EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS


The Shameless Campaign to Paint/Portray Free Software as Inherently Insecure, Using Brands, Logos, and Excessive, Selective Press Coverage

Posted in Free/Libre Software, FUD, Security at 5:39 am by Dr. Roy Schestowitz

Image courtesy of Red Hat, demonstrating lack of correlation between severity and logos/brands

Summary: Some more FUD from firms such as Sonatype, which hope to make money by making people scared of Free/libre software

The corporate media is in the business of selling (for corporations), not informing. Advertising is the business model, as well as media ‘partnerships’ (euphemism for PR). Security firms too are in the business of selling, not informing. Misinformation often helps improve sales. We have already ranted quite a lot about media misdirection, designed to sell products or malign the competitors of those who try to sell unnecessary products. We must assume that this is happening because it has always been happening; it’s just that it got a lot more frequent now that Free/libre is more widely used.

The other day IDG published some promotion of Veracode. To quote one paragraph: “The scale of the problem is significant. Cryptographic issues are the second most common type of flaws affecting applications across all industries, according to a report this week by application security firm Veracode.”

This is not an independent security researcher; it is the Black Duck-connected Veracode (Black Duck came from Microsoft and VeraCode’s co-founder recently joined Black Duck), which overlooks security issues with proprietary software. Veracode is not an objective observer; it is trying to sell something. Sonatype too, a nasty company which we wrote about before [1, 2, 3, 4, 5, 6], rears its ugly head in the media, in an article provocatively titled “Open-Source Code Can Be More Dangerous Than Useful”.

So Sonatype has launched yet another FUD attack on Free software, using myths and rhetoric, capitalising on gullible ‘journalists’ who would print just about anything, along with clueless pasting of bugs with logos (for extra fear), no discussion about severe bugs in proprietary software, and many other issues. This article is relaying marketing from Sonatype and dramatises it even further. “It gets worse,” says the writer, “according to Sonatype: Many of the software companies that have built insecurities right into their products wouldn’t be able to tell which of their applications are affected by a known component flaw because of poor inventory practices.”

Well, proprietary software deliberately adds flaws to act as secret back doors. How about that in the discussion? The article totally omits that. The article then adds some talking points from the FOSS-hostile Symantec, another company which tries to sell its proprietary software based on perceptions of insecurity.

Thankfully, there are a couple of comments there (below the article) that highlight the issues with the article; both are titled “Not only open source…”

As Free/libre software becomes more mainstream we should expect more parasites like Sonatype to look out for fools who are willing to do their marketing, monetising trash-talk.


Microsoft Windows So Insecure That Even Fonts Are Remotely Exploitable

Posted in Microsoft, Security, Windows at 5:28 am by Dr. Roy Schestowitz

Turning the alphabet into a security nightmare


Summary: Windows userbase is once again under serious threat and high risk because something as simple as fonts (rendering of text/pixels on the screen) isn’t done securely in Windows

THERE IS plenty evidence which shows that Microsoft is not interested in security, maybe because there are commitments to the NSA (the motivations are hard to reason about, but Microsoft’s reluctant to patch known holes is easily demonstrable).

Now we are being reminded that even fonts are a security risk in Windows. Yes, Microsoft continues to put users under remote execution threat because of fonts. As the British media put it:

Get patching: Google Project Zero hacker Mateusz Jurczyk has dropped 15 remote code execution vulnerabilities, including a single devastating hack against Adobe Reader and Windows he reckons beats all exploit defences.

The accomplished offensive security researcher (@j00ru) presented findings at the Recon security conference this month under the title One font vulnerability to rule them all: A story of cross-software ownage, shared codebases and advanced exploitation [PDF ] without much fanfare and published a video demonstration of the exploit overnight.

As one commenter (found by Robert Pogson) put it, “Adobe (and I guess MS as well) put font handling in the kernel from NT 4.0 to gain speed at the expense of having privileged-based protection, and against Dave Cutler’s original micro kernel plans. What could possibly go wrong?”

