“Our products just aren’t engineered for security.”
–Brian Valentine, Microsoft executive
Summary: Errors in Windows that facilitate remote access and privilege escalation (affecting every version of Windows) continue to surface and those who fix these errors risk bricking their systems/services
Having just made (generated rather, using an online tool) the above meme to make an important point (pardon the “Windows” typo), we wish to bring together some recent news about Microsoft Windows, probably the least secure operating system in the world (by design). The NSA is involved in finalising Windows development and knowing what many people finally know about the NSA, it oughtn’t be shocking that Windows uses weakened/flawed encryption, enables remote access, etc.
Earlier this month there was a lot of press coverage about a massive flaw and an “emergency” patch for Windows. The NSA, for a fact (based on Snowden’s leaks), already knew about this. It knew about before it was patched, as Microsoft tells the NSA about every flaw before patches are applied and flaws become common knowledge.
Stephen Withers, a booster of Microsoft from Australia, said that a “very old but only just fixed Windows vulnerability is the key to a new in-the-wild attack.
“Security vendor ESET says it has detected a real-life exploit for a vulnerability that’s been part of Windows for nearly two decades.”
So it’s not just exploitable by the NSA anymore.
Over at IDG, this flaw was said to have a botched ‘solution’. As the author put it: “Last Tuesday’s MS14-066 causes some servers to inexplicably hang, AWS or IIS to break, and Microsoft Access to roll over and play dead”
So patch or don’t patch, you are in a serious problem either way. Welcome to the “professional” and “enterprise-ready” world of Microsoft.
As Microsoft boosters put it, “Microsoft has announced that they will be pushing an out-of-band security patch today. The patch, which affects nearly all of the company’s major platforms, is rated ‘critical’ and it is recommended that you install the patch immediately.”
To brick one’s system?
Here is what British press wrote about it:
MICROSOFT HAS ISSUED an emergency patch for the Kerberos Bug that could allow an attacker to perform privilege escalation in several versions of Windows.
In what will be the firm’s third emergency patch in the past three months, the fix arrives just a week after the monthly Patch Tuesday release.
In other curious news from the same source, British taxpayers’ money has just been wasted cleaning up the mess of Microsoft Windows with its baked-in back doors. Windows is being hijacked en masse, but the corporate media refers to it as “PC”, not Windows. This is a crucial omission. The insecurity of Windows is not always accidental. It was designed to be easy to access (only by the “Good Guys”, of course!). “THE UK NATIONAL CRIME AGENCY (NCA) has arrested five people,” said the British press, “as part of a crackdown on hackers who hijack computers using Remote Access Trojans (RATs).” It’s a shame that they don’t point out that it’s a Windows-only problem. It doesn’t even take much in terms of skill to hijack Windows, as many hackers and crackers can attest to. To quote this report: “The NCA said on Friday that it has arrested two 33-year-old men and a 30-year-old woman from Leeds, along with a 20 year-old man from Chatham in Kent and a 40-year-old from Darlington in Yorkshire.”
This 20 year-old cracker is about as old as the latest bug door from Microsoft. With 19-year-old flaws in Windows (“critical” too) it oughtn’t be hard to hijack Windows-running PCs by the millions and even by the billions. As this article put it, the flaw is very severe and “Microsoft’s out-of-band update yesterday fixes a profoundly serious bug: Any user logged into the domain can elevate their own privilege to any other, up to and including Domain Administrator.”
Robert Pogson wrote that Microsoft “told the world they were naked and now system administrators are scurrying around to make sure every system running InActive Directory has a patch.”
As usual, no logos and brand names for this bug, not even the huge media hype that we saw when GNU Bash and OpenSSL had a bug in them. Perhaps the media learned to accept that Windows is Swiss cheese, or more likely it is unconsciously complicit in Microsoft’s PR. █
Send this to a friend
Summary: With Aorato acquisition Microsoft helps protect the criminals (from whistleblowers) and with lies about .NET Microsoft distracts from a bug that has facilitated remote access into Windows (by those in the know) for nearly two decades
MICROSOFT IS A company of liars, centred around media manipulation. This is why not enough people know about the company’s sheer levels of malice, crimes, and disregard for people.
