SUSE (or MicroFocus) won’t even tell customers when its systems are in fact compromised
Summary: The same old and very notorious behaviour we found in Novell persists at SUSE under MicroFocus leadership; security neglected and keeping up appearances more important than honesty
TECHRIGHTS wrote many thousands of articles about Novell. We know Novell extremely well and we have documented its terrible behaviour for over half a decade, well before we began focusing on the EPO for example. As we shall show later, in a separate post, Microsoft’s and Novell’s “IP Peace of Mind” is making a comeback (as of last night), but right now we wish to focus on the crack I first wrote about on Monday (it has since then generated some press coverage, e.g. [1-3] below).
A lot of people still miss the key point. IDG even went ahead with a rather misleading headline, as did Softpedia; rather than state the actual news (that OpenSUSE got cracked) the title says or overstates the ‘damage control’ from SUSE, diverting attention to what was not affected rather than what was affected (a politician’s trick). We used to see lots of that kind of spin back in the Novell days and the 2 articles below, having sought comment from SUSE, give SUSE the benefit of the doubt here. Remember that no evidence has been presented by SUSE and moreover the gross negligence here is a bad sign in general. That’s just “faith-based” security. My article about it was so short that it was mostly a screenshot, yet we understand that further coverage is on its way. So let’s elaborate a little. “They were using an outdated version of WordPress and got zapped,” one person wrote to me after I had published my findings. “It was just the front-end, no code was touched.” But says who? SUSE? Can we believe them?
Whatever caused the defacement, it shows that they lost control of their platform. They did get cracked. Softpedia reported that “openSUSE devs immediately restored the news.opensuse.org website from a recent backup” (so the back end too appears to have been compromised).
Nobody has yet covered that issue as properly as we hoped (poor security practices at SUSE) and the fact that they COMPLETELY FAILED or refused to publicly acknowledge what had happened is a serious aspect of it. We waited patiently to see if an announcement would be made by then, even a reassurance that users should not worry. But nothing came out! To this date (half a week later). They attempted to cover it up, which is BAD BAD BAD. For a so-called “Enterprise-Grade” thing which SUSE tries to market itself as (selling SLE*) this is a serious breach of trust. Who would trust SUSE now?
3 news sites and my own site wrote about it, but not a single word has been uttered by SUSE. They know they got cracked and they are not telling anyone, except when journalists ask them for comment (and press them with evidence).
OpenSUSE has a history of security issues in its sites (see “openSUSE Forum Hacked; 79500 Users Data Compromised” from 2014). Where are the reporters who are willing to ask SUSE some tough questions? Don’t let this slide. If someone injected a back door inside SLED and SLES, SUSE would probably say not a thing, only belatedly removing it and then lying about the whole thing, just like Microsoft does. █
In the news:
Softpedia was informed by Dr. Roy Schestowitz that the openSUSE News (news.opensuse.org) website got defaced by Kurdish hacker MuhmadEmad on the day of February 6, 2017.
It would appear that the server where the news.opensuse.org website is hosted is isolated from the rest of openSUSE’s infrastructure, which means that the hacker did not have access to any contributor data, such as email and passwords, nor to the ISO images of the openSUSE Linux operating system.
We already talked with openSUSE Chairman Richard Brown, who confirms for Softpedia that the offered openSUSE downloads remain safe and consistent, and users should not worry about anything. The vigilant openSUSE devs immediately restored the news.opensuse.org website from a recent backup, so everything is operating normally at this time.
The openSUSE team acted quickly to restore the site. When I talked to Richard Brown, openSUSE chairman, he said that “the server that hosts ‘news.opensuse.org’ is isolated from the majority of openSUSE infrastructure by design, so there was no breach of any other part of openSUSE’s infrastructure, especially our build, test and download systems. Our offered downloads remain safe and consistent and there was no breach of any openSUSE contributor data.”
The team is still investigating the reason for the breach so I don’t have much information. The site ran a WordPress install and it seems that WordPress was compromised.
This site is not managed by the SUSE or openSUSE team. It is handled by the IT team of MicroFocus. However, Brown said that SUSE management certainly doesn’t want any such incident to happen again and they are considering moving the site to the infrastructure managed by SUSE and openSUSE team.
