“I don’t want a back door. I want a front door.” — Director of the National Security Agency (NSA), April 2015
Summary: Microsoft Windows continues to be inherently insecure, at the very least because Microsoft worked to make intrusion possible by shady agencies that operate outside the law (much like cyber gangs)
IT IS no secret that Microsoft works closely with the NSA and other Five Eyes agencies. It is also no secret that Stuxnet, widely reported to have been built by the NSA together with Israeli intelligence, targets Microsoft Windows. After it had hit its targets in Iran it ‘spilled out’ and caused damage in many countries (we covered examples). Once the exploits were loose, the back doors Microsoft had left for espionage agencies were soon used by the “bad guys” as well (not that espionage agencies can be described as “good guys”). There is no substitute for verifiable security and strong encryption. People who sell “Golden Key” dreams are non-technical war-loving liars. Based on this new article (Dan Goodin finally targets Microsoft for a change, having repeatedly bashed just Free software), a new Windows “exploit is reminiscent of those used to unleash Stuxnet worm.” The shortcut hole Stuxnet used was CVE-2010-2568, supposedly fixed by MS10-046 in 2010; the 2015 story is that the fix was incomplete, and what remained of the hole was patched five years later as CVE-2015-0096 (MS15-020). To quote Goodin: “The vulnerability is reminiscent of a critical flaw exploited around 2008 by an NSA-tied hacking group dubbed Equation Group and later by the creators of the Stuxnet computer worm that disrupted Iran’s nuclear program. The vulnerability—which resided in functions that process so-called .LNK files Windows uses to display icons when a USB stick is plugged in—allowed the attackers to unleash a powerful computer worm that spread from computer to computer each time they interacted with a malicious drive.”
A design in which merely drawing the icons of the files on a USB stick can load and run code from that stick is clearly not a design made by security professionals. Other holes in the same shortcut-handling code have been reported for over a decade, and Microsoft’s fixes keep turning out to be partial. According to last year’s explosive report, titled “N.S.A. Devises Radio Pathway Into Computers”, the NSA “relies on a covert channel of radio waves that can be transmitted from tiny circuit boards and USB cards inserted surreptitiously into the computers.”
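To make the icon-rendering point concrete, here is an added example in Python (it is not code from the article, from Microsoft or from the researchers Goodin cites): a minimal parser for the Shell Link (.LNK) binary format that flags shortcuts whose target item list or icon location names a library file, which is the shape of the 2010 exploit (the shell loaded a Control Panel DLL merely to draw the icon). The two sample shortcuts are constructed for the example, and the list of ‘trusted’ icon-library locations is a heuristic assumed here, not a Microsoft rule.

```python
import struct

# LinkCLSID 00021401-0000-0000-C000-000000000046 as it is stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST = 0x01
HAS_LINK_INFO = 0x02
IS_UNICODE = 0x80
# StringData fields, in the order the format stores them
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
LIBRARY_SUFFIXES = (".dll", ".cpl", ".ocx")
# Heuristic (assumed here, not a Microsoft rule): icon libraries under these
# prefixes are ordinary; a library anywhere else is worth flagging.
TRUSTED_ICON_PREFIXES = ("%systemroot%\\", "%windir%\\", "c:\\windows\\")


def parse_lnk(data):
    """Return the link flags, the raw item IDs and the decoded string fields."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad header size")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad CLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    link = {"flags": flags, "idlist": [], "strings": {}}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:
        (size,) = struct.unpack_from("<H", data, pos)
        pos += 2
        end = pos + size
        while pos + 2 <= end:
            (item_size,) = struct.unpack_from("<H", data, pos)
            if item_size == 0:          # TerminalID closes the list
                break
            link["idlist"].append(data[pos + 2:pos + item_size])
            pos += item_size
        pos = end
    if flags & HAS_LINK_INFO:           # skipped: volume/path info, not needed here
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        width = 2 if unicode else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        link["strings"][name] = raw.decode("utf-16-le" if unicode else "cp1252", "replace")
    return link


def _text_views(blob):
    """Yield the blob read as ANSI and, if even-length, as UTF-16LE (lower-cased)."""
    yield blob.decode("latin-1").lower()
    if len(blob) % 2 == 0:
        yield blob.decode("utf-16-le", "ignore").lower()


def suspicious_lnk(data):
    """Return the reasons a link looks like an icon-loading exploit (empty if none)."""
    link = parse_lnk(data)
    reasons = []
    for item in link["idlist"]:
        if any(s in view for view in _text_views(item) for s in LIBRARY_SUFFIXES):
            reasons.append("item ID list names a library (the shell loads it to draw the icon)")
            break
    icon = link["strings"].get("icon_location", "").lower().replace("/", "\\")
    if icon.endswith(LIBRARY_SUFFIXES) and not icon.startswith(TRUSTED_ICON_PREFIXES):
        reasons.append("icon location is a library outside the Windows directory: %r" % icon)
    return reasons


def build_lnk(idlist_items=(), **strings):
    """Assemble a minimal Unicode shell link (construction helper for the samples)."""
    flags, body = IS_UNICODE, b""
    if idlist_items:
        flags |= HAS_LINK_TARGET_IDLIST
        items = b"".join(struct.pack("<H", len(i) + 2) + i for i in idlist_items) + b"\x00\x00"
        body += struct.pack("<H", len(items)) + items
    for bit, name in STRING_FIELDS:
        if name in strings:
            flags |= bit
            body += struct.pack("<H", len(strings[name])) + strings[name].encode("utf-16-le")
    header = struct.pack("<I16sIIqqqIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + body


# Constructed samples: an ordinary shortcut, and one shaped like the 2010 exploit
# (an item whose data names a library on a remote share, plus an icon pointing at it).
BENIGN_LNK = build_lnk(idlist_items=(b"\x31\x00notepad.exe\x00",),
                       relative_path="..\\Windows\\notepad.exe",
                       icon_location="%SystemRoot%\\system32\\notepad.exe")
PAYLOAD_PATH = "\\\\attacker\\share\\payload.dll"
MALICIOUS_LNK = build_lnk(idlist_items=(b"\x00\x00" + PAYLOAD_PATH.encode("utf-16-le") + b"\x00\x00",),
                          icon_location=PAYLOAD_PATH)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("malicious", MALICIOUS_LNK)):
        print(label, suspicious_lnk(blob) or "clean")
```

Run it as a script to print the verdict for both samples. It deliberately skips LinkInfo and ExtraData and decodes an ANSI link as cp1252, so it is a scanner skeleton rather than a full implementation; the point it makes is where in the file the dangerous path lives and why a scanner has to read item IDs as UTF-16 as well as ANSI.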
The media may go on about how Microsoft no longer delivering security patches (for Windows Server 2003) is an issue, but if Microsoft tells the NSA about holes before patching them, what difference does it make? All versions of Windows, no matter how up to date they are, are vulnerable, and that is not an accident. “Both Microsoft and HP were insistent [that] companies that hadn’t refreshed [Windows Server 2003] after 14 July,” said the report, “are exposing themselves to all sorts of security attacks, and that up-to-date patches and firmware are needed.”
No, their first mistake is that they use Windows at all (never mind Windows Server, and irrespective of the version). Windows is not designed to be secure. It has back doors and front doors. GNU/Linux is designed for security from the ground up and if one does not believe it, one can freely scrutinise the code. █
“The continuous and broad peer-review enabled by publicly available source code supports software reliability and security efforts through the identification and elimination of defects that might otherwise go unrecognized by a more limited core development team.”
–CIO David Wennergren, Department of Defense (October 2009)
“[W]e’re not going to have products that are much more successful than Vista has been.”
Summary: The media continues to mock Vista 10 ‘features’ (and by extension Microsoft) for their gross privacy violations while Microsoft boosters try to create an illusion that Microsoft wants to improve security, despite creating back doors for rogue government agencies
BASED on some of the very latest Web statistics, the adoption rate of Vista 10 is very poor, especially when one considers how hard it has been pushed. Vista 10 surprised many people when it was served to the public (final release) with all the surveillance built in, as if every user (or buyer) were a beta tester for Microsoft, expected to endlessly send input back to Microsoft for debugging purposes (even keystrokes!). What started with some blogs and privacy groups ranting about Vista 10 is now a major story in much of the media.
WND, a GOP-centric site, complains about Vista 10 and goes with the headline “Windows 10 spies on emails, images, credit cards, more”. Linux Veda says that “Microsoft are abusing their users and we could do with a useful tool to restrict this.”
You know that Vista 10 is broken when people (both developers and non-developers) desperately try to ‘fix’ it, as is widely reported in the media right now. Some people reportedly abandon it (to go back to older Windows or to move to GNU/Linux). Since Vista 10 is proprietary software, there is no way to fix it or even to verify that it does not send personal data to Microsoft (silently, with or without encryption). Flipping Microsoft’s own privacy toggles is an act of faith; nobody outside Microsoft can check what they actually do.
Twitter’s Microsoft spam (paid for by Microsoft) now reaches shamelessly high levels: “sponsored” Microsoft propaganda is appended even to hashtag pages, labelled “top news” and linking to Bing shortcuts posted by Microsoft’s professional buddies. We have already complained about how Twitter was helping Microsoft promote Vista 10 (these two companies have been working together for a long time [1, 2, 3, 4, 5]).
Much of Microsoft’s ‘damage control’ (notably on Twitter) is just linking to articles which suggest ‘fixes’, as if privacy in Vista 10 can be easily sorted out. The ToryGraph says that “Microsoft is collecting user account information, credit card details and passwords,” but then goes soft on Microsoft. An article by Steven J. Vaughan-Nichols refers to those concerned about privacy violations in Vista 10 as “paranoid”. TechRadar, which so often delivers Microsoft spin, tries to advise readers not by telling them to steer away from Vista 10 but rather to ‘fix’ it. A better article came from Andrew Orlowski, who called Vista 10 “a clumsy, 3GB keylogger.” In his article titled “Microsoft vacates moral high ground for the data slurpers’ cesspit” (showing, if not emphasising, Microsoft’s hypocritical attacks on Google) Orlowski wrote: “A funny thing happened while I was reinstalling Windows 8 over Windows 10 yesterday morning. There in front of me, halfway through the installation process, were two full, clear pages of privacy toggles. Every toggle was set to not send private information to Microsoft, or anyone else.
“In addition, Windows 8 created a local user account by default – and didn’t demand I maintain a constant, umbilical connection to Microsoft’s servers. Windows 8 was configured for maximum privacy. Now compare this to the indiscriminate data slurp that Microsoft calls Windows 10. It’s basically a clumsy, 3GB keylogger.
“It’s often said that with data protection and privacy, we’re like lobsters: we don’t notice the water getting warmer and warmer, until we’re boiled alive. So it’s been with Windows. Windows 8.1 didn’t show you clear choices or screens with privacy toggles anymore, but invited you to agree to either “Express Settings” for privacy (wow: cool, convenient) or “Customise” them (there be monsters). It respected your local user account, but then bullied you into switching to the umbilical when you accessed the Store. Windows 10 makes the Customise option so small it looks like the trademark notice, and even then, the defaults are set to send everything to Microsoft, and only allow you to control the data slurp partially. Local user accounts are so buggy in Windows 10 that you’ll probably switch to always-being-slurped anyway.”
“It’s time we owned our own data,” says this new article, quoting what it called a “Silicon Valley truism.”
“If you’re not paying, you’re the product” is the truism. Microsoft has turned users of Windows into useds, or products. Microsoft is intensifying its relationship with the NSA while many other companies try to distance themselves from it. Microsoft does not strive to offer security at all, despite its empty claims to the contrary (like the show trial over data held in Ireland). IDG’s Microsoft boosters and Microsoft-affiliated writers (Microsoft MVP J. Peter Bruzzese in this particular case) prop up the illusion of Microsoft as an advocate of “security”, but it is just Microsoft marketing shrewdly disguised as “articles”, or Microsoft MVPs acting like external staff (watch this Microsoft advocacy site having a go too). Vista 10 ought to end any pretense that Microsoft cares about security.
Remember that Microsoft did not fix a serious Windows flaw for three months, despite Google urging it to. The above ‘articles’ (from Microsoft mouthpieces) are just part of the publicity stunt. Microsoft is not bothering to fix critical flaws that it knows about and tells the NSA about (essentially giving back door access to all versions of Windows, as usual). Vista 10 takes all this to unprecedented new levels and lets spies track Windows users in real time (even their keystrokes!). It also ships passwords off the machine: Wi-Fi Sense hands Wi-Fi passwords to Microsoft’s servers for sharing, and device-encryption recovery keys are uploaded to the user’s Microsoft account (supposedly for ‘recovery’). █
“There’s no company called Linux, there’s barely a Linux road map. Yet Linux sort of springs organically from the earth. And it had, you know, the characteristics of communism that people love so very, very much about it. That is, it’s free.”
–Steve Ballmer, Microsoft’s CEO at the time
Summary: Corporate media helps stigmatise Free/Open Source software as unsuitable for commercial use and once again it uses the ‘security’ card
SEVERAL days ago in our daily links we included two articles that used the term “commercial software” (to mean proprietary software). Both cited Synopsys. It is amazing that even in 2015 there are some capable of making this error, maybe intentionally. Commercial software just means software that is sold or used commercially. A lot of it is Free/Open Source software (the corporate media prefers the term “Open Source” to avoid discussion about the F word, “freedom”).
Yesterday we found yet another headline which repeats the same formula (as if they had all received the same memo), calling proprietary software “commercial software”, thereby reinforcing the false dichotomy and the stigma of Free software. “Looking at our Java defect density data through the lens of OWASP Top 10,” says Synopsys, “we observe that commercial software is significantly more secure than open source software.”
Another article from yesterday reminded us that Free software takes security very seriously and that top/leading Free software projects are widely regarded (even by Coverity) as more secure than proprietary counterparts. Oddly enough, Synopsys links to a “Coverity Scan Open Source Report 2014”, not 2015, and the report sits behind a registration wall, so it is hard to check whether these headlines tell the whole story or just part of it. The analysis itself is done by proprietary software, whose methods are basically a secret, and a static analyser’s “defect density” counts what that analyser flags, not what is exploitable; the figure also depends heavily on which projects and which code were scanned. Go figure…
We recently saw some very gross distortions where security issues in proprietary software got framed as Free software issues. As we have repeatedly demonstrated and stressed over the past year and a half, there seems to be a campaign of FUD, ‘branding’, and logos (the latest, ‘Stagefright’, targeted at Android/MMS) whose goal is to create or cement a damaging stereotype while always ignoring back doors and even front doors in proprietary software (now out in the open because of the British Prime Minister and the ringleader of the FBI). █
“I don’t want a back door. I want a front door.” — Director of the National Security Agency (NSA), April 2015
Summary: Vista 10 to bring new ways for spies (and other crackers) to remotely access people’s computers and remotely modify the binary files on them (via Windows Update, which for most people cannot be disabled)
MICROSOFT never cared about security. A former Windows manager, Brian Valentine, said explicitly that Microsoft products “just aren’t engineered for security.” Last year we also showed how back in the 1990s Bill Gates and his staff had already collaborated quite intimately with the NSA, well before Snowden’s NSA and GCHQ leaks helped confirm this (with hard evidence and subsequently media reports).
The Apache Software Foundation (ASF), which is unfortunately headed by a guy from Microsoft, is getting into bed with the NSA right now, despite the negative publicity that may come with such a move. Microsoft, much to our surprise, is still working with the NSA on Windows, and it does this for Vista 10 as well. One new article about Microsoft’s purchase of an Israeli (i.e. spy-friendly, as we explained days ago) company says that “[a] big reason for this is the company’s collaboration with the National Security Agency (NSA).”
Microsoft is still betting that enough people foolishly believe NSA collaboration is ‘for security’ rather than for ‘national security’, i.e. back doors. A Windows-powered site reminded us some days ago that the NSA “worked with Microsoft on security aspects of the Windows 7 operating system and later for Windows 8 and 10.”
Yes, Microsoft still keeps the NSA in the picture. This actually surprised us because it’s a PR disaster. Why does Microsoft still want to be seen working in collusion with the NSA? In proprietary software, back doors or “national security”, i.e. not real security, are the cause of many costly issues. Software is designed to be penetrable rather than secure. Is there anyone who still honestly thinks that Vista 10 won’t have back doors? Microsoft never stopped its relationship with the NSA and it is obviously still working with the NSA, despite knowing the negative publicity this can bring. A Darwin Award goes out to anyone who still thinks that Microsoft is not helping the NSA exploit its software (because “national security” and other such excuses), despite the Snowden-provided documents that show exactly that.
Earlier today the developer of GNU Telephony wrote that at Microsoft “they created the perfect environment for such demands to be met, forced updates is a front door for govt malware and spying” [and indeed, as The Register revealed last week, Microsoft has even removed the ability to stop or block these updates in most “editions”. Over ten years ago it was already reported that even when automatic updates are toggled off, Windows Update still updates itself.]
Looking back at news only a few days old, HP has reported four new vulnerabilities in Internet Explorer, and not for the first time. To quote IDG: “HP’s Zero Day Initiative (ZDI) doesn’t cut much slack with its 120-day disclosure policy. When ZDI knocks on your door and says you have a security hole, you get 120 days to fix it or risk full public disclosure. That’s what happened — again. With ZDI and Microsoft — again. Over Internet Explorer — again.”
“The only way to avoid MSIE is to ditch Windows since it is built-in and impossible to remove” iophk said to us. Will Hill wrote: “There are still vendor-supplied, IE6-specific pieces of software that will not work outside of IE. One of my vendors at work told me one of their pieces of software might work with IE8 but no other browser, including the IE 11 that Microsoft had shoved onto most of the computers. This just highlights the fact that vendors who use Microsoft don’t care about their customers and that Microsoft does not care about anyone.”
Going only three days back, there is this news that Hacking Team helps governments take over Microsoft Windows through back/bug doors, exploiting fonts; Microsoft’s out-of-band MS15-078 fix (CVE-2015-2426) addressed the OpenType font hole taken from the Hacking Team dump. “Unpatched systems,” wrote Paul Hill, “can be affected if the user opens a document or webpage that contains an embedded OpenType font file. As the font drivers in Microsoft systems [run] in kernel mode it means that an attacker could gain access to the entire system with the ability to add and remove programs and create new user accounts with admin privileges.”
Windows has suffered from other font-related holes recently, and not for the first time either: win32k has parsed fonts in kernel mode since Windows NT 4.0 in 1996 (the Adobe Type Manager driver, atmfd.dll, sits there too), so a malformed font embedded in a document or a Web page is a route straight to ring 0. It’s an easy access point for the NSA into Windows (Microsoft tells the NSA before patching such holes). All versions of Windows are vulnerable, and such holes have been found, and left unfixed, for decades.
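As an added example (again not code from the article, from Hacking Team or from Microsoft), the following Python check shows the kind of gate a document pipeline can put in front of a kernel-mode font parser: it validates the OpenType/TrueType table directory (the public sfnt layout) and rejects files whose tables run past the end of the file, overlap, are misaligned or fail their checksums. The sample fonts are constructed from a handful of bytes and are not real fonts; the list of checks is the editor’s own and is not a complete font validator.

```python
import struct

SFNT_VERSIONS = (b"\x00\x01\x00\x00", b"OTTO", b"true")
OFFSET_TABLE = ">4sHHHH"   # sfntVersion, numTables, searchRange, entrySelector, rangeShift
TABLE_RECORD = ">4sIII"    # tag, checkSum, offset, length


def table_checksum(content):
    """Sum of big-endian uint32 words over the table padded to 4 bytes."""
    padded = content + b"\x00" * (-len(content) % 4)
    return sum(struct.unpack(">%dI" % (len(padded) // 4), padded)) & 0xFFFFFFFF


def validate_sfnt(data):
    """Return the problems found in the table directory (empty list = passes)."""
    problems = []
    if len(data) < 12:
        return ["shorter than the 12-byte offset table"]
    version, num_tables, search_range, entry_selector, range_shift = struct.unpack_from(OFFSET_TABLE, data, 0)
    if version not in SFNT_VERSIONS:
        problems.append("unknown sfnt version %r" % version)
    # The three search fields are derived from numTables; a mismatch is a tampering smell.
    power = 1
    while power * 2 <= max(num_tables, 1):
        power *= 2
    expected = (power * 16, power.bit_length() - 1, num_tables * 16 - power * 16)
    if (search_range, entry_selector, range_shift) != expected:
        problems.append("searchRange/entrySelector/rangeShift inconsistent with numTables")
    dir_end = 12 + 16 * num_tables
    if dir_end > len(data):
        return problems + ["directory of %d entries overruns the file" % num_tables]
    spans, seen = [], set()
    for i in range(num_tables):
        tag, stored_sum, offset, length = struct.unpack_from(TABLE_RECORD, data, 12 + 16 * i)
        if tag in seen:
            problems.append("duplicate table %r" % tag)
        seen.add(tag)
        if offset % 4:
            problems.append("table %r not 4-byte aligned" % tag)
        if offset < dir_end:
            problems.append("table %r starts inside the directory" % tag)
        # Subtract rather than add: offset + length wraps in 32-bit C code, which is
        # exactly how a huge length slips past a naive bounds check.
        if offset > len(data) or length > len(data) - offset:
            problems.append("table %r (offset %d, length %d) runs past end of file" % (tag, offset, length))
            continue
        if tag != b"head" and table_checksum(data[offset:offset + length]) != stored_sum:
            problems.append("table %r checksum mismatch" % tag)   # head holds checkSumAdjustment
        spans.append((offset, offset + length, tag))
    spans.sort()
    for (a_start, a_end, a_tag), (b_start, b_end, b_tag) in zip(spans, spans[1:]):
        if b_start < a_end:
            problems.append("tables %r and %r overlap" % (a_tag, b_tag))
    return problems


def build_sfnt(tables, version=b"OTTO"):
    """Assemble a well-formed sfnt from {tag: bytes} (construction helper for the samples)."""
    n = len(tables)
    power = 1
    while power * 2 <= n:
        power *= 2
    header = struct.pack(OFFSET_TABLE, version, n, power * 16, power.bit_length() - 1, n * 16 - power * 16)
    offset = 12 + 16 * n
    directory, body = b"", b""
    for tag, content in sorted(tables.items()):
        directory += struct.pack(TABLE_RECORD, tag, table_checksum(content), offset, len(content))
        padded = content + b"\x00" * (-len(content) % 4)
        body += padded
        offset += len(padded)
    return header + directory + body


# Constructed samples: a minimal well-formed container and two tampered copies.
GOOD_FONT = build_sfnt({
    b"head": b"\x00\x01\x00\x00" + b"\x00" * 50,                    # 54-byte head, contents irrelevant here
    b"cmap": b"\x00\x00\x00\x01\x00\x03\x00\x01\x00\x00\x00\x0c",
    b"CFF ": b"\x01\x00\x04\x01",
})


def _patch_record(font, index, field, value):
    """Overwrite one uint32 field (1=checksum, 2=offset, 3=length) of directory entry `index`."""
    buf = bytearray(font)
    struct.pack_into(">I", buf, 12 + 16 * index + 4 * field, value)
    return bytes(buf)


# Entry 1 is 'cmap' (records are tag-sorted: 'CFF ', 'cmap', 'head').
OVERRUN_FONT = _patch_record(GOOD_FONT, 1, 3, 0xFFFFFFF0)   # a length that wraps in 32-bit arithmetic
OVERLAP_FONT = _patch_record(GOOD_FONT, 1, 2, 60)            # cmap moved on top of 'CFF ' at offset 60

if __name__ == "__main__":
    for label, font in (("good", GOOD_FONT), ("overrun", OVERRUN_FONT), ("overlap", OVERLAP_FONT)):
        print(label, validate_sfnt(font) or "passes")
```

The bounds test is written as `length > len(data) - offset` on purpose: the equivalent-looking `offset + length > len(data)` silently wraps in 32-bit C, and `OVERRUN_FONT` carries exactly the sort of length (64 + 0xFFFFFFF0 wraps to 48) that passes the wrapped version. Checks like these do not replace a patched kernel driver, but they keep the most obvious malformed inputs out of it.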
What will the world look like after this back doors ‘leader’ and ‘champion’, Microsoft, is gone for good? Well, we need to ensure that NSA partners like Red Hat [1, 2, 3, 4, 5] don’t compromise GNU/Linux, too. Social engineering, bribes, blackmail, anonymous patches, etc. are the classic tricks of this trade. █
The “legally-binding” and “transparency” conundrums grossly distorted
Summary: News sites mislead their readers, teaching them that the biggest dangers associated with proprietary software are in fact problems exclusive to Free/libre Open Source software
FOR Microsoft to ever pretend to care about security would basically mean to lie, blatantly. Microsoft works hand in glove with the NSA and it has, on numerous occasions, admitted that true security isn’t the goal. Its actions, too, show this repeatedly. Known flaws (holes, bug doors, or whatever one calls them) are not being patched unless the public finds out about them.
In order to bolster security perceptions and to give an illusion that Microsoft actually cares about security and invests in it, the company has just hired some staff in Israel (acquisition is another way to frame this). The media calls it a “security provider”, but given Israel’s record on back doors, cracking (e.g. Stuxnet development), wiretapping etc. this is rather laughable. A lot of Microsoft’s so-called ‘security’ products are made in Israel, and some companies in this military-driven industry facilitate and cater for spies using back doors, usually under the guise of ‘security’ (they mean “national security”). We wrote about this in past years.
We were rather disturbed to see this bizarre article yesterday. Titled “Hackers targeting .NET shows the growing pains of open source security”, the article is a big lie, and the headline most of all. The .NET Framework that ships with Windows is still proprietary (only .NET Core and a read-only ‘reference source’ were released in 2014); it has holes in it, and some fool uses them to call Free/libre software “not secure”. Let’s assume for a second that .NET code becoming visible to the world does expose many holes. That proves exactly the opposite of what the headline says: keeping the code secret assured low-quality, vulnerable code, and once it was shown to the world the holes started being exploited. Security through obscurity is a myth that merely encourages people to rely on poorly implemented programs with shoddy security, whereupon developers choose to hide the ugliness of the code. A lot of the claims in the article come from a FOSS foe, Trend Micro, but framed correctly they show that a public audit of .NET now reveals just how terrible proprietary software can be when it has never been subjected to outside scrutiny.
In other disturbing headlines we find another inversion of the truth. The Business Software Alliance (BSA), or the EULA police, has done a lot to show how dangerous proprietary software licences can be. Nevertheless, Slashdot, with its pro-Microsoft slant as of late [1, 2], gives a platform to Christopher Allan Webber.
“Is this another false ‘I really like the GPL except’ post?” a reader asked us. To quote the author: “The fastest way to develop software which locks down users for maximum monetary extraction is to use free software as a base” (oh, yes, those greedy Free software developers!)
The article has a misleading/provocative headline (hence we provide no direct link) and Bruce Perens, who had already accused Black Duck of FUD against the GPL (“I think it’s 100% B.S.,” he said three years ago), responded to the piece by stating:
I help GPL violators clean up their act, it’s my main business.
Every one has had a total lack of due diligence. I will come in and find that they have violated the licenses of 21 proprietary software companies (this is a real customer example) by integrating their code into their main product, just like the GPL code. Some of them only had an “evaluation” license, some not even that, some wildly violated the terms of any license they got.
Most of them are in Silicon Valley. They seem to have the attitude that they will clean up their legal problems when they’re rich, and nothing but getting their product out of the door matters until then.
They don’t ask me to feel sorry for them. I bill them a lot, and in the end, they’re clean and legal.
When it comes to legal risk and licensing, nothing beats proprietary software. It’s risky, it’s expensive (lock-in makes the exit barriers considerably higher), and it is very hard to obey or comply with, especially when you are low on staff and funds (licences must be renewed and counted all the time). Contrariwise, it is comparatively easy to comply with copyleft: there are no renewal fees and no licence counts to track. What is required is to keep the licence notices, pass on the same freedoms, and provide the corresponding source for the copylefted code you distribute. The rules are few and they are public. █
Not the Rackspace we once knew…
Summary: Rackspace adds proprietary spyware to its premises, hence reducing confidence in its ability to secure whatever is on the racks (security or perceived security severely compromised)
OVER the past few months I have confronted Rackspace on numerous occasions because they were promoting (even by mass-mailing without consent) proprietary software. This was done repeatedly, even after I had asked them to stop and they said they had taken action. That’s really quite a shame because Rackspace’s patent policy is commendable and their support team is quite technically competent. The PATRIOT Act was always quite a problem (they’re subject to secret warrants and cannot notify customers), but nevertheless they had a good track record. Now they are throwing it all away.
According to this article, Rackspace, which was traditionally about GNU/Linux, has climbed into Microsoft’s bed. Rackspace says: “We’re pleased to expand our relationship with Microsoft and the options we provide for our customers by offering Fanatical Support for Azure”. The company is based at 1 Fanatical Place, which probably explains the name. Reading further down the article we learn about “Rackspace’s Private Cloud that will be powered by Microsoft’s cloud platform Azure.” They must be out of their minds!
Rackspace makes a laughing stock of itself. What a dumb move.
Rackspace ought to know better, for no deployment of Windows in its datacentre can ever do any good. It is a threat to other guests and to the hypervisors, even down to the hardware. UEFI, promoted by the NSA’s leading partner, is targeted by Hacking Team, and Microsoft Windows too is a target. To make matters worse, Microsoft is now leaving almost 200 million useds [sic] exposed. As The Register has just put it, “Windows XP holdouts are [in] even more danger than ever after Microsoft abandoned anti-malware support for the ancient platform.
“Redmond overnight stopped providing XP support for new and existing installs of its Security Essentials package.”
NSA surveillance of Windows is ever more trivial, not just because Microsoft constantly tells the NSA how to crack Windows (before patching flaws). The threat of Windows is contagious because it can spread to other platforms that share the same datacentre, network, and hardware; the weakest links are targeted to gain entry. Recall Pedro Hernandez with his Azure marketing (trying to convince GNU/Linux users to host with Microsoft), shameless marketing which was soon followed by other sites (promoted by Microsoft-centric sites, some of which receive money from Microsoft, but alas, this was also noted by pro-Linux writers at Softpedia News). Any datacentre which gets ‘contaminated’ with Windows is no longer trustworthy; it should be deemed insecure because Microsoft deliberately adds flaws (back doors) to Windows. There are numerous technical reasons for this and we have covered them before. UKFast, for example, a large UK-based host, once told me (I spoke to the CTO) that they use Hyper-V (proprietary, and Windows) to host GNU/Linux. The hypervisor sits beneath every guest and can read and write all of their memory and disks, so an unauditable hypervisor is a back door into every GNU/Linux guest running on it, and I have confronted them over this. They never came up with a response that inspired any confidence.
Microsoft is now trying to make Apache software Windows- and Azure-tied, as British media now serves to remind us, and there is new additional bait to attract gullible people.
Don’t ever think that Windows can be contained or compartmentalised ‘away’ from Free software. Once a company starts to mix proprietary software with GNU/Linux (e.g. Hyper-V, or VMware, which is tied to RSA through their common parent EMC) security is evidently lost, because the stack as a whole can no longer be audited. Novell made some initial steps in this direction back in 2006 and now we have Rackspace. The company cannot be trusted anymore. Rackspace’s business has back doors in it. █
Summary: Researchers find holes in the United Airlines Web site, which runs on Microsoft software, and are paid in air miles, but the corporate media ignores the role of the underlying platform
“United hackers given million free flight miles,” says the BBC right now, reporting that researchers who found holes in United’s systems were rewarded with a million miles each under the airline’s bug bounty programme. Go to the United Airlines Web site and you will immediately see that it runs on Microsoft’s stack (.aspx is exposed in the front page URL, which is needless information disclosure in its own right). The site hides behind Akamai (whose edge servers run GNU/Linux), but it still shows a lot about the back end. The reports do not say what the holes were, so how much of the blame lies with Microsoft’s frameworks and how much with the application code written on top of them cannot be told from the outside.
This comes at an interesting time because, to quote other British media, “Microsoft Ends Windows Server 2003 Support But What Now?”
Well, any company that still chooses Microsoft for hosting a public-facing site would have to be dumb or seriously irresponsible. Microsoft is now hoping to also become the host of GNU/Linux sites. Microsoft’s booster Pedro Hernandez re-announces Microsoft propaganda right now (“Microsoft Rolls Out Linux Support Services on Azure”) even though it is not new; it is merely entrapment by Microsoft. Microsoft’s propaganda network “1105 Media”, featuring Microsoft’s booster Kurt Mackie, adds to it [1, 2] and promotes hosting by Microsoft. The latest Microsoft Channel 9 propaganda (we saw quite a bit of that recently) goes as far as openwashing Azure.
The bottom line is, nobody should ever trust Microsoft for hosting of any kind of site. The company is incompetent and it puts the NSA’s interests (e.g. back doors) first. █
Summary: The insecurity and abundant complexity/extensibility of UEFI is already exploited by crackers who are serving corrupt regimes and international empires
TECHRIGHTS has spent many years writing about the dangers of Microsoft back doors and about 3 years writing about UEFI which, according to various citations we gathered, enables governments to remotely brick (at the firmware level) computers in any foreign country, in bulk. This is a massive national security threat and Germany was notable in reacting to it (its federal IT security office warned against it). Among our posts which cover this:
Today we learn that UEFI firmware updates spread to the most widely used GNU/Linux desktop distribution and yesterday we learned that “HackingTeam has code for UEFI module for BIOS persistency of RCS 9 agent (i.e. survives even HD replace)…”
Rik Ferguson wrote this with a link to the PowerPoint presentation, pointing to leaked E-mails via Wikileaks. The push back against UEFI ought to be empowered by such revelations, perhaps in the same way that these leaks now threaten to kill Adobe Flash for good. █