
02.07.15

Parasitical Firms Like Black Duck Exploit Bugs With Branding to Market Nonfree Services/Software

Posted in Free/Libre Software, Security at 4:53 pm by Dr. Roy Schestowitz


Summary: Parasites that take advantage of public panic and lack of comprehension are occupying paper space, as usual

LAST WEEK we wrote about the overblown threat dubbed “GHOST” (all capital letters) by the company seeking to make money from it despite being only the third to discover it and knowing it was not much of a big deal. We have not yet heard about any major exploit, which pretty much can be said about the OpenSSL bug as well (this one too was discovered by two entities before a Microsoft-connected firm irresponsibly publicised it, giving it a name and a logo to sell its own services and spread FOSS-hostile FUD for many months to come). What unifies the GLibC and OpenSSL bugs is that they got “brand recognition” very quickly. It was like a marketing campaign rather than a non-alarmist discussion about security — something that non-technical/technically-illiterate journalists would surely fail at.

Days ago we saw the most FOSS-hostile IDG Web site becoming a platform of Black Duck, a Microsoft-connected firm that sells proprietary software by spreading and accentuating fear of FOSS. The article at hand uses bugs with “branding” to spook FOSS users while Black Duck, paying to publish this self-promotional press release on the same day, is still pretending to be an authority in FOSS.

The bugs with “branding” were also exploited by Veracode in this article (on the same day) and as Eric Lorenzo pointed out: “If businesses don’t update legacy software, often they will have bugs fixed in later versions! Shock!”

“I wonder what percentage of businesses are using obsolete Windows without updates,” he added.

As more stories are published in the media about big “hacks” (cracks) against large corporations we can’t help but feel that the media neglects to mention that Microsoft Windows — not OpenSSL or Bash, let alone GLibC — is usually to blame. It not only sports back doors but is also badly designed and won't patch known critical holes. It is basically designed to be not secure.

When it comes to reporting on computer security, the corporate press has almost zero legitimacy. All it knows is brands and it is eager to promote corporate partners that piggyback those brands (like “heartbleed”) or stories (Anthem, Sony, etc.), claiming to be experts and offering remedies other than patches which were already issued and are free to apply by all.

01.30.15

Qualys Admits That Its Scare Campaign (So-called ‘GHOST’) Somewhat Baseless

Posted in FUD, Security at 6:14 am by Dr. Roy Schestowitz

Giving names to bugs to make them sound scary


Summary: Even the company that bombarded the media with its “GHOST” nonsense admits that this bug, which was fixed two years ago, does not pose much of a threat

TWO days ago we wrote about the self-promotional FUD campaign from Qualys, noting that it had been blown out of proportion, as intended all along by Qualys (which even gave it the name “GHOST” and paid for expensive press releases in corporate news). A Red Hat employee reveals that even Qualys itself realised that its pet PR/marketing charade, “GHOST”, is not much of a risk.

He said that “the people at Qualys that worked hard to hype GHOST into a doomsday bug had to admit that most software calling the gethostbyname function couldn’t be forced to exploit the bug. As they say themselves (from “the Qualys Security Advisory team”):

“Here is a list of potential targets that we investigated (they all call gethostbyname, one way or another), but to the best of our knowledge, the buffer overflow cannot be triggered in any of them:

apache, cups, dovecot, gnupg, isc-dhcp, lighttpd, mariadb/mysql, nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd, pure-ftpd, rsyslog, samba, sendmail, sysklogd, syslog-ng, tcp_wrappers, vsftpd, xinetd.”

“To put things in perspective see this [discussion],” he added. It’s LWN refuting Dan Goodin, the anti-GNU/Linux ‘security’ rhetoric person from Condé Nast (we took note of his coverage the other day).

“But as always,” added the guy from Red Hat, “the truth isn’t that clickbaiting…

“It was a bug. It has been fixed. But it wasn’t that simple to exploit. Patches are available and as it seems no one got hurt.”

01.28.15

Qualys Starts Self-Promotional FUD Campaign, Naming a Bug That Was Already Fixed 2 Years Ago and Distros Have Covered With Patches

Posted in FUD, GNU/Linux, Google, Red Hat, Security, Ubuntu at 12:23 pm by Dr. Roy Schestowitz

Ghostwriting a Qualys horror story for maximal FUD (fear, uncertainty, and doubt)


Summary: Responding to the media blitz which paints GNU/Linux as insecure despite the fact that bugs were evidently found and fixed

THERE IS something to be said about the “top” news regarding GNU/Linux. It’s not really news. The so-called “GHOST” publicity stunt needn’t be repeated by FOSS sites. It is about a bug which was patched two years ago, but some sites overlook this important fact and stick lots of spooky logos, playing right into the hands of Qualys, an insecurity firm (making money from lack of security or perception of insecurity).

We have watched the ‘news’ unfolding over the past day and a half and now is a good time to explain what we are dealing with. The so-called “GHOST” (all capital letters!) bug is old. Qualys is going back two years into bugfixes, giving a name to the bugfixes, then making plenty of noise (all over the news right now). Qualys does not look like a proxy of Microsoft or other GNU/Linux foes, but it is self-serving. Insecurity firms like Qualys probably learned that giving a name to a bug in GNU (SJVN mistakenly calls it “Linux”, but so do many others) would give more publicity and people will pay attention to brands and logos rather than to substance. Just before Christmas an insecurity firm tried to do that with "Grinch" and it turned out to be a farce. SJVN says that this old “vulnerability enables hackers to remotely take control of systems without even knowing any system IDs or passwords.”

Well, it was patched back in 2013. Use of names for marketing is what makes it “news”; the opportunists even prepared a PRESS RELEASE and pushed it into ‘big’ sites like CNN. It has marketing written all over it, just like “Heartbleed” that had strong Microsoft connections behind the disclosure. It is sad that Linux sites fall for this. Phoronix copies the press release as though it’s reliable rather than self-promotional. Michael Larabel writes: “The latest high-profile security vulnerability affecting Linux systems is within Glibc, the GNU C Library.”

It is not “latest”, it is 2 years old. Larabel says that “Qualys found that the bug had actually been patched with a minor bug fix released on May 21, 2013 between the releases of glibc-2.17 and glibc-2.18.”

OK, so it’s not news. FOSS Force cites SJVN to amplify the scare and other FOSS sites are playing along as though this is top news. It oughtn’t be. It is already widely patched (maybe requiring a reboot), so let’s patch and move on (unless it was already patched upstream/downstream years ago). IDG has already published at least three articles about it [1, 2], including one from Swapnil Bhartiya, who is not too alarmist to his credit. He noted that “there was a patch released back on May 21, 2013, between the releases of glibc-2.17 and glibc-2.18. However it was not considered to be a security risk and thus major Linux distributions that offer long term support and get security updates remained vulnerable, including Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7 and Ubuntu 12.04.”
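Whether a given host still needs attention after such a fix comes down to two checks an administrator can script: does the installed glibc carry the fix, and do long-running daemons still have the pre-update library mapped (the “maybe requiring a reboot” part). The script below is an added example, not code from this post, from Qualys or from any distribution. It assumes a Linux host with /proc and getconf, and its 2.18 threshold only reflects the upstream release boundary quoted above; on an LTS distribution with a backported fix, the package changelog, not the version number, is the authority.

```shell
#!/bin/sh
# Added example (not from the Techrights post): post-patch checks for the
# glibc gethostbyname fix. Assumes a Linux host with /proc and getconf.

# Returns 0 when the given glibc version string (e.g. "2.19") is at or past
# the upstream release that first shipped the fix. The post quotes the fix as
# landing between glibc-2.17 and glibc-2.18, so 2.18 is the threshold.
# Caveat: LTS distributions backport fixes without bumping the version, so a
# result of 1 means "upstream fix absent", not "host is vulnerable".
glibc_has_upstream_fix() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    if [ "$major" -gt 2 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -ge 18 ]; then return 0; fi
    return 1
}

# Reads /proc/<pid>/maps lines on stdin and prints, once each, the paths of
# libc images that were replaced on disk but are still mapped by a running
# process. Such processes keep executing the old code until restarted.
stale_libc_mappings() {
    grep -E '/libc(-[0-9.]+)?\.so[^ ]* \(deleted\)$' | awk '{print $6}' | sort -u
}

# Convenience wrapper for a live host: reports the installed version and any
# processes still holding the old library. Not invoked automatically.
check_running_host() {
    version=$(getconf GNU_LIBC_VERSION | awk '{print $2}')
    if glibc_has_upstream_fix "$version"; then
        echo "glibc $version: at or past the upstream fix release"
    else
        echo "glibc $version: predates 2.18; check the distribution's package changelog for a backport"
    fi
    stale=$(cat /proc/[0-9]*/maps 2>/dev/null | stale_libc_mappings)
    if [ -n "$stale" ]; then
        echo "processes still map a replaced libc (restart them or reboot):"
        echo "$stale"
    else
        echo "no stale libc mappings found"
    fi
}
```

Source the file and call `check_running_host` as root so that every process's maps file is readable; the two helper functions can also be fed constructed input (a version string, or saved maps lines) to exercise them offline.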

It affects very specific versions, mostly long-term support releases that already have reliable patches available. It should be clear that some headlines such as this or that clarify the limited scope of impact (not bad reporting) unlike the alarmist trolls.

What Techrights generally found was that early coverage came from so-called ‘security’ sites or blogs of insecurity firms that try to sell their services (e.g. [1, 2, 3]). These set the tone for many.

The response to this bug is proportional to the perceived danger (e.g. due to media hype), not the severity of the bug. Some security news sites [1, 2] focus on names and logos while facts remain only a side issue. This so-called “ghost” nonsense (some lines of code basically) was fixed 2 years ago and as the blog post “long term support considered harmful” explains it: “In theory, somebody at glibc should have noticed that fixing a buffer flow in a function that parses network data has security implications. That doesn’t always happen, however, for many reasons. Sometimes the assessment isn’t made; sometimes the assessment fails to consider all possible exploit strategies. Security bugs are “silently” fixed frequently enough (without evil intentions) that we should consider them a fact of life and deal with them accordingly.”

Some of the worst kind of coverage we found came from The Register with its flamebait headlines (scary headlines for maximum effect) and the troll Brian Fagioli. They are only some among many who are using the name to come up with puns and FUD. Jim Finkle is back to his GNU/Linux-hostile ‘reporting’, bringing this to the corporate media (there is some in the UK also) and LWN quickly cited the GNU/Linux-hostile Dan Goodin. He called “Highly critical” a bug that was patched two years ago.

Debunking some of the latest security FUD we had Fedora Magazine which stated “don’t be [worried], on supported Fedora versions.”

For unsupported versions there is a lot more than this one bug that one needs to worry about.

Apple fans were quick to take advantage of the news, despite the fact that Apple is leaving systems vulnerable for many months, knowingly (like Microsoft does, until Google steps in).

See, with proprietary systems one knows for a fact that there is no security. With GNU/Linux it is an open question and it depends on what measures one takes to keep it secure. For Apple and Microsoft security is not at all the goal; back doors and unpatched flaws are not really as “interesting” and important for them to patch as helping spying agencies. Google is not at fault here, Google just saw that Apple and Microsoft had no plans to plug serious holes — a patch evidently wasn’t going to be made ready before the public found out about it, owing to Google. Apple chooses to blame Google; same as Microsoft. They should only blame themselves both for the bugs and for negligence after the bugs were highlighted to them. There is no room here for properly comparing GNU/Linux (Free/libre) to OS X or Windows (proprietary) because evidence clearly shows that the latter are not interested in security and not pursuing security when it is trivially possible.

What we find curious amid the latest FUD campaign is that Apple back/bug doors are not as widely publicised as a GNU bug that was patched 2 years ago and mostly affects LTS systems (which already have patches available). “Nothing I can think of,” said a reader of ours about this media hype, “but the LTS model followed by RHEL and Ubuntu have different goals and purposes than the short, fast development cycle like OpenBSD.”

Nobody is forced to use an LTS release and those who choose it must be aware of the potential risk.

Regarding the other FUD that flooded the press in recent weeks, targeting for the most part Google and Android, our reader XFaCE wrote the following:

I assume you want to write about that new Android vulnerability. Basically I can see the narrative being pushed through three points

- Microsoft supported Windows XP/7/etc. for years, why doesn’t Google support old Android versions

- Google told Microsoft about a very old bug in their software, so they are hypocritical

- Heartbleed bug was fixed way back for 4.1.1

For the last point, it’s a bullshit comparison because

a) 4.1.1 was one point release where upgrading to 4.1.2 fixed the issue (it was already fixed back when 4.1.2 was released)

b) The fix was one file, as evident by XDA members patched it themselves on phones manufacturers refused to upgrade to 4.1.2 SOURCE: http://forum.xda-developers.com/showthread.php?t=2712916

c) As shown by the link, a lot of manufacturers DIDN’T update certain 4.1.1 devices to 4.1.2, hence proving Google’s point. The fix there was SIMPLE, but the OEMs didn’t bother to do it

With Webview, not only is webview involved, but so is the webkit rendering engine, so the fix for all those previous releases is much more complicated

As for the second point, Google did catch it, with KitKat, and furthermore made KitKat supported on more low-end devices so theoretically older 512mb or less devices could be updated

For example, HTC said (when Jelly Bean 4.1 came out) that they would not update any device with 512 mb of RAM (SOURCE: http://www.cnet.com/news/htc-one-v-and-desire-c-will-never-get-jelly-bean/ ), so naturally when KitKat came out, they updated those devices because the OS officially was designed for such low ram devices

oh wait

http://www.androidpit.com/android-4-4-kitkat-update-plans

“Later this year, the entry-level smartphone the HTC Desire 500, should also be seeing the KitKat update. However, the One X, One X+, One S, and One V will be left in the dust and will be receiving no more official updates from HTC.”

So the OEMs are at fault for not upgrading the devices, not Google, which leads to point 1 – Google doesn’t control the Android OEMs like Microsoft does. OEMs pay Microsoft for the support whereby Microsoft controls all updates; Google doesn’t get paid or have the agreement in that way

OEMs like HTC could easily fix this by porting Kitkat to those devices, but they won’t cause they want you to buy a new HTC phone or whatever phone brand

Techrights did not cover that (except in daily links) because it should be self-evident that free-of-charge Android upgrades make it inherently different from proprietary software and keeping up to date typically ensures security. A lot of the analogies (Android and Windows) were inherently flawed and the FUD rather shallow.

01.24.15

Apple — Like Microsoft — Not Interested in the Security of Its Operating Systems

Posted in Apple, Google, Microsoft, Security at 9:54 am by Dr. Roy Schestowitz

A big hole in Apple, but Apple doesn’t mind as long as the public doesn’t know


Summary: Apple neglected to patch known security flaws in Mac OS X for no less than three months and only did something about that vector of intrusion when the public found out about it

LAST year Apple admitted having back doors in iOS, conveniently dubbing them “diagnostics” (Orwellian newspeak). Apple did this only after a security researcher had found and publicised severe flaws that enabled remote intrusion into any device running iOS (there are unfortunately many such devices out there). This led us to allege that not only Microsoft and the NSA worked to enable back doors for secret access into Windows. Both Apple and Microsoft are in PRISM and both produce proprietary software onto which it’s trivial to dump back doors, both undetectable and immutable.

Weeks ago we showed that Microsoft does not strive to make Windows secure, based on its very own actions whenever the public is unaware of the insecurities (only the NSA/GCHQ and the reporter/s are 'in the know'). Now we come to realise that Apple too — like Microsoft — did not close back/bug doors in Mac OS X for 90 days despite knowing about them. This isn’t a 0-day, it is a 90-day. It’s incompetence, negligence and might one even say deliberate sabotage by Apple. Apple just chose to leave the serious flaws intact until it was too late because the public found out about it, owing to Google.

Do not let the Wintel-centric media blame Google for merely informing the public that proprietary operating systems like Windows and Mac OS X have holes in them that Microsoft and Apple refuse to patch. We should generally be thankful for this information. It says quite a lot about Microsoft’s and Apple’s priorities. It helps prove China right for banning Windows and Apple operating systems in government.

There is increasing consensus that Apple is going down the bin when it comes to users’ trust and browsing the Net these days I often read or hear from people who abandon Apple for GNU/Linux. Suffice to say, based on public appearances, the NSA is intimately involved in the build process of OS X (for a number of years now), which does make one wonder.

01.22.15

Microsoft Symptoms of a Dying Company: More Boosters Depart, Back Doors Revealed, Microsoft’s Outlook Cracked

Posted in Microsoft, Security, Vista 10, Windows at 12:15 pm by Dr. Roy Schestowitz

Journalists currently under heavy barrage from Microsoft marketing (outsourced and in-house)


Summary: Bad news for Microsoft shortly before the marketing extravaganza served to cover much of it up

IF YOU believe the hype (Microsoft has been talking about it for nearly 2 years), you will easily believe that Vista 10 is the return of Windows monopoly and supposed OS ‘leadership’, even though Microsoft is shrinking along with its notorious back doors and criminal behaviour (less Microsoft means less crime).

Those of us who have watched Microsoft closely for years saw a lot of the company’s boosters ebbing away. Microsoft laid off a lot of marketing people. It’s a ‘luxury’ it cannot afford anymore as breaking/infiltrating the media is not cheap. Last week we learned that Paul Thurrott left as well; he had been one of Microsoft’s leading boosters and now, according to a source of ours, he “[p]robably moved to be able to change focus, adding FUD against non-Microsoft stuff in the guise of coverage. This is how far he has gone.” (notice the usual and typical propaganda we have been seeing for weeks now).

Some falsely claim that Android is losing share and others try to paint Windows as running Android apps even though it cannot. That is the type of FUD we have been debunking here for years. This FUD is not dead yet. Just notice the patterns, part of the PR campaign perhaps. If many people repeat the same lie in unison, then the lie gains legitimacy. Just watch Microsoft’s propaganda network 1105 Media trolling FOSS yet again over ‘security’ (only yesterday). A lot of this PR/FUD started last April when a Microsoft-connected firm gave a name and a logo to a bug in OpenSSL. It did it exactly when Windows XP ran out of support (i.e. left totally vulnerable to crackers).

Either way, Microsoft boosters continue to be dissolved. We used to see many more FUD attacks on GNU/Linux or Free software several years ago and as Soylent News put it: “Longtime Microsoft-centric journalist and blogger Paul Thurrott has left Supersite for Windows, and the website he founded sixteen years ago, and its sister site Windows IT Pro, for reasons explained in his farewell post. The sites (the former of which is still branded ‘Paul Thurrott’s SuperSite for Windows’ for now, but that will surely change) will be maintained by a staff of journalists employed by Penton, an information services conglomerate.”

Microsoft very much relies on propaganda agents who blame Google for Microsoft's failings and incite against Microsoft’s top competitors (Chromebooks seem to be Microsoft’s nightmare at the moment, not just Google Docs and ODF). Consider this rebuttal from Thom Holwerda:

First, this article makes the usual mistake of calling these vulnerabilities “zero day”. They are not zero day. They are 90 day. A huge difference that changes the entire context of the story. Microsoft gets 90 days – three months – to address these issues.

The accusations against Google were repeated later, at around the beginning of last week (second time) and the end of last week (third wave). This is a totally insane accusation to make, but given that those blaming Google are longtime Microsoft boosters, one can expect it.

In other news, a new Bloomberg puff piece glamourises Microsoft privacy violations, milking the Paris shootings for Microsoft PR. What an unbelievably shallow puff piece; then again, it’s Bloomberg. In similar news, Outlook has been cracked [1]. Even Microsoft cannot maintain a state of security. Our source labelled it “clumsily done”. Maybe the back doors have taken their toll in the wrong country. That won’t be good for business.

Related/contextual items from the news:

  1. Microsoft Outlook hacked following Gmail block in China

    Microsoft’s Outlook email service was subject to a cyberattack over the weekend, just weeks after Google’s Gmail service was blocked in China.

    On Monday, online censorship watchdog Greatfire.org said the organization received reports that Outlook was subject to a man-in-the-middle (MITM) attack in China. A MITM attack intrudes on online connections in order to monitor and control a channel, and may also be used to push connections into other areas — for example, turning a user towards a malicious rather than legitimate website.

01.14.15

Microsoft — Like David Cameron — Attacking the Computer Security Industry

Posted in Microsoft, Security at 4:17 pm by Dr. Roy Schestowitz

Microsoft is essentially a snitching company, unconditionally serving those in power


Summary: Microsoft’s latest moves that help expose its real policy when it comes to computer security and people’s privacy

THE OTHER day we mentioned demands for back doors, which basically would make any piece of proprietary software (where back doors cannot be removed) utterly useless for any serious work because secure communication is a cornerstone of computing in a connected environment. We also mentioned Microsoft hiding many of its existing back doors even more aggressively, essentially telling users nothing about their easy-to-compromise systems.

This article from the British press says that this “move was criticised by some security professionals, who said it would hinder organisations’ ability to quickly test and deploy Microsoft’s updates.”

They should just quit relying on Windows. Sony can tell them how reliance on Microsoft Windows already caused it to be doxxed, potentially costing the company many billions of dollars in damages. One security-oriented professional “called the change, which was made with no advance notice, an “assault” on IT security teams.”

Microsoft “assaults” the IT security industry. It attacks security itself, too. To quote further from the article: “Other industry observers said the change may have resulted from a broad reorganisation at Microsoft that began in 2013 and included large-scale layoffs in the middle of last year, with the Trustworthy Computing security group shut down in September. The reorganisation is itself the result of a broad industry shift toward mobile devices which has diminished the importance of Microsoft products such as Windows.

“Prominent figures at MSRC have left Microsoft, including senior development manager Jonathan Ness and Dustin Childs, group manager of response communications. In November Microsoft discontinued a long-running webcast in which engineers gave details on the monthly updates.

“Microsoft said in a statement that while ANS is no longer public, the company may also “take the appropriate actions to reach customers” if it determines that “broad communication” is needed for a specific situation.”

So Microsoft Windows bug doors are becoming more secretive now. Nice timing given Cameron’s call for back doors in everything; he would be so proud. Remember that Microsoft tells the NSA (and hence GCHQ too) about these bug doors well before they are patched, even 3 months in advance (Microsoft does not bother to patch holes until much later, if ever).

GNU/Linux is completely different because the code is visible and everyone can patch holes as soon as they are revealed. There are huge software repositories for which source code is available, so even underlying applications — not just the operating system — can be fixed. On Windows it is a sordid mess of random downloads of binaries from the Web and so-called ‘crapware’ that comes preinstalled with Windows and often has malicious behaviour. As Jim Lynch put it the other day: “I guess the bottom line here is to try to avoid being the sucker by installing crapware in the first place, regardless of the operating system you are using. If you don’t understand or aren’t sure about what’s being installed THEN DON’T INSTALL IT on your system. And only install software from trusted sources that don’t engage in the freeware bundling shenanigans.”

Free software has none of these issues. The user is in charge.

Caspar Bowden, whom Microsoft fired for 'daring' to care about security and privacy, talks about Microsoft’s publicity stunt case (intended to make it look like Microsoft cares about security and privacy). He now says he hopes Microsoft’s publicity stunt will go down in flames and here is why: “His reasoning is that the US government can use other legal instruments, such as FISA 702 or Executive Order 12333, to brush aside such niceties as Safe Harbor or binding corporate rules (BCR) to get its hands on such data perfectly legally any time it likes, and as such the whole case is a smokescreen that actually suits both parties.

“”Even if Microsoft wins that case, and I hope they don’t because that’ll just shore up the whole rotten system, it will make no difference to surveillance by the NSA under FISA 702 or Executive Order 12333 [see below],” he told Computing.

“Bowden – who was the chief privacy adviser to 40 national technology officers at Microsoft before he was “let go” in 2011 after revealing what FISA 702 implies for the firm’s non-US customers – believes that this is all for show. It is part of a campaign of “cloudwashing” on the part of government and the industry, he says, that deliberately conflates data security – over which US cloud companies and their customers can take an active role – and government surveillance, over which, for legal reasons, they cannot. FISA 702 allows the US government to install surveillance apparatus inside the data centres of US companies. These interventions are covered by the espionage law, and anyone revealing their existence could face a lengthy jail sentence, as Yahoo’s Marissa Mayer revealed.”

Bowden is a Brit speaking about Ireland in the British press. We are happy to see him using the term “cloudwashing” — a term we have used a lot for years. A lot of the pro-cloud hype is about increasing surveillance; it’s often the business model. Always remember that Microsoft makes money from spying on users (government subsidies for the back door access), including in cases where this directly benefits Microsoft's business interests.

01.13.15

Microsoft’s Strategy for Dealing With Back Doors: Blame Google

Posted in Microsoft, Security, Windows at 12:57 pm by Dr. Roy Schestowitz

Closed doors keep the back doors out of sight and resistant to change


Summary: Microsoft willingly leaves Windows users exposed to costly attacks and surveillance, but its propaganda blames the messenger that warned Microsoft about the problem 3 months ago

BASED on Microsoft’s own actions, the company is not at all interested in security and as we last noted the other day, the company is now pulling out of (withdrawing) notifications of back doors, except for the NSA. One might guess this would appease British Prime Minister Cameron, who now openly calls for back doors in everything and a ban on everything without back doors, but will this appease the rest of us, including journalists (never mind banks) who require encryption for secure communication? We have put some related articles in our daily links for those who wish to know more.

For those who missed last week’s news, here is what the British press wrote: “MICROSOFT HAS ESCHEWED the first Update Tuesday, or ‘Patch Tuesday’, Advance Notification of the year to announce that it is killing off the Advance Notification Service (ANS) for the general public and, as such, from next month there will be no Advance Notification.”

This basically means that while the NSA, GCHQ etc. know about back doors (or bug doors) that are not patched, the rest of us will know nothing. Since it is secret proprietary code, there is nothing that can be done about it either.

Earlier this month there were also reports about Microsoft knowingly failing to patch a serious Windows flaw. It took Microsoft 3 months to actually do anything and when it did do something it was after Google had forced it to. It was Google that originally told Microsoft about this flaw 3 months ago. Here is what those whom a reader of ours insists on calling “Microsoft apologists” wrote about it. They basically blame it all on Google rather than chastise Microsoft for leaving a lot of Windows users vulnerable due to Microsoft’s own laziness. It is worth emphasising that “the problem was not fixed within 90 days.” That’s how much of a priority security is to Microsoft.

Amid the calls for encryption bans in the UK it is clear that everyone who cares about privacy should move to Free software. Software freedom is imperative for privacy because only when the code is free can one be sure there are no back doors and also remove any that exist. Proprietary software exercises unjust power and control over its user, as Richard Stallman said all along, and the calls to ban encryption in the UK reinforce Stallman’s views. Microsoft’s negligence and reluctance to patch known flaws which are very serious also prove Stallman’s point to be valid. It is almost as though Microsoft actually chose to leave users exposed. Remember that the so-called ‘Sony hack’ was due to use of Microsoft Windows, based on numerous reliable reports. Also remember that about half a decade ago Google prevented its staff from using Windows. That was due to recognition that Windows was Swiss cheese when it comes to security.

01.09.15

Another Reason to Boycott UEFI and Proprietary Software From Microsoft: Insecurity

Posted in Microsoft, Security at 12:27 pm by Dr. Roy Schestowitz

Summary: Some blobs like Microsoft’s Windows patches and the binary-level UEFI ‘validation’ do not and cannot provide real security, only insecurity in disguise

THE ‘PROMISE’ of UEFI ‘secure’ boot is as ludicrous as Microsoft's claims that it pursues security. UEFI does nothing real for security; in fact, it once again does the very opposite. Quoting the news:

A pair of security researchers have found a buffer overflow vulnerability within the implementation of the unified extensible firmware interface (UEFI) within the EDK1 project used in firmware development.

Bromium researcher Rafal Wojtczuk and MITRE Corp’s Corey Kallenberg said the bug in the FSVariable.c source file was linked to a variable used to reclaim empty space on SPI flash chips.

According to other news, as told (spun) by a Microsoft booster, “Microsoft’s advance security notification service no longer publicly available”. The booster says that “Microsoft is taking its Advance Notification Service private, claiming the change is due to changes in the way users want their advance security notifications.” Microsoft surely tells the NSA about ways to hijack/wiretap Microsoft software, so it’s a matter of privilege, not some company-wide policy.

How does the above serve users? It doesn’t. This is about Microsoft, not users. Users will be left even more vulnerable. As Pogson correctly points out, “There are no Patch Tuesdays with Debian GNU/Linux so the bad guys are no further ahead. We can all get Debian’s patches as soon as they generate them and we can usually install the updates on running systems with no adverse consequences, like a re-re-reboot.”

Moreover, in large corporations in particular, patching code internally is possible, as is relying on third parties. Don’t ever trust security at binary level, such as large blobs being sent that are supposedly ‘patched’ or some opaque board giving ‘approval’ before the running of a binary blob, most likely based on some cryptic signature approved by unknown people for unknown reasons (usually employees of companies that work with the NSA). Real security emanates from transparency, which breeds trust and provides the ability for one to study and patch one’s own programs (or rely on others to do so using their specialised skills).

“Anyone wonder why the Microsoft SQL server is called the sequel server? Is that because no matter what version it’s at there’s always going to be a sequel needed to fix the major bugs and security flaws in the last version?”

Unknown