In the latest Linux news, the news.opensuse.org got hacked and displayed “KurDish HaCk3rS WaS Here” for a while Monday and while the site has been restored, no comment on the hack has been issued. Elsewhere, Debian 9.0 has entered its final freeze in the last steps in preparations for release. FOSS Force has named their winner for top distro of 2016 and Swapnil Bhartiya shared his picks for the best for 2017. Blogger DarkDuck said MX-16 Xfce is “very close to the ideal” and Alwan Rosyidi found Solus OS is giving Elementary OS a run for its money. Phoronix.com’s Michael Larabel explained why he uses Fedora and Jeremy Garcia announced the winners of the 2016 LinuxQuestions.org Members Choice Awards.
openSUSE’s news portal was compromised Monday by a hacker or group of hackers called MuhmadEmad, via the message left in its place. A Kurdish flag with the message “HaCkeD by MuhmadEmad – KurDish HaCk3rS WaS Here” was displayed for hours before it was taken down and the site’s content restored. Roy Schestowitz has a screen capture and said that openSUSE has not yet publicly acknowledged the hack. Swapnil Bhartiya spoke to Richard Brown, openSUSE chairman, who said that site was isolated from most SUSE infrastructure, especially the distribution code. There was no breach of any contributor data either. The site in question is run by MicroFocus, but all are investigating to make sure it’s an isolated incident.
Summary: Why running GNU/Linux distributions on top of Azure is begging not only to be taxed by Microsoft but also to be under surveillance by Microsoft and the NSA/CIA
OEMs should not preload Windows on PCs because they turn these PCs into spying devices right out of the box (there are NSA back doors in Windows) and no government should ever touch anything from Microsoft anymore (mind this silly promotion), especially knowing how the NSA spies on ‘ally’ governments. Everything has changed since Snowden put out evidence to show what many of us already knew for years. Here is a bunch of new Windows back doors for those who believe it’s old news (the NSA gets prior notifications about those holes before they are plugged).
A few days ago we got confirmation of Microsoft not only engaging in Skype spying/eavesdropping (in real-time) but also allowing others to do so. It’s not a design flaw, it’s intentional. Dan Gilmore said, “How can any business even begin to trust Microsoft now?”
When Dr. Glyn Moody, another occasional author who writes for The Guardian, found out about NSA back doors, he wrote the article “How Can Any Company Ever Trust Microsoft Again?” This article went viral and also got some translations. It makes similar points to the ones above. Anybody foolish enough to still trust Microsoft is simply deserving of the Darwin Award.
The news about Microsoft-NSA collusion received a lot of press coverage, including some in pro-FOSS sites, even in numerous different languages (I saw over a hundred headlines while researching the subject). This is really hurting Microsoft, which is struggling to spin what it just cannot deny. Not only was Microsoft shown to be colluding with the NSA (PRISM lists Microsoft as the first partner) but it also got caught lying to the public.
At this stage, anybody foolish enough to host anything on Microsoft Azure just simply deserves to be spied on. Given what we know, surveillance just ought to be the expectation, not a theory or a hypothesis. Canonical was stupid enough to end up aiding the criminals when it signed a deal with the devil (Azure). Then again, it’s not as though Canonical cherishes users’ privacy; it gives Amazon (hence the NSA) some data about users’ local searches — something which even Microsoft is not doing just yet (although other reports which Richard Stallman speaks of say that this has been going on for many years). Knowing that Microsoft uses faux ‘encryption’ with back doors, expect nothing to be secure. It’s just not designed to be secure, it’s designed to serve US “national security”, which basically means US interests — whatever they may be.
Given SUSE’s financial dependence on Microsoft, it is not surprising to see it being hosted on Microsoft servers with surveillance. Watch this new interview with a SUSE official. Notice how almost the entire interview is about Microsoft and it says:
MS and Linux at Loggerheads is History: Peter Lees, Suse
SUSE Linux is in a great position of being the only enterprise Linux recommended for Microsoft and VMware.
Microsoft would like to tax GNU/Linux through SUSE, with or without Azure in the underlying platform.
