
06.04.15

With SSH Keys on Windows the World Will be a Vastly Less Secure Place

Posted in GNU/Linux, Microsoft, Security, Windows at 11:27 am by Dr. Roy Schestowitz

“Our products just aren’t engineered for security.”

Brian Valentine, Microsoft executive

Summary: Another warning about the grave consequences of putting SSH endpoints on an operating system which is compromised by design

QUITE a few readers (and also pro-Microsoft bullies) have written to us regarding yesterday's article about OpenSSH and Microsoft, the first PRISM company which also uses broken (by design) ciphers to act as passive back doors. Microsoft is losing and is getting left behind, hence it tries to ‘embrace’ the competition. It’s not a good gesture but an effort to entice people into Windows prison, i.e. inherent insecurity. OpenSSH is supposed to be all about security, which Windows is inherently (by design) not compatible with. Does anyone really want to put public and private keys on a machine that is remotely accessible by spies? That’s suicidal for a government, corporation, legal firm, journalist, etc.

Microsoft promotion sites continue to praise Microsoft, whereas other sites cautiously welcome the move [1, 2, 3, 4, 5, 6]. This has been mentioned in various news sites since we first covered it, some Linux-centric ones too [1, 2]. In Linux Questions, for example, comments included “welcome microsoft to the year 2000.” Or even: “It was nice having known about you, PuTTY.”

To set the record straight, if we correctly understand Microsoft’s plans (which at this stage are merely speculative, as there is not even a timetable, let alone any code), there will be increased access by espionage-seeking, power-motivated spies to people’s SSH keys. This will decrease overall security. Windows will be the weakest link. We already know, thanks to leaks from Edward Snowden, that spies in the West are systematically harvesting passwords of systems administrators and then using these to hijack/infiltrate entire networks all around the world. All that Microsoft’s involvement can achieve in this case is an increase in compromised computer networks. Putting SSH keys on Windows is the technical equivalent of putting tanks on rhapsodies (rendering the tanks sinkable).

06.03.15

Microsoft Wants to Remove (or Deprecate) PuTTY From Windows and Replace It With Proprietary Microsoft Software

Posted in Free/Libre Software, Microsoft, Security at 10:04 am by Dr. Roy Schestowitz

What would Simon Tatham say?

Summary: The most prominent NSA partner wants to ‘contribute’ to OpenSSH, one of the thorns in the side of spies all around the world

MICROSOFT has just made this bizarre “Looking Forward” announcement, with no timetable. It’s about OpenSSH.

“I haven’t read the page or even tried to load the link,” told us a reader, “but the URL if legit says a lot of bad if they are now targeting and may corrupt that community. Connecting to or from a Windows machine defeats the purpose of the program.”

PowerShell was recently mentioned in the context of Microsoft's attempt to openwash it, trying to get UNIX/Linux people addicted to it. PowerShell is proprietary software and it uses Microsoft APIs, conventions, etc. No security-conscious person (especially a computer professional) should ever use it.

A very misleading headline from IDG says that making proprietary software devour OpenSSH is “love”. IDG extended this nonsense to several sites which it owns and many people read it there first because of this spamming/repetition/googlebombing [1, 2]. There was later (due to lesser visibility, no spamming) some additional ZDNet coverage from Linux-oriented journalists and from some Linux-oriented sites like Softpedia’s Linux section and Phoronix, which wrote: “In the Windows world it has been traditional to use a program such as PuTTY to remotely manage Unix boxes from Windows clients, but no more.”

Well, so it’s more like an unnecessary move then, at the very least because of PuTTY (there are other reasons which we can name another day). What exactly is Microsoft contributing here? PuTTY has worked for well over a decade (I first used it around 2001). It was adequately adapted/updated to all versions of Windows as there was market need/demand.

There was pro-Microsoft slant in Microsoft-supportive sites [1, 2] and increasingly (over time) Microsoft-leaning sites such as Slashdot (see coverage) or The Register (see coverage). These used to be pro-FOSS, but that was before Microsoft influence, boosters, money etc. got funneled in.