Microsoft keeps throwing money around for favourable publicity, so not enough criticism is published where it’s well overdue. Today we’ll tackle several stories that deserve more attention from an appropriate angle, not a promotional (marketing) angle.
A few days ago Microsoft decided to buy a military-connected (IDF/Israel) anti-whistleblowing ‘software’ company. What a lot of shallow coverage failed to mention was the real purpose of the software (not often marketed as such). To quote one report: ‘“Snowden reportedly used colleagues’ passwords to access sensitive docs,” he told me. “Even if the user activity seems legitimate, the same account would actually present suspicious or abnormal behavior behind the scenes which Aorato would detect.”’
Actually, to keep the facts in tact, the NSA leaks were made possible by GNU WGet on the leakers’ side (same as Bradley/Chelsea Manning) and that horrible Microsoft SharePoint on the leaked side (NSA). It means that Microsoft itself was the problem which it claims to be trying to solve. We mentioned the role of SharePoint several times before. The acquisition by Microsoft seems to be geared towards stopping whistleblowing and hence defending corruption (so that Microsoft, for instance, can defend the NSA). How ethical a move, eh? So much for a ‘champion’ of privacy as it purports to be.
Anyway, there is a 19-year bug door in Microsoft Windows (almost no version is exempted from remotely-invoked full capture), but the press hardly covers it. We must give some credit to the BBC for covering it (for a change) and "calling out Windows". Other British press covered other inherent issues in Windows (compromising Tor)  and it looks like Dan Goodin is finally covering some security problems in proprietary software  rather than always picking on FOSS, then hyping it up with ugly imagery and exaggeration.
A reader of ours suspects that the .NET announcement was designed to distract from horrible security-related news. The .NET announcement is nonsense because it’s false (we wrote two posts about the .NET PR nonsense) and it also predicts future events like Visual Studio going cross-platform although the latest version of Visual Studio (proprietary) already runs under GNU/Linux using Wine, i.e. the Windows build works under GNU/Linux as it’s fully compatible anyway, for those foolish enough to want it. This is not news and the same goes for Office and other well-known Microsoft software. Xamarin staff keeps trying hard to infect GNU/Linux with .NET (that’s what they do) and as this very stupid article about .NET shows, the .NET nonsense did indeed help bury the news about the bug door. This disgusting article even gives credit to Microsoft for having fixed massive 19-year-old bug (only after IBM had found it). When bash or openssl have a bug, then FOSS is all bad, apparently. When Microsoft has a bug door for 19 years, the media says well done to Microsoft (for fixing it after another company forced it to). One has to wonder if this flaw (voluntary or involuntary) is part of Microsoft’s collaboration with the NSA, which made Stuxnet and has made yet another piece of Windows malware together with Israel. Here is a new article from The Intercept:
The Digital Hunt for Duqu, a Dangerous and Cunning U.S.-Israeli Spy Virus
Boldizsár Bencsáth took a bite from his sandwich and stared at his computer screen. The software he was trying to install on his machine was taking forever to load, and he still had a dozen things to do before the Fall 2011 semester began at the Budapest University of Technology and Economics, where he taught computer science. Despite the long to-do list, however, he was feeling happy and relaxed. It was the first day of September and was one of those perfect, late-summer afternoons when the warm air and clear skies made you forget that cold autumn weather was lurking around the corner.
Bencsáth, known to his friends as Boldi, was sitting at his desk in the university’s Laboratory of Cryptography and System Security, a.k.a. CrySyS Lab, when the telephone interrupted his lunch. It was Jóska Bartos, CEO of a company for which the lab sometimes did consulting work (“Jóska Bartos” is a pseudonym).