Proprietary software is so bad that even fonts are a huge risk. This isn’t the first such incident. It serves also as a reminder for GNU/Linux users because some users continues to install proprietary software from Adobe, despite Free/libre alternatives being equally potent.

To quote the part which shows why Windows makes things even worse: “The nastiest vulnerabilities for 32-bit (CVE-2015-3052) and 64-bit (CVE-2015-0093) systems exist in the Adobe Type Manager Font Driver (ATMFD.dll) module which has supported Type 1 and Type 2 fonts in the Windows kernel since Windows NT 4.0.”

“Our products just aren’t engineered for security.”

Brian Valentine, Microsoft executive


Microsoft is Again Demonstrating That It is Not Interested in Making Windows Secure

Posted in Microsoft, Security, Windows at 9:33 am by Dr. Roy Schestowitz

“Our products just aren’t engineered for security.”

Brian Valentine, Microsoft executive

Michael S. Rogers
“I don’t want a back door. I want a front door.”Director of the NSA (2015)

Summary: Microsoft decides to leave Windows with flaws in it, claiming that fixing the flaws would not be worth Microsoft’s resources

FOR A LONG period of time (3 months or more) Microsoft refused to fix a serious flaw in Windows. It only did something about it when it was too late because the public had found out. Microsoft blamed the messenger.

This is not the exception, it’s pretty much the norm. Some Windows flaws exist for as long as 15 years, but they have no "branding" like a name or a logo.

“People with access to the world’s biggest stockpile of nuclear weapons still use Windows XP.”“Dustin Childs says the company couldn’t get Microsoft to patch an IE exploit,” says this new report, pointing to HP’s Web site. “Since Microsoft feels these issues do not impact a default configuration of IE,” Childs wrote, “it is in their judgment not worth their resources and the potential regression risk” (a lot more damning information can be found in the HP Security Research Blog).

Given Microsoft’s cooperation with the NSA on back door access, this hardly surprises us. Even more sad than this is a new report about the US Navy wasting millions in taxpayers’ money to run an operating system initially released in 2001. People with access to the world’s biggest stockpile of nuclear weapons still use Windows XP. As IDG put it:

The U.S. Navy is paying Microsoft millions of dollars to keep up to 100,000 computers afloat because it has yet to transition away from Windows XP.

After the Office of Personnel Management (OPM) disaster (Windows involved), we oughtn’t be too shocked about some nuclear disaster happening because of dependence of ancient Windows.


Kaspersky Lab Hypocritical on Patents

Posted in Patents, Security at 7:03 am by Dr. Roy Schestowitz

None for you, but good for us?

Kaspersky Lab logo

Summary: Kaspersky Lab shows that its stance on software patents (and the patent system in general) is not as strong as it claims

Kaspersky, which is based in Russia and is certainly no ally of the US, turns out to be pursing US-style software patents, despite Kaspersky (the chief) publicly slamming the patent system on numerous occasions. Kaspersky might try to argue that it does this for defensive purposes (the same excuse Google uses as it continues to hoard software patents), especially now that Microsoft-connected patent aggressors shake down security companies, but overall it shows that Kaspersky isn’t too serious about change or reform. It doesn’t play a role in it.

Meanwhile, as this London-based patent lawyers’ blog reminds us, software patents’ validity is being diminished in the US, with potential implications in Europe. “Coupled with the relatively restrictive (or realistic) ruling on patentability of software in Alice v CLS,” it says, “the question is asked whether this is a sea-change or merely a blip in the annual statistics, which will soon be corrected by regression to the norm. In Europe, ongoing work on fixing the procedural rules and institutional infrastructure of the Unified Patent Court has provided a major focal point for litigation interest.”

Kaspersky would be wise to stop wasting time and money acquiring patents. Developers need to focus on good programming and secure algorithms, not typing up papers to be submitted to lawyers for the acquisition of monopolies. Mr. Kaspersky ought to change his company’s policy to coincide with a computer scientist’s common sense. Besides, software patents may already be on their way out (bulk invalidation).