Our reader iophk, quoting Microsoft Peter as saying that “Microsoft is going to work with {sic} and contribute to {sic} OpenSSH, the de facto standard SSH implementation in the Unix world, to bring its SSH client and server to Windows,” criticises this worrisome move. “Like porting a hardened steel padlock to a paper bag,” to use his analogy. So a platform with back doors can compromise a network which the NSA, based on Snowden’s leak, has not been so successful at penetrating (some improvements have been made since then, like deprecation of old ciphers, not deliberately-compromised ciphers like those which Microsoft uses). We have legitimate reasons to be concerned when the first PRISM company and NSA ally (Microsoft) says it wants to ‘contribute’. Even when a company like Red Hat wants to alter SSH we dread it a bit because of Red Hat’s own relationship with its big client, the Department of Defence, as we have explained before [1, 2, 3, 4]. OpenSSH is a BSD project and the licence too is different, not just the philosophy (OpenBSD is exceptionally strict).

05.31.15

McAfee Associates Free Software and Anonymity With Crime

Posted in Free/Libre Software, FUD, Security at 3:23 pm by Dr. Roy Schestowitz

Summary: Insecurity firm McAfee, whose record on Free software is appalling (it is Windows-centric for its business), continues years of tradition by slinging mud at Tor

TECHRIGHTS regards and has for many years considered McAfee to be a leading source of FUD against Free software. To give a very recent example, McAfee is connected to the "VENOM" hype (former management), just like Microsoft.

The latest McAfee FUD targets Tor [1-4]. It’s FUD which associates Tor with crime. Framing Tor as a crime tool is like framing kitchen knives as weapons for murder, but this kind of characterisation sure fits the current war against Tor (anonymity). The attack on encryption is also on the rise and much of the British media is now spreading propaganda that associates encryption with terrorism. A recent movie that I watched, The Imitation Game, shrewdly associates encryption with the Nazis.

Related/contextual items from the news:

  1. ‘Tox’ Offers Ransomware As A Service

    The ransomware is free to use but site retains 20 percent of any ransom that is collected, McAfee researcher says.

  2. Almost anyone can make ransomware with this horrifying new program

    We might be entering a whole new era of malware, one where even those who lack any semblance of deep technical expertise will be able to acquire and disseminate viruses and the like on the fly.

  3. Yay for Tor! It’s given us RANSOMWARE-as-a-service
  4. Open Source Malware Lets Anyone Hold Computer Users to Ransom

    A free collection of files has been discovered that aids in the creation of ransomware; the process of encrypting the contents of someone’s computer until they pay to have it unlocked. Set your price and away you go.

05.30.15

The Lessons of Stuxnet: Never Use Microsoft Windows

Posted in Microsoft, Security, Windows at 4:26 pm by Dr. Roy Schestowitz

The NSA is playing with nukes

Summary: Windows is sufficiently ‘NSA-compatible’ for remote compromise and physical damage (sabotage) to highly sensitive, high-risk equipment

MANY news reports from around Friday [1-13] made it abundantly clear that Stuxnet, an Israel- and US-made virus that targets Microsoft Windows, was deployed not only in Iran (which uses Windows and Microsoft Linux) but also deployed (albeit unsuccessfully) in North Korea.

It is worth noting that Stuxnet was developed not only in the US but also in Israel and much of Microsoft’s software development for ‘security’ is also done in Israel, so it might not detect Stuxnet (by design).

News from North Korea should remind any nation with military facilities (that’s about every nation on Earth) to dodge Microsoft Windows. Turkey, for instance, reportedly moved its army to GNU/Linux and several other nations make similar moves for security reasons. In order to explain North Korea’s resistance to the infection some corporate media like to highlight “near-complete isolation” (see below) rather than reliance on GNU/Linux. The ToryGraph (see below) calls Stuxnet a “computer virus” even though it is uniquely a Microsoft Windows virus. Imagine the media reaction if some nation’s government tried to install viruses in nuclear facilities in the US…

This is by no means a defence of North Korea; it’s just that the story makes it abundantly clear that, Microsoft’s special relationship with the NSA aside, Windows is a target. Even Western governments target it. The NSA habitually said that it worried about attacks on its electric grid while, hypocritically enough, it is attacking nuclear facilities in other countries, never mind the risk of “blowback” or the “fallout” (pun intended) such aggressive actions may consequently bring. The Pentagon would label this an “act of [cyber] war”.