“Boldi, do you have time to do something for us?” Bartos asked.
“Is this related to what we talked about before?” Bencsáth said, referring to a previous discussion they’d had about testing new services the company planned to offer customers.
“No, something else,” Bartos said. “Can you come now? It’s important. But don’t tell anyone where you’re going.”
Bencsáth wolfed down the rest of his lunch and told his colleagues in the lab that he had a “red alert” and had to go. “Don’t ask,” he said as he ran out the door.
A while later, he was at Bartos’ office, where a triage team had been assembled to address the problem they wanted to discuss. “We think we’ve been hacked,” Bartos said.
They found a suspicious file on a developer’s machine that had been created late at night when no one was working. The file was encrypted and compressed so they had no idea what was inside, but they suspected it was data the attackers had copied from the machine and planned to retrieve later. A search of the company’s network found a few more machines that had been infected as well. The triage team felt confident they had contained the attack but wanted Bencsáth’s help determining how the intruders had broken in and what they were after. The company had all the right protections in place—firewalls, antivirus, intrusion-detection and -prevention systems—and still the attackers got in.
The ability to keep people’s rights away and keep the population down depends on passivity and conformity, including the use of Windows. Avoiding Microsoft Windows is imperative for those not wishing to be controlled remotely. As Microsoft’s collaborations with the NSA serve to show, mass surveillance on the whole world is practically contingent upon not just innovation but sabotage and social engineering with corporate buddies. Eradication of Microsoft software isn’t about competition only; it’s about justice. █
Related/contextual items from the news:
There are suggestions that the malware code has been around for a while, and has predecessors, and F-Secure warned internet users, anonymous or otherwise, to tread carefully when they download.
“However, it would seem that the OnionDuke family is much older, based on older compilation timestamps and on the fact that some of the embedded configuration data makes reference to an apparent version number of four, suggesting that at least three earlier versions of the family exist,” the firm added.
“In any case, although much is still shrouded in mystery and speculation, one thing is certain: while using Tor may help you stay anonymous, it does at the same time paint a huge target on your back.
“It’s never a good idea to download binaries via Tor (or anything else) without encryption.”
Three weeks ago, a security researcher uncovered a Tor exit node that added malware to uncompressed Windows executables passing through it. Officials with the privacy service promptly shut down the Russia-based node, but according to new research, the group behind the node had likely been infecting files for more than a year by that time, causing careless users to install a backdoor that gave attackers full control of their systems.
Send this to a friend
Summary: At many levels — from communication to storage and encryption — Windows is designed for the very opposite of security
TO ONE who is aware of what Microsoft has been doing with the NSA since the 1990s it can be rather shocking to see entire nations relying on Microsoft Windows. As a quick recap, aided by one of our readers, back in the 90s there was this article stating: “Rubenstein, Microsoft attorney and a top lieutenant to Bill Gates. By his own account, Rubenstein acts as a “filter” between the NSA and Microsoft’s design teams in Redmond, Wash. “Any time that you’re developing a new product, you will be working closely with the NSA,”he noted.”
There is hardly room any for excuses or misinterpretation here. “How NSA access was built into Windows” is another important article from the German press and it was published back in the 90s. These older articles are merely few among many more (some no longer accessible due to ‘Web rot’) which already made it clear that Bill Gates and Microsoft were fine with back-dooring billions of people. Gates continues to be a vocal proponent of the NSA, even to this date (after Snowden had leaked details that made the NSA exceptionally unpopular like no time before, internationally).
Anyone who still thinks that proprietary software is secure says quite a lot about his/her own intelligence (and disregard for facts). It is also widely known why it is risky to connect Free software to proprietary software, which basically compromises the trust that Free software carries with it. Germany, based on this new article from Dr. Glyn Moody, is beginning to see the light as well. Here is a portion:
You Can’t Trust Closed-Source Code – Germany Agrees
Similarly, moves by both Microsoft and Amazon, among others, to set up local data centres in the EU will not on their own protect European data unless that is encrypted by the companies themselves, and the cloud computing providers do *not* have access to the keys. Indeed, if the data is encrypted in this way, local storage is not so important, since the NSA will have an equally hard time decrypting it wherever it is held – as far as we know, that is.
