidential Word documents. According to a report in the Tagesspiegel (German) newspaper, this allowed the hackers to gain “administration rights for the infrastructure”. The attack was conducted as an “advanced persistent threat” or “APT attack” for short: in other words, a complex, multi-phase attack on the German parliament’s “Parlakom” IT network.
Send this to a friend
A game of perception alternation
“Well, it’s in the brand. The image you create around the brand. That’s why I need you in this company. Because nobody in this company, or in this industry, really understands that. And if we can have the perception, I can create the reality. With the combination of the reality and the perception, nobody will ever beat us.”
Summary: More AstroTurfing for Vista 10, including shameless promotion of the mere perception of it being ‘open’ and ‘secure’
THINGS must be working out pretty well for Microsoft’s PR agencies when/if even some Linux sites are willing to promote the NSA-friendly (hyper-visor runs only on Windows) Hyper-V. This is a little frustrating because it is not hard to see what it’s all about for Microsoft, whose software is made insecure by design. As FOSS Force put it the other day:
I assume that most enterprise users of Microsoft products already know not to trust Redmond to handle Windows’ security. I worry, however, about the poor consumer who plops a thousand dollars down for a laptop, and thinks it’s just fine to stop in to use the free Wi-Fi at Mickey Dee’s for a quick check of the bank account while being protected by nothing more than the best Redmond has to offer.
It looks like Vista 10 will remain as flawed and inherently insecure and its predecessors, no matter how much AstroTurfing Microsoft does (it gets worse by the day, as perception changing is the goal with official release day imminent) and how much openwashing Microsoft constantly does. It’s hard to keep up with the propaganda and refute it quickly enough.
Yesterday we spotted Microsoft’s propaganda channel (Channel 9) brainwashing Microsoft staff and readers of Channel 9, implicitly telling them that Visual Studio “open source”. Openwashing of SAP  and Apple  (below) could also be found in the news yesterday, so not only Microsoft does this. Remember that both companies were asked (if not demanded) by Russia to reveal their source code last year, for fear of back doors. We don’t know if SAP and Apple ever complied. █
Related/contextual items from the news:
SAP SE is dedicated to helping businesses respond to market demands around the clock, according to Steve Lucas, president of Platform Solutions at SAP. Its partnership with Red Hat, Inc. is a key part of its strategy. In an interview with theCUBE at RedHat Summit, Lucas explained further.
Recently, Apple released its programming language, Swift 2, to the public. By releasing Swift to the open source community, Apple is giving software developers more access to and control over the programming language. This release opens up a myriad of exciting possibilities for application development, software advancements and increased functionality.
Send this to a friend
Red Hat and back doors: poll from FOSS Force
Summary: The return of XKEYSCORE to some media outlets (not news anymore) brings us back to debating Red Hat’s role (also not really news)
QUITE a few sites (see [1-3] below) seem to be talking about Red Hat’s special (but no longer secret) relationship with the NSA, which is not at all news. The NSA uses a lot of RHEL (and also Fedora) on some malicious spying equipment, based on various NSA leaks. We already wrote a great deal about this back in 2013 [1, 2, 3, 4]. The only new thing we learn from the latest articles is that Red Hat continues to refuse to remark on the subject, even when asked by journalists (see the first article below). █
Related/contextual items from the news:
A little over two years ago, the first disclosures about the massive surveillance operation being carried out by the NSA were made in the Guardian, thanks to an intrepid contractor named Edward Snowden.
Now comes the rather disturbing information that the NSA runs its XKEYSCORE program — an application that the Intercept, the website run by journalist Glenn Greenwald, describes as NSA’s Google for private communications — for the most part on Red Hat Linux servers.
If report is correct, Red Hat’s marketing department has a very tricky customer reference
SELinux is a product of the NSA and some worried when it was added to Red Hat, Fedora, and later many other distributions. Even before Snowden revealed the massive government spying, having the NSA anywhere near Linux activated certain Spidey-senses. Now we learn that SELinux may have had an exploit for bypassing the security enforcements. Italian software company Hacking Team, who admits to providing “technology to the worldwide law enforcement and intelligence communities,” has been selling technology to governments (most with bad human rights records) to assist in gathering surveillance data on citizens, groups, journalists, and other governments. Recently Hacking Team was hacked and their information has been leaked onto the Internet. Besides the SELinux exploit, it’s been reported that the FBI, U.S. Army, and the Drug Enforcement Agency are or were customers of Hacking Team’s services.
Send this to a friend
“Our products just aren’t engineered for security.”
–Brian Valentine, Microsoft executive
Summary: More timely reminders that Windows is simply not designed to be secure, irrespective of version, status of patching, etc.
GIVEN the exceptionally strong ties between Microsoft and the NSA we shouldn’t be so shocked that Microsoft constantly lets the NSA know how to break into computers with Windows installed on them. That’s a fact.
Samsung, perhaps realising that ‘updating’ Windows (or even ‘upgrading’ it) won’t make it more secure decided to altogether abandon Windows Update. As IDG put it:
This week, it’s Samsung, which has been outed as intentionally disabling Windows Update. According to independent researcher Patrick Barker, he was trying to help a customer figure out why a PC kept randomly disabling Windows Update, which caused the system to be dangerously and continuously vulnerable to open security flaws.
Remember that Windows Update can also be used (or misused) to install new back doors at any time. Richard Stallman has repeatedly warned about the danger of any such mechanism. It’s basically a remote control for one’s PC, where the controller is not the user but the software vendor and potentially crackers (like NSA and the GCHQ, as well as non-government entities). When the article above says “vulnerable to open security flaws” it probably means security flaws that are provably known to cyber criminals not affiliated with governments.
“Remember that Windows Update can also be used (or misused) to install new back doors at any time.”According to Microsoft Peter (Peter Bright), writing about how much of a farce Windows ‘security’ really is might be something that a research student cannot do. To quote the booster:
Willcox’s research investigates ways in which Microsoft’s EMET software can be bypassed. EMET is a security tool that includes a variety of mitigation techniques designed to make exploiting common memory corruption flaws harder. In the continuing game of software exploit cat and mouse, EMET raises the bar, making software bugs harder to take advantage of, but does not outright eliminate the problems. Willcox’s paper explored the limitations of the EMET mitigations and looked at ways that malware could bypass them to enable successful exploitation. He also applied these bypass techniques to a number of real exploits.
The laws here have become so ridiculous that merely pointing out that some piece of software is ‘Swiss cheese’ and ‘easy pickings’ would potentially constitute a violation of the law. Microsoft Peter, writing another article about the failing Xbox business (billions in losses), shows how Microsoft secretly tried to deal with manufacturing flaws that may have led to loss of lives (there is a famous case involving a baby who died after an Xbox-induced house fire).
It often seems like Microsoft can get away with just about anything (surveillance by the back door, house fires etc.) as long as it colludes with the state against citizens. Anyone who still believe that Windows can be made secure (intrusions-resistant) clearly is deluded, or at least misinformed. █
Send this to a friend
« Previous Page — « Previous entries « Previous Page · Next Page » Next entries » — Next Page »