Related/contextual items from the news:

  1. NSA eggheads tried to bork Nork nukes with Stuxnet. It failed – report

    The NSA tried to wreck North Korea’s nuclear weapons lab using the centrifuge-knackering malware Stuxnet, and ultimately failed, multiple intelligence sources claim.

  2. Pyongyang 1, NSA 0: U.S. Tried and Failed to Hack North Korea’s Nuclear Infrastructure

    By almost completely shutting itself off from the rest of the world, the North Korean government has denied its people and society access to the fruits of the digital communications revolution. It has also reportedly helped stymie a U.S. cyberattack on the country’s nuclear infrastructure modeled on the so-called Stuxnet virus the United States and Israel used against Iranian centrifuges.

  3. The NSA reportedly tried — but failed — to use a Stuxnet variant against North Korea

    Right around the time that the Stuxnet attack so famously sabotaged Iran’s nuclear program in 2009 and 2010, the U.S. National Security Agency reportedly was trying something similar against North Korea.

    The NSA-led U.S. effort used a version of the Stuxnet virus designed to be activated by Korean-language computer settings, but it ultimately failed to sabotage North Korea’s nuclear weapons program, according to a Friday Reuters report, which attributed the information to people familiar with the campaign.

  4. NSA tried Stuxnet cyber-attack on North Korea five years ago but failed

    The US tried to deploy a version of the Stuxnet computer virus to attack North Korea’s nuclear weapons programme five years ago but ultimately failed, according to people familiar with the covert campaign.

  5. Report: US tried Stuxnet variant on N. Korean nuke program, failed
  6. US tried to bring down North Korean missile programme with computer virus
  7. Report: U.S. failed to sabotage North Korean nuclear program with Stuxnet-twin
  8. Report: US cyberattack on North Korea was ineffective
  9. Why Did a US Cyber Attack on North Korea Fail?
  10. US Tried, Failed To Sabotage North Korea Nuclear Weapons Program With Stuxnet-Style Cyber Attack
  11. US Reportedly Launched Stuxnet Attack Against North Korea
  12. US Failed at Planting Stuxnet-Style Computer Bug in N. Korea Nuke Program
  13. US reportedly tried to destroy North Korea’s nuclear program with a Stuxnet-type virus

05.27.15

Yet Another Major Security Deficiency in UEFI

Posted in Microsoft, Security at 6:03 am by Dr. Roy Schestowitz

Another reason to reject UEFI: system compromise before boot sequence starts (e.g. GNU/Linux)

Summary: UEFI is inherently insecure, more so than the alternatives which it strives to replace, including Free/libre ones

INTEL’S UEFI has been marketed as ‘security’ because of “Restricted Boot”, which basically gives a bunch of companies like Microsoft control over one’s computer. Microsoft works closely with the NSA and the NSA already spoke about compromise at boot time. UEFI enables remote bricking of PCs — a subject that we covered here before, e.g. in:

There is a post titled “UEFI backdoor allows root exploit in Linux” which UEFI apologist and developer Matthew Garrett responded to not exactly with refutation, only the insistence that it is not the “backdoor you are looking for”. To quote: “And that’s what Dmytro has done – he’s written code that sits in that hidden area of RAM and can be triggered to modify the state of the running OS. But he’s modified his own firmware in order to do that, which isn’t something that’s possible without finding an existing vulnerability in either the OS or (or more recently, and) the firmware. It’s an excellent demonstration that what we knew to be theoretically possible is practically possible, but it’s not evidence of such a backdoor being widely deployed.”

Maybe not yet. We’re talking about and dealing with imperialistic espionage agencies that go as far as putting back doors in the firmware of just about every hard drive.

We really need to stop referring to UEFI as a security enhancement. This is far from the first time security issues are found in UEFI, which is complicated, proprietary, patents-encumbered and relatively immature.

Computers with UEFI should be appropriately labeled (warning labels), just like foods with genetically-modified ingredients or packets of cigarettes.

05.18.15

Microsoft’s ‘Former’ Staff Continues With His Anti-Google Rhetoric at CBS

Posted in Deception, Google, Microsoft, Security at 7:16 am by Dr. Roy Schestowitz

Zack Whittaker
From Twitpic

Summary: A Microsoft intern, who has moved on to journalism, is still showing his affinity for Microsoft with apologetics and spin

Zack Whittaker, formerly Microsoft staff in the UK who is now writing for ZDNet (a CBS-owned technology tabloid), keeps attacking Microsoft's rivals. It’s a habitual thing.