Because of that recent US court judgment ordering Microsoft to hand over emails held in Ireland, many people are now aware of the dangers of cloud computing in the absence of encryption under the control of the customer. But very few seem to have woken up to the problems of backdoors in proprietary software that I mentioned at the start of this post. One important exception is the German government, which according to Sky News is working on an extremely significant law in this area…
The NSA could get back door access into every data stored in Windows and now it can get access to data stored remotely, too. It’s total surveillance. Not even encryption can help.
I was contacted by a manager from Microsoft last week and after we exchanged some messages about the farce which is encryption in Windows he no longer had a counter argument. He found out, after some research, that I was in fact right. I was previously (almost a decade ago) ridiculed by top-level Microsoft staff for suggesting that encryption in Windows could easily be subverted, by design. Around that time Microsoft’s Allchin was seemingly worried about back doors and he was quoted on it (the Allchin article is hidden to many as the link has changed). Some of it is very old, but we have written about Bill Gates’ support of back doors since the early days of this Web site. Microsoft back doors in Windows go beyond just remote access and descend down to encryption, caused by a deficient-by-design (or generally bad) encryption. When we cited Cryptome's findings we received an overwhelming (and supporting) attention. The management from Microsoft tried to change our article (asking for changes) despite the article being correct. As stated in comments in Soylent News: “when my Windows 8.1 tablet recommended that I turn on encryption, as soon as I clicked “no” to handing my administrator user over to Microsoft, it disabled encryption.”
I showed it to Microsoft management, whereupon they checked and confirmed that this was true. No response since, hence we can assume there’s no counter argument.
In summary, Microsoft betrays the privacy of Windows users at many levels. No nation should deem Windows suitable for use (at any level) and ridicule is probably well deserved where one defends Windows as ‘secure’. █
Send this to a friend
Summary: Home Depot learns its lesson from a Microsoft Windows disaster, but it stays with proprietary software rather than move to software that is actively audited by many people and is inherently better maintained (Free/libre software)
MEDIA that is owned by large corporations likes to talk about FOSS bugs that have logos and brands not because there are many known incidents where harm was done but because FOSS is an easy scapegoat. Microsoft Windows, which has had bug doors for nearly two decades (very serious and remotely exploitable), should not be used on any production environment, but some businesses are evidently foolish enough to put it on critical systems, knowing damn well (they definitely should know it by now) that the NSA collaborates with Microsoft on back doors access and uses back doors for espionage (both industrial and political).
Earlier this year we asked journalists to call out Windows and urged Home Depot to speak about the role of Microsoft Windows in its massive (existence-threatening) incident that left millions of people (with credit card details) in the hands of crackers.
Microsoft Windows — not some FOSS bug with a logo and/or a name — punished not only Home Depot but also millions of innocent customers who did not know that Home Depot relied on Microsoft Windows for storing/processing sensitive details.
“Microsoft Windows — not some FOSS bug with a logo and/or a name — punished not only Home Depot but also millions of innocent customers who did not know that Home Depot relied on Microsoft Windows for storing/processing sensitive details.”Now there is acknowledgement of this, based on the report “Home Depot blames Windows for record hack, rushes out to buy Macs and iPhones afterward”. So basically they are moving to another proprietary platform with back doors. Apple has already admitted the existence of back doors in iOS, for example, and tried to pass them off as “diagnostics”. If Home Depot is serious about security, then GNU/Linux and other Free software (even BSD) should be universally used at Home Depot.