Gilmore and Moody are currently being joined by John Dvorak, who explains “Why We Can No Longer Trust Microsoft” (after the NSA revelations). To quote:
If anyone should be mad at the NSA for all the snooping that appears to be going on, it should be the Department of Commerce, not privacy advocates. The recent revelations are not a threat to national security so much as a threat to the national economy. And if I were Microsoft, I’d be having around-the-clock meetings to discuss how to fix what is about to happen.
Microsoft, despite denials, appears to be in bed with the NSA. Apparently all encryption and other methods to keep documents and discussions private are bypassed and accessible by the NSA and whomever it is working with. This means a third party, for whatever reason, can easily access confidential business deals, love letters, government classified memos, merger paperwork, financial transactions, intra-corporate schemes, and everything in between.
Anybody who puts GNU/Linux on top of Azure should not only expect to pay patent tax to Microsoft but should also expect government surveillance on everything. We know that storage servers as a whole, not just routers, have back doors. Free software and GNU/Linux are the way to go, provided there is no proprietary bug in the stack. █
Further restrictions and obscurity in the age of NSA Fibre-tapping
Summary: How SUSE continues to show loyalty to Microsoft, which has paid on multiple occasions for its agenda to be served
Novell helped OOXML and Hyper-V after Microsoft had bribed Novell’s management (hundreds of millions of dollars which mostly benefited people like Ron Hovsepian and Jeff Jaffe, who currently ruins the Web) and later scooped Novell’s patents, too (via CPTN).
As we noted last year and earlier this year, much of the force for UEFI restricted boot in Linux can be attributed to developers from Novell [1, 2] (some no longer work directly on SUSE or OpenSUSE) and now that Microsoft Linux (SUSE) has a new Service Pack, it is prominently marketed as sucking Microsoft's dick, to paraphrase Linus Torvalds on such matters. To quote Michael Larabel, who is by no means hostile towards SUSE, the “Nuremberg-based company calls this the first enterprise Linux distribution integrating UEFI Secure Boot support.”
Ubuntu and Fedora have already made releases for this and suffered delays as well. To focus on restricted boot in this case is merely to endorse or even advertise what Microsoft is doing. Then again, SUSE has been endorsing and advertising Microsoft for almost seven years, having purged from its Web site any material critical of Microsoft (this mass destruction began in 2006, very shortly after the patent deal with Microsoft).
Here is another take on the news, among several from longtime Novell/SUSE apologists [1, 2] and a corresponding press release from the Microsoft-funded SUSE.
Sam Varghese, the “Open Sauce” writer at IT Wire and a longtime Novell sceptic, warns that SUSE now helps make restricted boot compulsory on servers. He asks: “Does the Germany-based GNU/Linux company SUSE know something about Microsoft’s secure boot plans that other Linux companies do not?”
That is a rhetorical question because SUSE is the de facto Microsoft Linux and everyone should avoid it. SUSE uses euphemisms like “secure boot” and “service pack” (secure pack?) to market what is essentially a Microsoft-taxed GNU/Linux distribution which Microsoft profits from and technically controls.
Varghese correctly notes that “[g]iven Windows 8 desktop take-up by businesses that can only be described as a disaster, one would have thought that Microsoft would think twice about making lockout mechanisms such as secure boot compulsory for its server range.”
But those lockout mechanisms are controlled by Microsoft keys, so they are only effective at blocking Microsoft’s competition, not Microsoft products. UEFI deserves more antitrust complaints and SUSE continues to deserve a stern objection, or a boycott. █
Summary: ‘Former’ Microsoft staff is shaping opinions, controlling messages, and disseminating its own version of the data about FOSS
Microsoft has been indirectly funding the development of Mono for a number of years. Mono is about promoting .NET, not promoting FOSS (just targeting FOSS developers). Mono is a thing of the past as far as GNU/Linux desktops are concerned. Xamarin will try to spread it to Android, but so far there has been little progress on this. Developers who appreciate FOSS learned to antagonise this Microsoft technology.
