“There’s no company called Linux, there’s barely a Linux road map. Yet Linux sort of springs organically from the earth. And it had, you know, the characteristics of communism that people love so very, very much about it. That is, it’s free.”
–Steve Ballmer, Microsoft’s CEO at the time
Summary: Corporate media helps stigmatise Free/Open Source software as unsuitable for commercial use and once again it uses the ‘security’ card
SEVERAL days ago in our daily links we included two articles that used the term “commercial software” (to mean proprietary software). Both cited Synopsys. It is amazing that even in 2015 there are some capable of making this error, maybe intentionally. Commercial software just means software that is used, sold or supported commercially; the opposite of “commercial” is “non-commercial”, whereas the opposite of “proprietary” is “Free/libre”. A lot of commercial software is Free/Open Source software (the corporate media prefers the term “Open Source” to avoid discussion about the F word, “freedom”).
Yesterday we found yet another headline which repeats the same formula (as if they all received the same memo), calling proprietary software “commercial software”, thereby reinforcing the false dichotomy and the stigma of Free software. “Looking at our Java defect density data through the lens of OWASP Top 10,” says Synopsys, “we observe that commercial software is significantly more secure than open source software.”
Another article from yesterday reminded us that Free software takes security very seriously and top/leading Free software projects are widely regarded (even by Coverity) as more secure than proprietary counterparts. Oddly enough, Synopsys links to a “Coverity Scan Open Source Report 2014”, not 2015, and the report is behind walled gardens, so it is hard to check whether these headlines tell the whole story or just part of it. The analysis itself is done by proprietary software, whose methods are basically a secret, and a defect density figure depends on which projects were scanned (Coverity Scan only sees the Free software projects that opt in), which checkers were enabled and whether the reported defects were ever triaged as real. Go figure…
We recently saw some very gross distortions where security issues in proprietary software got framed as Free software issues. As we have repeatedly demonstrated and stressed over the past year and a half, there seems to be a campaign of FUD, ‘branding’, and logos (the latest being targeted at Android/MMS) whose goal is to create or cement a damaging stereotype while always ignoring back doors and even front doors in proprietary software (now out in the open because of the British Prime Minister and the ringleader of the FBI). █
“I don’t want a back door. I want a front door.” — Director of the National Security Agency (NSA), April 2015
Summary: Vista 10 to bring new ways for spies (and other crackers) to remotely access people’s computers and remotely modify the binary files on them (via Windows Update, which for most people cannot be disabled)
MICROSOFT never cared about security. A former Windows manager, Brian Valentine, said explicitly that Microsoft products “just aren’t engineered for security.” Last year we also showed how back in the 1990s Bill Gates and his staff had already collaborated quite intimately with the NSA, well before Snowden’s NSA and GCHQ leaks helped confirm this (with hard evidence and subsequently media reports).
The Apache Software Foundation (ASF), which is unfortunately headed by a guy from Microsoft, is getting into bed with the NSA right now, despite the negative publicity that may come with such a move. Microsoft, much to our surprise, is still working with the NSA on Windows, and it does this also for Vista 10. One new article about Microsoft’s purchase of an Israeli (i.e. spy-friendly, as we explained days ago) company says that “[a] big reason for this is the company’s collaboration with the National Security Agency (NSA).”
Microsoft is still banking on enough people foolishly believing that NSA collaboration is ‘for security’ rather than for ‘national security’, i.e. back doors. A Windows-powered site reminded us some days ago that the NSA “worked with Microsoft on security aspects of the Windows 7 operating system and later for Windows 8 and 10.”
Yes, Microsoft still keeps the NSA in the picture. This actually surprised us because it’s a PR disaster. Why does Microsoft still want to be seen working in cahoots with the NSA? In proprietary software, back doors for “national security”, i.e. not real security, are the cause of many costly issues: the software is designed to be penetrable rather than secure. Is there anyone who still honestly thinks that Vista 10 won’t have back doors? Microsoft never stopped its relationship with the NSA and it is obviously still working with the NSA, despite knowing the negative publicity this can bring. A Darwin Award goes out to anyone who still thinks that Microsoft is not helping the NSA exploit its software (because of “national security” and other such excuses), despite the Snowden-provided documents that show exactly that.
Earlier today the developer of GNU Telephony wrote that at Microsoft “they created the perfect environment for such demands to be met, forced updates is a front door for govt malware and spying” [and indeed, as The Register revealed last week, they had even removed the ability to stop these updates in most “editions” of Vista 10. Over ten years ago it was already reported on the Web that even when you toggle off automatic updates Microsoft still performs some of them.] Whatever one makes of the motive, a forced update channel is, technically, remote code execution by design: whoever controls the signing keys or the update servers can replace any binary on every machine that consumes the feed, and the machine’s owner has no say.
Looking back at news only a few days old, HP has reported 4 new vulnerabilities in Internet Explorer, and not for the first time. To quote IDG: “HP’s Zero Day Initiative (ZDI) doesn’t cut much slack with its 120-day disclosure policy. When ZDI knocks on your door and says you have a security hole, you get 120 days to fix it or risk full public disclosure. That’s what happened — again. With ZDI and Microsoft — again. Over Internet Explorer — again.”
“The only way to avoid MSIE is to ditch Windows since it is built-in and impossible to remove,” iophk said to us. Will Hill wrote: “There is still vendor-supplied IE6-specific software that will not work outside of IE. One of my vendors at work told me one of their pieces of software might work with IE8 but no other browser, including the IE 11 that Microsoft had shoved onto most of the computers. This just highlights the fact that vendors who use Microsoft don’t care about their customers and that Microsoft does not care about anyone.”
Going only 3 days back, there is this news that Hacking Team helps governments take over Microsoft Windows through back/bug doors, exploiting fonts. “Unpatched systems,” wrote Paul Hill, “can be affected if the user opens a document or webpage that contains an embedded OpenType font file. As the font drivers in Microsoft systems run in kernel mode it means that an attacker could gain access to the entire system with the ability to add and remove programs and create new user accounts with admin privileges.”
Windows has recently suffered from other font-related holes, and not for the first time, either. Kernel-mode font parsing is an easy access point into Windows (Microsoft is reported to tell the NSA about such holes before patching them): a font is attacker-controlled input, yet it is parsed by code that runs with full kernel privilege, so one missed bounds check turns a document or a web page into a local root. All versions of Windows share this design, ever since the graphics engine was moved into the kernel in NT 4.0, and they have all been found vulnerable through it again and again, each time without a fix until the hole became public.
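The kernel-mode parser described above has to trust the font’s own table directory. The Python below is an added example (not code from the original post, from Microsoft or from Hacking Team) that parses the OpenType/TrueType table directory in user space with the bounds checks such a parser needs, and scans a blob (a document or a web page) for embedded fonts, reporting whether each one is well-formed. The sample fonts are constructed by hand from the sfnt header layout rather than taken from real files; a `CFF ` table is what marks an OpenType font with PostScript outlines, the kind handled by the kernel font driver the quoted article refers to. The second sample shows the overflow trick a careless parser falls for: one length field set to 0xFFFFFFFF, so that `offset + length` wraps in 32-bit arithmetic and passes a naive size check.

```python
"""Scan a blob for embedded OpenType/TrueType fonts and validate each one's
table directory before anything dereferences it.
Added example, not code from the original post or from any vendor; the
sample fonts are constructed by hand, not taken from real files."""
import struct

SFNT_MAGICS = {
    b"OTTO": "OpenType/CFF",            # PostScript (CFF) outlines
    b"\x00\x01\x00\x00": "TrueType",    # TrueType outlines
    b"true": "TrueType (Apple)",
}
HEADER_FMT = ">4sHHHH"   # sfntVersion, numTables, searchRange, entrySelector, rangeShift
RECORD_FMT = ">4sIII"    # tag, checkSum, offset, length (offset counted from font start)
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 16 bytes
MAX_TABLES = 64          # sanity cap; genuine fonts use far fewer tables


class MalformedFont(ValueError):
    """Raised for any directory entry that a careless parser would trust."""


def parse_table_directory(data: bytes, start: int = 0) -> dict:
    """Parse the sfnt header and table records of the font at data[start:].
    Every offset/length pair is checked against the available bytes, using
    unbounded Python ints, so a 32-bit wraparound cannot hide an overrun."""
    avail = len(data) - start
    if start < 0 or avail < HEADER_LEN:
        raise MalformedFont("header runs past end of data")
    magic, num_tables, _, _, _ = struct.unpack_from(HEADER_FMT, data, start)
    if magic not in SFNT_MAGICS:
        raise MalformedFont(f"unknown sfnt version {magic!r}")
    if num_tables == 0 or num_tables > MAX_TABLES:
        raise MalformedFont(f"implausible numTables={num_tables}")
    dir_len = HEADER_LEN + num_tables * RECORD_LEN
    if dir_len > avail:
        raise MalformedFont("table directory runs past end of data")
    tables = {}
    for i in range(num_tables):
        rec = start + HEADER_LEN + i * RECORD_LEN
        tag, _checksum, offset, length = struct.unpack_from(RECORD_FMT, data, rec)
        if not all(0x20 <= b < 0x7F for b in tag):
            raise MalformedFont(f"non-ASCII table tag {tag!r}")
        if tag in tables:
            raise MalformedFont(f"duplicate table tag {tag!r}")
        if offset < dir_len or offset + length > avail:
            raise MalformedFont(f"table {tag!r} at {offset}+{length} lies outside the font")
        tables[tag] = (offset, length)
    return {
        "kind": SFNT_MAGICS[magic],
        "tables": {t.decode("ascii"): span for t, span in tables.items()},
        "has_cff": b"CFF " in tables,
    }


def scan_for_fonts(blob: bytes) -> list:
    """Report every sfnt magic in blob and whether the font there parses cleanly."""
    findings, pos = [], 0
    while pos <= len(blob) - HEADER_LEN:
        magic = next((m for m in SFNT_MAGICS if blob.startswith(m, pos)), None)
        if magic is None:
            pos += 1
            continue
        try:
            info = parse_table_directory(blob, pos)
            findings.append({"offset": pos, "ok": True, **info})
            pos += max(off + ln for off, ln in info["tables"].values())  # skip the font
        except MalformedFont as exc:
            findings.append({"offset": pos, "ok": False,
                             "kind": SFNT_MAGICS[magic], "error": str(exc)})
            pos += HEADER_LEN
    return findings


def build_font(magic: bytes, tables: dict) -> bytes:
    """Assemble a minimal sfnt container (constructed test input, not a usable font)."""
    n = len(tables)
    entry_selector = n.bit_length() - 1              # floor(log2(n))
    search_range = 16 * (1 << entry_selector)
    header = struct.pack(HEADER_FMT, magic, n, search_range, entry_selector,
                         n * RECORD_LEN - search_range)
    records, body = b"", b""
    data_start = HEADER_LEN + n * RECORD_LEN
    for tag, payload in tables.items():
        records += struct.pack(RECORD_FMT, tag, 0, data_start + len(body), len(payload))
        body += payload + b"\0" * (-len(payload) % 4)   # tables are 4-byte aligned
    return header + records + body


if __name__ == "__main__":
    clean = build_font(b"OTTO", {b"CFF ": b"x" * 8, b"head": b"y" * 54})
    for finding in scan_for_fonts(b"<html>" + clean + b"</html>"):
        print(finding)
    # Same font with the first table's length set to 0xFFFFFFFF: in 32-bit
    # arithmetic 44 + 0xFFFFFFFF wraps to 43, which a naive check would accept.
    bad = clean[:HEADER_LEN + 12] + b"\xff\xff\xff\xff" + clean[HEADER_LEN + 16:]
    for finding in scan_for_fonts(bad):
        print(finding)
```

The point of the example is where the check lives: a parser that validates the directory in user space, with the arithmetic done in a type that cannot wrap, can reject a malformed font before any privileged code touches it, which is exactly what a kernel driver parsing untrusted fonts cannot afford to skip.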
What will the world look like after this back doors ‘leader’ and ‘champion’, Microsoft, is gone for good? Well, we need to ensure that NSA partners like Red Hat [1, 2, 3, 4, 5] don’t compromise GNU/Linux, too. Social engineering, bribes, blackmail, anonymous patches, etc. are the classic tricks of this trade. █
The “legally-binding” and “transparency” conundrums grossly distorted
Summary: News sites mislead their readers, teaching them that the biggest dangers associated with proprietary software are in fact problems exclusive to Free/libre Open Source software
FOR Microsoft to ever pretend to care about security would basically mean to lie, blatantly. Microsoft works hand in glove with the NSA and it has, on numerous occasions, admitted that true security isn’t the goal. Its actions too show this repeatedly. Known flaws -- or holes, or bug doors, or whatever one frames them as -- are not being patched unless the public finds out about them.
In order to bolster security perceptions and to give an illusion that Microsoft actually cares about security and invests in it, the company has just hired some staff in Israel (acquisition is one other way to frame this). The media calls it a “security provider”, but given Israel’s record on back doors, cracking (e.g. Stuxnet development), wiretapping etc., this is rather laughable. A lot of Microsoft’s so-called ‘security’ products are made in Israel, and some companies in this military-driven industry facilitate and cater for spies using back doors, usually under the guise of ‘security’ (they mean “national security”). We wrote about this in past years.
We were rather disturbed to see this bizarre article yesterday. Titled “Hackers targeting .NET shows the growing pains of open source security”, the article is a big lie, and the headline certainly is. .NET is still proprietary, it has holes in it, and some fool uses that to call Free/libre software “not secure”. Let’s assume for a second that .NET code becoming visible to the world does expose many holes. That proves exactly the opposite of what the headline says: if anything, Microsoft keeping the code secret assured low quality and bred vulnerable code, and once the code was shown to the world those holes started being exploited. Security through obscurity is a myth that merely encourages people to rely on poorly implemented programs with shoddy security, whose developers then choose to hide the ugliness of the code. A lot of the claims in the article come from a FOSS foe, Trend Micro, but framed correctly they state that a public audit of .NET now shows just how terrible proprietary software can be when it has never been subjected to outside scrutiny.
In other disturbing headlines we find another inversion of the truth. The Business Software Alliance (BSA), or the EULA police, has done a lot to show how dangerous proprietary software licences can be. Nevertheless, Slashdot with its pro-Microsoft slant as of late [1, 2] gives a platform to Christopher Allan Webber.
“Is this another false “I really like the GPL except” post,” asked us a reader. To quote the author: “The fastest way to develop software which locks down users for maximum monetary extraction is to use free software as a base” (oh, yes, those greedy Free software developers!)
The article has a misleading/provocative headline (hence we provide no direct link) and Bruce Perens, who had already accused Black Duck of FUD against the GPL (“I think it’s 100% B.S.,” he said three years ago), responded to the piece by stating:
I help GPL violators clean up their act, it’s my main business.
Every one has had a total lack of due diligence. I will come in and find that they have violated the licenses of 21 proprietary software companies (this is a real customer example) by integrating their code into their main product, just like the GPL code. Some of them only had an “evaluation” license, some not even that, some wildly violated the terms of any license they got.
Most of them are in silicon valley. They seem to have the attitude that they will clean up their legal problems when they’re rich, and nothing but getting their product out of the door matters until then.
They don’t ask me to feel sorry for them. I bill them a lot, and in the end, they’re clean and legal.
When it comes to legal risk and licensing, nothing beats proprietary software. It’s risky, it’s expensive (lock-in makes the exit barriers considerably higher), and it is very hard to comply with, especially when you are low on staff and funds (licences must be renewed and re-counted all the time). Contrariwise, it is comparatively easy to comply with copyleft: there is no renewal work and no renewal fee. What is required is to keep the code under the same licence, preserve the notices and, when distributing binaries, make the corresponding source available. The rules are few and they are public. █
Not the Rackspace we once knew…
Summary: Rackspace adds proprietary spyware to its premises, hence reducing confidence in its ability to secure whatever is on the racks (security or perceived security severely compromised)
OVER the past few months I have confronted Rackspace on numerous occasions because they were promoting (even by mass-mailing without consent) proprietary software. This was done repeatedly, even after I had asked them to stop and they said they had taken action. That’s really quite a shame because Rackspace’s patent policy is commendable and their support team is technically competent. The PATRIOT Act was always quite a problem (they are subject to secret warrants and cannot notify customers), but nevertheless, they had a good track record. They are now throwing it all away.
According to this article, Rackspace, which was traditionally about GNU/Linux, has climbed into Microsoft’s bed. Rackspace says: “We’re pleased to expand our relationship with Microsoft and the options we provide for our customers by offering Fanatical Support for Azure”. The company is based at 1 Fanatical Place, which probably explains the name. Reading further down the article we learn about “Rackspace’s Private Cloud that will be powered by Microsoft’s cloud platform Azure.” They must be out of their minds!
Rackspace makes a laughing stock of itself. What a dumb move.
Rackspace ought to know better, for no deployment of Windows in its datacentre can ever do any good. It is a threat to other guests and hypervisors, even down to the hardware. UEFI, promoted by the NSA’s leading partner, is targeted by Hacking Team, and Microsoft Windows too is a target. To make matters worse, Microsoft is now leaving almost 200 million useds [sic] exposed. As The Register has just put it, “Windows XP holdouts are in even more danger than ever after Microsoft abandoned anti-malware support for the ancient platform.
“Redmond overnight stopped providing XP support for new and existing installs of its Security Essentials package.”
NSA surveillance of Windows is ever more trivial, and not just because Microsoft reportedly tells the NSA how to crack Windows (before patching flaws). The threat from Windows is contagious because it can spread to other platforms that share the same datacentre, network, and hardware; the weakest links are targeted to gain entry. Recall Pedro Hernandez with his Azure marketing (trying to convince GNU/Linux users to host with Microsoft), shameless marketing which was soon followed by other sites (promoted by Microsoft-centric sites, some of which receive money from Microsoft, but alas, this was also noted by pro-Linux writers at Softpedia News). Any datacentre which gets ‘contaminated’ with Windows is no longer trustworthy; it should be deemed insecure because Microsoft deliberately adds flaws (back doors) to Windows. There are numerous technical reasons for this and we have covered them before. UKFast, for example, a large UK-based host, once told me (I spoke to the CTO) that they use Hyper-V (proprietary, and running on Windows) to host GNU/Linux. This right there is a back door: the hypervisor sits beneath every guest in the privilege stack, so whoever holds the host holds each guest’s memory, disks and network traffic, and nothing inside the guest can audit or defend against it. I have confronted them over this. They never came up with a response that inspired any confidence.
Microsoft is now trying to make Apache software Windows- and Azure-tied, as British media now serves to remind us, and there is new additional bait to attract gullible people.
Don’t ever think that Windows can be contained or compartmentalised ‘away’ from Free software. Once a company starts to mix proprietary software with GNU/Linux (e.g. Hyper-V or VMware, which is connected to RSA) security is effectively lost, because the proprietary layer underneath the Free software cannot be audited. Novell made some initial steps in this direction back in 2006 and now we have Rackspace. The company cannot be trusted anymore. Rackspace’s business has back doors in it. █
Summary: The United Airlines Web site, which uses Microsoft software, gets cracked, but the corporate media ignores the role of the underlying platform
“United hackers given million free flight miles,” says the BBC right now. Go to the United Airlines Web site and you will immediately see that it runs on Windows: the front page URL ends in .aspx, and exposing the server-side technology in URLs is bad practice in its own right. The United Airlines site sits behind Akamai (i.e. GNU/Linux), but the responses still reveal a lot about the back end. That points at Microsoft frameworks as the platform the holes live on, though a platform fingerprint alone cannot tell whether the flaws were in the framework or in the site’s own code (poor programming, maybe, too).
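What such a fingerprint looks like in practice, as an added example that is not from the original post: the Python below takes a URL and one raw HTTP response and lists the indicators that point at ASP.NET on IIS (the `.aspx` extension, the `X-Powered-By`/`X-AspNet-Version` headers, the `ASP.NET_SessionId` cookie, a `__VIEWSTATE` form field), then shows the header stripping a defender would apply at the reverse proxy. The URL and the response are constructed for illustration and were not captured from United Airlines or any other site; the sample deliberately has `Server` rewritten by a CDN front, to show how much still leaks through.

```python
"""Passive fingerprinting of a site's back end from its URL and one HTTP
response, plus the header stripping a defender would apply in return.
Added example, not code from the original post; the URL and response are
constructed for illustration, not captured from any real site."""
import posixpath
from urllib.parse import urlsplit

ASPNET_EXTENSIONS = {".aspx", ".asp", ".asmx", ".ashx", ".axd"}
# Response headers that disclose the stack. A CDN in front may rewrite
# Server, but it usually passes the others through untouched.
LEAKY_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, headers, body).
    Header names are lower-cased; repeated headers (Set-Cookie) become a list."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def fingerprint(url: str, raw_response: bytes) -> list:
    """Return the ASP.NET/IIS indicators found, in a fixed order."""
    _, headers, body = parse_response(raw_response)
    hits = []
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    if ext in ASPNET_EXTENSIONS:
        hits.append(f"url-extension:{ext}")
    if any("microsoft-iis" in v.lower() for v in headers.get("server", [])):
        hits.append("server:microsoft-iis")
    if any("asp.net" in v.lower() for v in headers.get("x-powered-by", [])):
        hits.append("x-powered-by:asp.net")
    for name in ("x-aspnet-version", "x-aspnetmvc-version"):
        if name in headers:
            hits.append(f"{name}:{headers[name][0]}")
    if any(c.lower().startswith("asp.net_sessionid=") for c in headers.get("set-cookie", [])):
        hits.append("cookie:asp.net_sessionid")
    if b"__VIEWSTATE" in body:
        hits.append("body:__viewstate")
    return hits


def strip_leaky_headers(headers: dict) -> dict:
    """What the defender's reverse proxy should do: drop the stack-revealing
    headers. The URL extension and __VIEWSTATE need changes in the application."""
    return {k: v for k, v in headers.items() if k not in LEAKY_HEADERS}


# Constructed sample: a CDN front (Server rewritten) that still leaks the origin's stack.
SAMPLE_URL = "https://www.example.com/web/en-US/default.aspx"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: AkamaiGHost\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"X-AspNet-Version: 4.0.30319\r\n"
    b"Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b'<form method="post" action="default.aspx">'
    b'<input type="hidden" name="__VIEWSTATE" value="..." /></form>'
)

if __name__ == "__main__":
    for hit in fingerprint(SAMPLE_URL, SAMPLE_RESPONSE):
        print(hit)
    _, hdrs, _ = parse_response(SAMPLE_RESPONSE)
    print(sorted(strip_leaky_headers(hdrs)))
```

These are indicators for scoping, not proof: `X-Powered-By` can be faked or removed, a CDN may rewrite `Server`, and a `.aspx` URL tells you the stack, not which component failed. Stripping the headers hides the stack from casual scanners; it does not fix whatever hole the stack actually has.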
This comes at an interesting time because, to quote other British media, “Microsoft Ends Windows Server 2003 Support But What Now?”
Well, any company that still chooses Microsoft for public-facing site hosting would have to be dumb or seriously irresponsible. Microsoft is now hoping to also become the host of GNU/Linux sites. Microsoft’s booster Pedro Hernandez re-announces Microsoft propaganda right now (“Microsoft Rolls Out Linux Support Services on Azure”) even though it is not new; it is merely entrapment by Microsoft. Microsoft’s propaganda network “1105 Media”, featuring Microsoft’s booster Kurt Mackie, adds to it [1, 2] and promotes hosting by Microsoft. The latest Microsoft Channel 9 propaganda (we saw quite a bit of that recently) goes as far as openwashing Azure.
The bottom line is, nobody should ever trust Microsoft for hosting of any kind of site. The company is incompetent and it puts the NSA’s interests (e.g. back doors) first. █
Summary: The insecurity and abundant complexity/extensibility of UEFI is already exploited by crackers who are serving corrupt regimes and international empires
TECHRIGHTS has spent many years writing about dangers of Microsoft back doors and about 3 years writing about UEFI which, according to various citations we gathered, enables governments to remotely brick (at hardware level) computers at any foreign country, in bulk! This is a massive national security threat and Germany was notable in reacting to it (forbidding the practice). Among our posts which cover this:
Today we learn that UEFI firmware updates are spreading to the most widely used GNU/Linux desktop distribution, and yesterday we learned that “HackingTeam has code for UEFI module for BIOS persistency of RCS 9 agent (i.e. survives even HD replace)…”
Rik Ferguson wrote this with a link to the PowerPoint presentation, pointing to leaked E-mails published via Wikileaks. A module that lives in the firmware flash survives reinstallation and disk replacement, so it can only be found by dumping the flash and comparing it with the vendor’s image, and only kept out by firmware that is write-protected and verified before it runs. The push back against UEFI ought to be empowered by such revelations, perhaps in the same way that these leaks now threaten to kill Adobe Flash for good. █
Image from the OpenSSH project
Summary: Exploring the real motivations and the real implications of Microsoft giving money to the OpenBSD Foundation
MICROSOFT is in pain. The company sees its monopoly diminished due to software becoming a commodity and platforms such as BSD and GNU/Linux taking over everything, not just the back end. Microsoft can attempt to cope with this the way it typically copes with competition (including Android as of late): Embrace, Extend, Extinguish [1, 2, 3, 4].
The other day we wrote about yet another example of openwashing from Microsoft (assimilation strategy). Microsoft booster Darryl K. Taft is the latest to call a Windows-only .NET pile of Microsoft APIs “open source” and it leads us to Microsoft’s effort to characterise its involvement in OpenSSH [1, 2] as something benign or even good.
Based on an OpenBSD Foundation announcement and some press coverage that says Microsoft “handed a pile of money to the OpenBSD Foundation”, we are becoming a little concerned, knowing Microsoft’s history in such circumstances (creating unnecessary financial dependencies). This story is growing legs now, even on some Linux sites, so it is hard to ignore the risk of Microsoft using BSD as a front against GNU/Linux and copyleft, as it did in past years. Prudently one can say that if things are as indicated, this won’t be the first time Microsoft uses BSD as an anti-Linux front.
As Steven J. Vaughan-Nichols put it (implicitly) a couple of hours ago, it’s about “help in porting OpenSSH to Windows.”
Windows is known for gaping holes, i.e. the very opposite of OpenBSD. For these two entities to work together (the NSA resistor and the NSA’s number one partner) is an incompatible relationship. Nothing on top of Windows can be secured, and as we pointed out in our past articles about this, SSH keys will be put at risk: a private key stored on a host that cannot be trusted is a key that cannot be trusted, however sound the OpenSSH code that reads it. Microsoft’s ‘help’ to OpenBSD reminds us of Microsoft’s ‘help’ to Novell, where the goal was to use Novell to promote Windows, even inside Linux (e.g. Hyper-V).
It’s not a payment intended to help OpenSSH development. Microsoft looks to get its money’s worth (shareholders’ money). So it’s about putting secure Free software on an insecure proprietary software platform (with back doors), in order to promote and increase its use. █
Related/contextual items from the news:
The OpenBSD Foundation is happy to announce that Microsoft has made a significant financial donation to the Foundation. This donation is in recognition of the role of the Foundation in supporting the OpenSSH project. This donation makes Microsoft the first Gold level contributor in the OpenBSD Foundation’s 2015 fundraising campaign.
Microsoft has handed a pile of money to the OpenBSD Foundation, becoming its first-ever Gold level contributor in the process.
Here at Univention, we are of course also concerned by the attack on the German parliament’s IT infrastructure, better known as the “Bundestag hack”. To recap: It appears that there were some bogus e-mails there including links to malware. A number of the Windows PCs in the Bundestag’s “Parlakom” network were or may still be infected with the malware, which is alleged to have searched for and copied certain confidential Word documents. According to a report in the Tagesspiegel (German) newspaper, this allowed the hackers to gain “administration rights for the infrastructure”. The attack was conducted as an “advanced persistent threat” or “APT attack” for short: in other words, a complex, multi-phase attack on the German parliament’s “Parlakom” IT network.
A game of perception alteration
“Well, it’s in the brand. The image you create around the brand. That’s why I need you in this company. Because nobody in this company, or in this industry, really understands that. And if we can have the perception, I can create the reality. With the combination of the reality and the perception, nobody will ever beat us.”
Summary: More AstroTurfing for Vista 10, including shameless promotion of the mere perception of it being ‘open’ and ‘secure’
THINGS must be working out pretty well for Microsoft’s PR agencies when/if even some Linux sites are willing to promote the NSA-friendly (hyper-visor runs only on Windows) Hyper-V. This is a little frustrating because it is not hard to see what it’s all about for Microsoft, whose software is made insecure by design. As FOSS Force put it the other day:
I assume that most enterprise users of Microsoft products already know not to trust Redmond to handle Windows’ security. I worry, however, about the poor consumer who plops a thousand dollars down for a laptop, and thinks it’s just fine to stop in to use the free Wi-Fi at Mickey Dee’s for a quick check of the bank account while being protected by nothing more than the best Redmond has to offer.
It looks like Vista 10 will remain as flawed and inherently insecure as its predecessors, no matter how much AstroTurfing Microsoft does (it gets worse by the day, as changing perception is the goal with official release day imminent) and how much openwashing Microsoft constantly does. It’s hard to keep up with the propaganda and refute it quickly enough.
Yesterday we spotted Microsoft’s propaganda channel (Channel 9) brainwashing Microsoft staff and readers of Channel 9, implicitly telling them that Visual Studio is “open source”. Openwashing of SAP and Apple (below) could also be found in the news yesterday, so it is not only Microsoft that does this. Remember that both companies were asked (if not required) by Russia to reveal their source code last year, for fear of back doors. We don’t know if SAP and Apple ever complied. █
Related/contextual items from the news:
SAP SE is dedicated to helping businesses respond to market demands around the clock, according to Steve Lucas, president of Platform Solutions at SAP. Its partnership with Red Hat, Inc. is a key part of its strategy. In an interview with theCUBE at RedHat Summit, Lucas explained further.
Recently, Apple released its programming language, Swift 2, to the public. By releasing Swift to the open source community, Apple is giving software developers more access to and control over the programming language. This release opens up a myriad of exciting possibilities for application development, software advancements and increased functionality.