Home Depot should generally cleanse itself of proprietary software, which is totally unsuitable for credit cards handling because it has back doors and other security issues, mostly inherent issues. Other companies should learn from Home Depot’s mistake and never again process important data using proprietary software. The bad reputation that Home Depot gets from this incident is now putting the whole business in jeopardy and based on news reports about surveillance software Skype (after the Microsoft takeover), Microsoft wants to put it at the very heart of businesses, enabling wiretapping of unprecedented proportions, even inside private businesses (not some mundane chats). Only days ago the Electronic Frontier Foundation warned that Skype is inherently insecure and so is WhatsApp, which is owned by a partly Microsoft-owned company (Facebook). Here is what Beta News wrote:
Secure communication is something we all crave online, particularly after Edward Snowden’s NSA revelations increased public interest in privacy and security. With dozens of messaging tools to choose from, many claiming to be ultra-secure, it can be difficult to know which one to choose and which one to trust. Electronic Frontier Foundation (EFF) has published its Secure Messaging Scorecard which rates a number of apps and services according to the level of security they offer.
Businesses should shun not only Microsoft but proprietary software in general (Microsoft tends to be one of the worst among them) if they wish to secure their communications, respect their customers’ safety, and ultimately assure their survival. Use of proprietary software is no joking matter; it can be lethal. The corporate press has hardly done enough — if anything at all — to highlight the real culprit in the Home Depot disaster. █
Send this to a friend
Summary: The back doors-enabled Microsoft Windows is being revealed and portrayed as the Swiss cheese that it really is after massive holes are discovered (mostly to be buried by a .NET propaganda blitz)
Windows ‘Update’, which essentially translates into Microsoft manipulating binaries on people’s machines without any changelog (at least not in source code form), is making the news again this month. Windows ‘Update’ is happening quite often (a monthly recurrence), but this time there is a lot to say about it.
The British NHS, which holds full medical records of very many individuals, recently received a lot of flack for sticking with an unsupported operating system that was released when I was a teenager instead of upgrading to recently-built Free software like GNU/Linux. Guess what happened to the NHS? “NHS XP patch scratch leaves patient records wide open to HACKERS” says the British press, meaning that not only the NSA gets access to NHS data:
Thousands of patient records could be left exposed to hackers, as up to 20 NHS trusts have failed to put an agreement in place with Microsoft to extend security support for Windows XP via a patch, The Register can reveal.
Another story of a botched update of Windows says that “Crypto attack that hijacked Windows Update goes mainstream in Amazon Cloud”:
Underscoring just how broken the widely used MD5 hashing algorithm is, a software engineer racked up just 65 cents in computing fees to replicate the type of attack a powerful nation-state used in 2012 to hijack Microsoft’s Windows Update mechanism.
That’s what one gets when using weak ciphers that the NSA promotes and Microsoft willingly spreads. Windows Update is a dangerous tool for many reasons not just because it is bricking Linux devices these days but because it’s a tool that gives the NSA a lot of power. Before an update kicks in the NSA is given information that allows it to take full control of PCs with Windows, remotely even (this is done every month). This may sound benign until one learns about Stuxnet (weaponised malware of the NSA) and considers this latest Patch Tuesday:
Microsoft is issuing the largest number of monthly security advisories since June 2011, five of them critical and affecting all supported versions of Windows. And applying the patches will be time consuming, experts say.
“Next week will tell us how many CVEs are involved but suffice to say, this patch load will be a big impact to the enterprise,” says Russ Ernst, the director of product management for Lumension.
CBS, being not just a proponent of espionage, mass surveillance, assassination and violent wars but also a proponent of back doors, had its site ZDNet downplay the above. “So far in calendar year 2014,” it said, “Microsoft has fixed 215 vulnerabilities in Internet Explorer” (lots of potential NSA back doors). Then come some lame excuses and damage control from Microsoft in the update, trying to make its bad record look like a positive, neglecting that fact that Microsoft has been secretly patching holes to yield fake numbers and give a false sense of security. Here is the full summary:
So far in calendar year 2014, Microsoft has fixed 215 vulnerabilities in Internet Explorer, with more coming out today. There have been security updates to Internet Explorer every month this year except for January.