Kaspersky Reminds Us of the Dangers of Microsoft Windows

Posted in Microsoft, Security, Windows at 4:31 pm by Dr. Roy Schestowitz

Eugene Kaspersky

Summary: State-sponsored malware which targets Microsoft Windows serves to show that Windows should be banned, especially in important operations

Two readers of ours wrote to us about Kaspersky coming under Stuxnet-like attacks. We have been shown articles that completely fail to call out Windows. Some call it “state-sponsored malware attacks”. We previously wrote about Kaspersky’s rants regarding US patents [1, 2], Windows, and Windows in nuclear facilities. We recently wrote about attempted US attacks on North Korea's nuclear facilities, targeting Windows. It is rather amazing that despite mountains of evidence that Windows is not secure (often a politically-motivated trap), some states are still eager or at least willing to allow Windows installations (infestations).


Debunking the Idea of ‘Secure’ Windows (or Proprietary Software, by Extension)

Posted in Deception, Microsoft, Security, Windows at 4:13 am by Dr. Roy Schestowitz

“The continuous and broad peer-review enabled by publicly available source code supports software reliability and security efforts through the identification and elimination of defects that might otherwise go unrecognized by a more limited core development team.”

CIO David Wennergren, Department of Defense (October 2009)

Summary: Microsoft has a new charade, centered around lobbying hubs such as Brussels, to give non-technical people the false impression of Windows ‘security’

GIVEN the special relationship between Microsoft and the NSA (proven by NSA leaks), one might expect no sane government (or even company) to do business with Microsoft ever again. But after some show trials (e.g. in Ireland), public lobbying, and the many lies spread through corporate media (puff pieces) some actually do view Microsoft as antagonising the NSA — a nice and convenient myth if you can get yourself to believe it.

Dr. Glyn Moody wrote a response to Microsoft’s publicity stunt which tries to sell the impression that Windows and other Microsoft software do not have back doors, despite admissions to the contrary. Microsoft is pretending that Windows is secure using the 'Transparency Centre' farce. Here is some of Moody’s response to it:

The issue of back doors and the possibility that software companies have been cooperating with the NSA to undermine the security of their products has become particularly sensitive in the wake of Edward Snowden’s revelations about the surveillance activities of the NSA and GCHQ. One of the earliest leaked documents concerned the Prism programme, which apparently showed that the NSA had direct access to the systems of all the top US software and Internet companies.

On a presentation slide indicating the dates when Prism began for each “provider,” Microsoft is listed as the very first, starting in 2007. In response, Brad Smith, General Counsel & Executive Vice President, Legal and Corporate Affairs, Microsoft, denied that the NSA had “direct and unfettered access to our customer’s data.” He insisted: “Microsoft only pulls and then provides the specific data mandated by the relevant legal demand.”

Soon after the Prism story appeared, a report from Bloomberg claimed that Microsoft “provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix.” In an article published this week by The Intercept discussing criticisms of Microsoft’s BitLocker disk encryption program, the company was asked to respond to Bloomberg’s allegations from 2013. A Microsoft spokesperson said that sharing bugs was simply part of the GSP, and that “its intention is to be transparent, not to aid spy agencies in making malicious software.”

According to the original Bloomberg article, however, that’s exactly what the NSA used them for: specifically, they “allowed the U.S. to exploit vulnerabilities in software sold to foreign governments.” Asked about “instances in which Microsoft built methods to bypass its security and about backdoors generally”, the spokesperson also told The Intercept that Microsoft “doesn’t consider complying with legitimate legal requests backdoors.”

The opening of the Transparency Centre in Brussels is evidence that Microsoft is worried that some in Europe still have their doubts about whether its software can be trusted. Microsoft’s Thomlinson described the move as “the latest step … to enhance the transparency of our software code and continue building trust with governments around the world.” He also said that there needs to be “a high level of openness and cooperation between public and private sectors.”