Richard Hillesley explains in his new column that in the FOSS world people have ostracised this bit of Trojan horse/infiltration tactic. To quote the ending paragraph which cites Richard Stallman:
According to Stallman, the problem was “not in the C# implementations, but rather in Tomboy and other applications written in C#. If we lose the use of C#, we will lose them too. That doesn’t make them unethical, but it means that writing them and using them is taking a gratuitous risk.”
Juniper, in the meantime, having also become full of Microsoft people (we lost count of how many, but here are some examples [1, 2, 3, 4, 5]), has now made an Executive VP out of Microsoft’s Bob Muglia, who in turn can infiltrate Microsoft threats. It’s a familiar pattern of conduct. Just see other companies that got hijacked by Microsoft veterans.
In other news, notice how FOSS events which groom Black Duck actually have Microsoft as a top sponsor (these are partners which promote one another), based on the official Web site. It’s not a coincidence. The funding controls these events. They are controlling messages, controlling data, and basically doing what Microsoft wants them to do.
OpenLogic, which is run by a Microsoft veteran, promotes Azure and openwashes it, giving us yet another example of Microsoft’s infiltrations in FOSS.
Over at the ‘Microsoft press’, the booster Kurt Mackie uses promotional language to characterise the Microsoft-sponsored SUSE and Microsoft proxy "Microsoft Open Technologies Inc."
These are only some of the many examples where Microsoft-affiliated folks try to distort the views of FOSS. Resistance to this ongoing assimilation attempt is vital for the survival of FOSS as a meaningful distinguisher. It’s not about intolerance, it’s about defending ourselves from what Microsoft knows too well to be a charm offence. It’s offensive. █
“There’s no company called Linux, there’s barely a Linux road map. Yet Linux sort of springs organically from the earth. And it had, you know, the characteristics of communism that people love so very, very much about it. That is, it’s free.”
Summary: The resemblance between Microsoft’s strategy against free Linux phones (Android) and against free GNU/Linux servers, two areas of FOSS domination
Microsoft is frantically trying to stop GNU/Linux by robbing it in the development sense. On the server side, the de facto operating system is not Windows and Microsoft would love to change that by striking deals with companies like BitNami. Here is the latest press release about it. Microsoft has been using a "man in the middle" style of attack against real FOSS (i.e. FOSS that is not tied to a proprietary stack) and the latest openwashing about it can be found here. It says: [hat tip: iophk]
Last week, Microsoft Open Technologies, Inc. quietly turned one year old. The birthday passed without fanfare, but next week, Microsoft plans to host a birthday party at its Silicon Valley campus.
More PR nonsense. It is not even news. All this thing should be considered to be is an attack on free systems like GNU/Linux and *BSD. Here we see, in another new press release, the Microsoft-sponsored SUSE playing along. SUSE pays Microsoft for GNU/Linux and so does this new product from Amazon. Dell, which Microsoft is taking control of these days, favours Microsoft’s SUSE as well now.
Canonical, which has been aiding Microsoft as of late, does this too with Dell. To quote:
Dell’s (NASDAQ: DELL) not the only big-name channel partner with which Canonical, the company that develops Ubuntu Linux, has been forging closer ties lately. On Tuesday, as Microsoft (NASDAQ: MSFT) announced the general availability of Windows Azure Infrastructure Services, Canonical was also playing up Ubuntu’s seamless integration into the Azure cloud platform—a move that makes much more sense than it might at first seem.
All we are seeing here is Microsoft’s attempts to tax GNU/Linux servers, making them more expensive while offering the same applications under Windows. The same strategy is being used against Android. This is not some far-fetched theory. Microsoft has been very clear about that. █
“I would love to see all open source innovation happen on top of Windows.”
–Steve Ballmer, Microsoft CEO
Summary: Patent tax on Linux is still far from dead, due to proxies of Microsoft
Several months ago (almost half a year) I started just simply ignoring all SUSE and OpenSUSE news, including stories of Microsoft patent tax coming through SLE*, but this one I could not just ignore because it’s posted in the OpenSUSE site and it says:
If that’s the way of support we may experience in the future, I am forced to stop actively promoting the project.
Some sites which promoted the project for years sometimes still do so, but I could name a few which no longer cover it, or very rarely do. SUSE is now funded by Microsoft and the 'old Novell' still tries to get money from Microsoft for its abuses in the 90s. Here is the latest:
Novell has filed its opening appeals brief [PDF] in the Novell v. Microsoft antitrust litigation regarding WordPerfect.