This other report, titled “Potentially catastrophic bug bites all versions of Windows. Patch now”, does not entertain the possibility of back/bug doors in Microsoft Windows being exploited, despite that fact that Microsoft already told the NSA (prodifing exploit knowledge), which undoubtedly engages in illegal intrusions/cracking. A report from IDG notes that this bug is nearly two decades old and add that only “[w]ith help from IBM, Microsoft has patched a critical Windows vulnerability that flew under the radar for nearly two decades. ”
“How many times might this flaw have been exploited by now?”So IBM, despite having no access to source code (as far as we can tell), was perhaps the only reason why Microsoft addressed this issue two decades late, eh? How many times might this flaw have been exploited by now? A reader of us, alluding to that nonsense .NET PR, explains: “Perhaps a big reason for the PR teams trumpeting the open-core or freemium model?”
It sure serves as a good distraction. When Windows XP support (patches) came to an end a Microsoft-connected firm immediately (on the very same day) started throwing brands and logos in relation to an OpenSSL bug, stealing the show and spreading FUD for many months, generalising it so as to appear like a serious, inherent issue in FOSS.
Watch this critical remote code execution flaw in Windows. It is extremely serious, but there is no logo or brand for it (unlike FOSS FUD like “Heartbleed” or “Shellshock” — with a brand that was even perpetuated by the Russia-based Mandriva the other day). █
Send this to a friend
Summary: Cryptome has an article, comprised/composed of hard evidence, revealing ways in which Microsoft enables aggressive spies to break encryption
The FBI does not even pretend not to be pursuing back doors; quite the contrary! It demands them and now insists on legislation that would make them mandatory. The same goes for the NSA, Microsoft’s very special partner. Anyone who still thinks that back doors in encryption are within the realm of “conspiracy theory” must not have paid attention. We wrote about such issues more than half a decade ago. At this stage, judging by thousands of articles on the topic, these factual observations are very commonplace in the press, even in the corporate media.
“Anyone who still thinks that back doors in encryption are within the realm of “conspiracy theory” must not have paid attention.”“Microsoft backdoor bitlocker key escrow for the FBI & NSA,” writes to us David Sugar from GNU Telephony. “From the OS that loves to spy on you,” he added.
Some months ago we showed that a former Microsoft engineer working on Windows BitLocker confirmed that the US government asks Microsoft for back doors and now we have more details on how this is done, courtesy of cryptology enthusiasts in Cryptome:
Microsoft OneDrive in NSA PRISM
1) Bitlocker keys are uploaded to OneDrive by ‘device encryption’.
“Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected.
If the device is not domain-joined a Microsoft Account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to online Microsoft account and TPM protector is created.”
2) Device encryption is supported by Bitlocker for all SKUs that support connected standby. This would include Windows phones.
“BitLocker provides support for device encryption on x86 and x64-based computers with a TPM that supports connected stand-by. Previously this form of encryption was only available on Windows RT devices.”
3) The tech media and feature articles recognise this.
“… because the recovery key is automatically stored in SkyDrive for you.”
4) Here’s how to recover your key from Sky/OneDrive.
“Your Microsoft account online. This option is only available on non-domain-joined PCs. To get your recovery key, go to …onedrive.com…”
5) SkyDrive (now named OneDrive) is onboarded to PRISM. (pg 26/27)
When Microsoft speaks about security it usually means “national security”, i.e. the ability of the state to break security of software. It’s about interception, not security. When Microsoft speaks about ‘secure boot’ it speaks about an antifeature in UEFI that enables the state to remotely brick computers, too.