Microsoft’s back doors in its software do not need to be built into the binaries. Microsoft can add them when it’s time to update, it can use security holes (which it tells the NSA about before they are fixed), and it uses bogus encryption — as it does — to completely beat the purpose of secure messaging or massage-passing. Moreover, nobody supervises the build process of Windows, except the NSA. There is no telling what is being compiled and how. There is no telling what happens before binaries are installed on computers (en route), where hard drives and various other hardware have back doors (as revealed by NSA leaks) that ‘hook’ onto Windows like a hand inside a glove. Proprietary software cannot be trusted, not in this ‘transparency’ sense. It might, however, be just enough to fool some non-technical people.


Pretending That Windows is Secure and ‘Open’ Using the ‘Transparency Centre’ Farce

Posted in Free/Libre Software, Microsoft, Security at 10:42 pm by Dr. Roy Schestowitz

“Two security researchers have developed a new technique that essentially bypasses all of the memory protection safeguards in the Windows Vista operating system…”

Dennis Fisher, August 7th, 2008

Summary: Microsoft is trying to redefine what Free/Open Source software means and what it takes for security of software to be assured/audited

THE strategy of Microsoft as of late has been combating Free software by changing what it actually means and then pretending to be it. FOSS Force has a good new article about Microsoft’s completely bogus posturing, intended to battle Free software by pretending that Microsoft’s source code is accessible. We are soon going to show (maybe later today) how Microsoft battled Free/Open Source software in voting, essentially using truly misleading lobbying, entryism, and obfuscation ploys.

As FOSS Force put it, “The Transparency Center concept was meant to allay fears that might cause foreign governments to consider options other than Microsoft (read: Linux and FOSS), by granting them unprecedented access to source code.”

In our latest articles about SSH and Microsoft we countered the claim that Microsoft is ever pursing security. It’s not. Security is not the goal. Read the article from FOSS Force for further details.

With SSH Keys on Windows the World Will be a Vastly Less Secure Place

Posted in GNU/Linux, Microsoft, Security, Windows at 11:27 am by Dr. Roy Schestowitz

“Our products just aren’t engineered for security.”

Brian Valentine, Microsoft executive

Summary: Another warning about the grave consequences of putting SSH endpoints on an operating system which is compromised by design

QUITE a few readers (and also pro-Microsoft bullies) have written to us regarding yesterday's article about OpenSSH and Microsoft, the first PRISM company which also uses broken (by design) ciphers to act as passive back doors. Microsoft is losing and is getting left behind, hence it tries to ‘embrace’ the competition. It’s not a good gesture but an effort to entice people into Windows prison, i.e. inherent insecurity. OpenSSH is supposed to be all about security, which Windows is inherently (by design) not compatible with. Does anyone really want to put public and private keys on a machine that is remotely accessible by spies? That’s suicidal for a government, corporation, legal firm, journalist, etc.

“We already know, thanks to leaks from Edward Snowden, that spies in the West are systematically harvesting passwords of systems administrators and then use these to hijack/infiltrate entire networks.”Microsoft promotion sites continue to praise Microsoft, whereas other sites cautiously welcome the move [1, 2, 3, 4, 5, 6]. This has been mentioned in various news sites since we first covered it, some Linux-centric ones ones too [1, 2]. In Linux Questions, for example, comments included “welcome microsoft to the year 2000.” Or even: “It was nice having known about you, PuTTY.”

To set the record straight, if we correctly understand Microsoft’s plans (all they are at this stage is just speculative, as there is not even a timetable, let alone any code), there will be increased access by espionage-seeking, power-motivated spies to people’s SSH keys. This will decrease overall security. Windows will be the weakest link. We already know, thanks to leaks from Edward Snowden, that spies in the West are systematically harvesting passwords of systems administrators and then use these to hijack/infiltrate entire networks all around the world. All that Microsoft’s involvement can achieve in this case is an increase in compromised computer networks. Putting SSH keys on Windows is the technical equivalent of putting tanks on rhapsodies (rendering the tanks sinkable).

« Previous Page« Previous entries « Previous Page · Next Page » Next entries »Next Page »

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channels: Come and chat with us in real time

New to This Site? Here Are Some Introductory Resources




Samba logo

We support

End software patents


GNU project


EFF bloggers

Comcast is Blocktastic? SavetheInternet.com

Recent Posts