Another company that turned from a controversial Linux contributor (NTFS driver) into a Microsoft taxman is Tuxera, which now offers several patent tax options for several platforms including Android. From its latest press release:
Tuxera comprehensive file systems portfolio for storage solutions and other embedded devices include Tuxera NTFS, Tuxera exFAT, Tuxera HFS+, and Tuxera FAT.
Those are Microsoft patent Trojan horses. Just like SUSE in its different ‘flavours’, these should all be avoided. For those who think that Apple file systems (HFS+) are benign, remember Apple’s patent aggression against Linux and consider this latest action which involves software patents:
In ongoing legal proceedings in California, Apple has added six new devices to its patent infringement claims against rival Samsung, getting them in late Friday evening ahead of a deadline on changes to the scope of the complaint. The new additions essentially cover just about every piece of Samsung hardware now available in the U.S. market, with modifications that also account for recent software updates.
We should reject every technology which is associated with Apple. This branding company clearly still wants war. Groklaw, which covered the above case better than anyone, has just received a sort of award and finished putting all the trial transcripts from Oracle vs. Google online:
I’m happy to tell you that we now have all the remaining trial transcripts from the Oracle v. Google trial, and you can find them all in the Oracle v. Google Timeline by date.
These attempts to tax Linux/Android using patents have been largely facilitated by the USPTO, but they are not successful yet, with the exception of Microsoft’s FAT patents. █
Summary: Arguments against the GPLv3 turn out to have come from companies which all along were nothing but trouble
The third version of the GPL is largely accepted, widely adopted, and those who are affected by it are mostly out of business, e.g. Novell. Novell and SUSE opposed the GPLv3. “Linus is changing distros,” told us iophk, quoting Linus Torvalds as saying: “I gave OpenSUSE a try, because it worked so well at install-time on the Macbook Air, but I have to say, I’ve had enough. There is no way in hell I can honestly suggest that to anybody else any more.”
“That’s good news,” says iophk. But another company which the GPLv3 affects is TiVo, which not only pioneered the malpractice now known as “TiVoization” but also became a patent aggressor with growing appetite (it wants billions of dollars from software patents). TiVo is a very bad company, no matter if it leverages Linux. See our TiVo wiki page for details. Might all Americans with cable television be forced to pay “TiVo tax” for some software patents?
The GPLv3 sought to address two problems which TiVo makes real. The obvious one is “TiVoization”; the other one is software patents. Sadly, a Microsoft marketing executive created a company which routinely bashes the GPL. It is called Black Duck and days ago we found yet more statistics that contradict its dubious, proprietary output (saturated with Microsoft input after a Microsoft deal). We put that in our daily links.
In other news, trolls suffer a loss against Nintendo in the US:
Today sees Nintendo of America prevailing in a patent infringement lawsuit. At the center of the case was the Wii remote, Wii Balance Board, and Wii Fit software. Impulse technology claimed that these three devices or software infringed upon their patent (U.S. Patent No 5,524,637) which was issued in 1996.
Note that this is an American lawsuit. Nintendo is not an American company, but this is where the patent system breeds trolls. We need the GPLv3 to prevent this, but first the licence must become widespread. It’s clear why Microsoft spreads a lot of FUD about it, usually through proxies. █
Microsoft is FOSS is Microsoft
Summary: How Microsoft staff and money help change the message of its opposition
THE LINUX FOUNDATION continues to promote ‘Microsoft Linux’ in a variety of ways. This is one of two examples from this week — an example where an offering from SUSE gets lip service from a SUSE-funded (which is in turn Microsoft-funded) organisation. Another company with Microsoft ties gets its say on FOSS after issuing a press release that can be found here. Over the years we have shown examples (here is a recent example [1, 2]) where Microsoft connections and funding helped change the policy and message of FOSS, so this subject is important. It aids the propaganda machine whenever the opposing side gets infiltrated. █
“I would love to see all open source innovation happen on top of Windows.”
–Steve Ballmer, Microsoft CEO