The sad thing is that amid many BSD milestones as of recently (FreeBSD, OpenBSD, PC-BSD and others) there are those who fall for the false promise of UEFI, which does more harm than good to security. OpenBSD, which takes security very seriously, has already blasted UEFI 'secure boot' and blasted those who support it (including Red Hat), whereas FreeBSD got bamboozled into UEFI 'secure boot' and with it, the FreeBSD-derived PC-BSD gets bamboozled too:
Marking the twenty-first birthday of FreeBSD was the release of FreeBSD 10.1-RC4 and separately was the FreeBSD-derived PC-BSD 10.1 RC2 release.
FreeBSD 10.1-RC4 is expected to be the final RC build of FreeBSD 10.1 and brought fixes for ATA CF ERASE breakage and a race fix that could cause an EPT misconfiguration VM-exit.
More details on FreeBSD 10.1-RC4 can be found via its Sunday release announcement. The official release of FreeBSD 10.1 is now hopefully a few days out with its many new features and changes.
This is not a good idea at all. PC-BSD needs to follow the example set by OpenBSD, not FreeBSD (with its codebase). It sure starts looking like not only Microsoft but Red Hat too is bending over to its lucrative clients and contracts with the Deep State. Based on established observations from one decade ago, including more recent developments that Red Hat refuses to comment on, it seems possible that back doors in encryption (by default) is the de facto standard among large corporations. When they speak about “security” there must be fine prints and they’re omitted from the advertising. At risk of breaking the silence about
systemd (because we don’t want to inflame ‘civil wars’),
systemd replaces/obviates so much highly mature software that it certainly increases the likelihood of bug doors being introduced in RHEL/Red Hat (
systemd‘s patron) and by extension/inheritance many other distributions of GNU/Linux. █
Send this to a friend
“Our products just aren’t engineered for security.”
–Brian Valentine, Microsoft executive
Summary: Following the familiar pattern of FOSS FUD, wherein we see Microsoft partners badmouthing FOSS over “security” (ignoring much worse problems in proprietary software), FOSS gets widely bashed in the British media
MICROSOFT has made many back doors available for the FBI and for the NSA. We have covered this for over half a decade and given concrete examples. Our next post will give yet another new example.
So, how does Microsoft have the audacity to tell us — usually by proxy — that Free software is not secure? Yes, Free software has some bugs (not many are critical), but Microsoft software is insecure by design. There are lots of back doors in Windows XP, for example, but the British NHS, which holds medical records (highly sensitive) of tens of millions of people (including my family), continues using it based on this new report:
Many UK NHS Trusts are at risk of missing the extended cut-off deadline for Windows XP support in April 2015, according to the results of several Freedom of Information requests by software firm Citrix.
Although the government acquired a support extension, the FOI request found that the trusts have been slow to make the transition, or are simply unsure when their transition would be complete.
Why on Earth are they not migrating to GNU/Linux yet? I have been part of British migrations to GNU/Linux, both in the private sector and government, and all I can say is that it always works. Not only does it save money but it also produces more secure and more stable systems.
“Entertaining more of that nonsense about FOSS being less secure than platforms with back doors or about Microsoft loving the competition that hurts it the most is probably a waste of time.”Trend Micro littering the British press at the moment with anti-FOSS messages that promote Microsoft, not mentioning back doors. We need not link to any examples because there are many of them this afternoon, but we have confronted Trend Micro UK and publications that gave it a platform today. So has the President of the OSI. Trend Micro has a FOSS-hostile track record, so it hasn’t been too surprising.
Speaking of poor journalism that’s actually PR in disguise, watch what IDG is doing right now. A new article by Eric Knorr of InfoWorld (editor), perhaps infatuated/in love with his sponsor (ads), repeats Microsoft's lie that it loves Linux
Entertaining more of that nonsense about FOSS being less secure than platforms with back doors or about Microsoft loving the competition that hurts it the most is probably a waste of time. The next post will show another back door that Microsoft deliberately put it its common carrier. █
Send this to a friend
“Our products just aren’t engineered for security.”