The other day he tossed some FUD at Android (yet again) and repeated Microsoft’s classic talking points (which its boosters had all uniformly spread several months ago). “This year alone,” he wrote, “Google disclosed two security flaws in Microsoft’s software, leaving the software giant fuming. The security team gave Microsoft three months to fix the flaw, or face public shaming.” The article is titled “Google has an Android security problem” and it’s trying to portray Google — not Microsoft — as the problem.

Microsoft was trying to blame Google, so here again we have Whittaker defending Microsoft (his former employer) and shaming Google for revealing how Microsoft exposed users. It’s not hard to find Microsoft bias in sites like ZDNet. All one has to check is where CBS is hiring from. This is a widespread problem as many people from Microsoft (some still working for Microsoft) are writers at ZDNet.

05.14.15

“VENOM” FUD Attack — Like “Heartbleed” FUD Attack — Linked to Microsoft

Posted in Microsoft, Security at 7:48 pm by Dr. Roy Schestowitz

VENOM™ and Heartbleed™ do have something in common

Mike Convertino
From Microsoft management to CrowdStrike™ management

Summary: Why CrowdStrike™ is motivated to smear Free software and establish a stigma of insecurity in Free software-based virtual machines/’clouds’

The word/brand “Heartbleed” was made up by a Microsoft-connected firm — a firm that is headed by Microsoft’s former security chief. It basically took credit for a 2-year-old flaw that a Google engineer had found, publishing (along with a logo and a catchy brand name) dangerous details well before a patch could be made available and widely deployed/applied, i.e. it was an irresponsible disclosure.

CrowdStrike™ 'pulled a "Heartbleed"' in the sense that it followed some similar patterns (reminiscent of the above). XFaCE, a regular from our IRC channels, diverted our attention to the press release “CrowdStrike™ Appoints Amol Kulkarni as Vice President Engineering”, dated Dec 9, 2014 (less than half a year ago).

“Former Microsoft Bing Engineering Leader [leaving a dead/dying effort] joins Executive Team at CrowdStrike,” says the press release.

More important a find, however, is the background of Mike Convertino from the company’s leadership team. The introduction is very telling; rather than hide his background, it notes: “Prior to his work at CrowdStrike, Convertino was the Senior Director of Network Security at Microsoft where he was responsible for protecting all of the company’s networks from intrusion and exploitation.”

So the apple doesn’t fall too far from the tree.

“They also use Microsoft Office extensively, given their job ads,” XFaCE added.

“Adam Meyers, “VP of Intelligence” at CrowdStrike™, used to work for SRA International,” XFaCE says. According to Wikipedia, “SRA provides information technology services to clients in national security, civil government, and health care and public health. Its largest market, national security, includes the Department of Defense, Homeland Security, US Army, US Air Force, and intelligence agencies.”

“Microsoft is a partner,” says XFaCE. George Kurtz, the CEO and co-founder of CrowdStrike, comes from McAfee, a common and frequent source of anti-Linux and anti-Android FUD. The famed Scottish-American founder of McAfee is now a fugitive.

Why is it that we so often find out-of-proportion scare (or FUD) against Free software linked to Microsoft and its ‘former’ staff or close partners?

New Windows Ransomware: No Branding, Not Even a Mention of Windows

Posted in Microsoft, Security at 11:15 am by Dr. Roy Schestowitz

Summary: New example of media bias which completely omits Windows and spares Microsoft as that may lead to bad publicity

The VENOM® hype campaign is still occupying headlines, serving to distract from Microsoft’s ~50 vulnerabilities which were disclosed on Tuesday and hardly received any media attention.

We recently complained that the ToryGraph advertised Microsoft and deleted Netscape from history, thereby hiding Microsoft's criminal shame.

A reader has just told us that the ToryGraph fails to call out Windows when there is negative news. There is Windows ransomware again, but Windows is not even named. There is no brand, no name, no logo, etc.

Microsoft Windows does not need to be infected to demand ransom; Microsoft does the job itself and has done exactly that (demanded ransom) since the first of the Vista series (before 7, 8, and 10). Microsoft no longer thinks it can convince people to pay for Windows, so this strategy is seemingly being dropped.