–Brian Valentine, Microsoft executive
Summary: Microsoft’s insecure-by-design software is causing massive damages (possibly trillions of dollars in damages to date) and yet the corporate press does not ask the right questions, let alone suggest a ban on Microsoft software
According to the New York Times and other news sites, “Staples Is Latest Retailer Hit by Hackers” because it was using Microsoft Windows. Well, other recent examples included UPS, which basically hurt millions of people because it let crooks have lots of credit card details. The TJ Maxx heist and other credit card heists were also the fault of Microsoft Windows, not GNU Bash or OpenSSL, among other bits of software that dominate the news in the context of security. It sure looks like Microsoft Windows is the target, not FOSS. There are hardly any stories at all about an apocalypse or any great damage caused by bugs in Bash or in OpenSSL. So go figure what the press is doing, in part because the OpenSSL bug has been hyped up by Microsoft partners at a very strategic time (same day as Windows XP support ending).
As Will Hill put it the other day, “Business Week Covers Up for Microsoft In Target Hack and Misses the Big Story”. Mr. Hill adds that “The US government covering up for Microsoft is not too surprising after learning about the HACIENDA program . That’s a massive program where the US government has been cracking servers and ordinary around the world to serve as botnets. If everyone used software that was better then Microsoft’s intentionally weak garbage, GHCQ, NSA and other spooks would not be able to cover their tracks. Because of US government promotion of Microsoft and their combined incompetence, criminals around the world have it easy. NSA spying has put trillions of dollars in commerce at risk.”
Those botnets do even greater damage than what was done at Staples. They are taking down a lot of Web sites and fill the Internet with heaps of SPAM. To quote our reader, complaining about articles like these: “Somehow they manage to omit the key role of Windows yet again.” They must call out Windows.
Another new article was sent to us by a reader. It is titled “Computer users who damage national security could face jail” and it was published by a Bill Gates-sponsored newspaper. This reader of ours asked: “What about those that knowingly deploy Windows on machines connected to the Internet?”
Our sites are still under DDOS attack (for over a month ago). Tux Machines has been offline for several hours now after a DDOS attack from Windows botnets hit it.
Why are ISPs still permitting customers to connect to the Internet with Windows? When will ISPs or users face liability for the damage they cause? Some people have been trying to take down my sites for well over a month now and they have used Microsoft Windows as a weapon. Windows has weaponised back doors, so it should be banned already.
Speaking of takedowns, watch the latest commentary [1,2] about Microsoft breaking the law to take material and sites (or even entire networks) offline, despite them doing nothing illegal.
The corporate media should start directing some tough questions at Microsoft, not just its victims. The company should face massive fines for the damages it causes on the Web. Ultimately, its software should be banned until security — not insecurity (weaponised back doors) — is its goal. █
Related/contextual items from the news:
Microsoft has gained immense popularity over its never-ending war on software piracy. However, this time, the company appears to have caused a bit of collateral damage. So who are the victims? A handful of prominent and highly acclaimed YouTube video bloggers.
Oh, Microsoft. The company has now admitted that it ended up sending a bunch of DMCA takedown notices on non-infringing videos, all because someone had posted product keys in comments to those videos. To its credit, Microsoft has apologized and said that it has “taken steps to reinstate legitimate video content and are working towards a better solution to targeting stolen IP while respecting legitimate content.” That’s all well and good, but this seems like the kind of thing that they should have done long before issuing obviously bad takedowns. This is the kind of thing that happens when you have a tool like the DMCA notice-and-takedown provision that makes it just so damn easy to censor content. Those issuing the takedowns do little to nothing to make sure the content being removed actually infringes. They just use either automated means or someone rushing through the process with little review, sending off takedowns willy nilly with no real concern about how they might kill off perfectly legal content. It still boggles the mind that a basic notice-and-notice regime couldn’t suffice to handle situations like this. That and making sure that those issuing bogus DMCA notices receive some sort of real punishment to give them the incentive to stop sending bogus takedowns.
Send this to a friend
« Previous Page — « Previous entries « Previous Page · Next Page » Next entries » — Next Page »