Bonum Certa Men Certa

U.S. Department of Homeland Security/Cybersecurity and Infrastructure Security Agency (CISA) Repeating or Parroting Microsoft Talking Points

posted by Roy Schestowitz on Dec 17, 2023

Secure by Design Alert: How Manufacturers Can Protect Customers by Eliminating Default Passwords

FOUR days ago we politely complained that some media echoed talking points about "Log4Shell" being a major threat. It was patched more than 2 years ago, so why does this FUD make a comeback all of a sudden?

CISA, where Microsoft writes policies, is at it again. We want to alert readers, at the very least by citing the material in question. We want to demonstrate our point by at least bringing up one media report and the original from CISA. Yes, there are more examples, but 2 ought to suffice.

"log4j" - connected to the above - is still being brought up this year by the Linux Foundation (by media sites that it is funding! Linux Foundation head honchos worship Bill Gates for computer security) and it is still getting milked by the Microsofters, an associate reminds us, and it is now softening the heads of government officials. see the 2 CISA items below (from Daily Links):

  1. CISA urges vendors to get rid of default passwords

    The call to action comes shortly after CISA, the National Security Agency and Office of the Director of National Intelligence released additional secure-by-design guidance for open source software development. The release is a product of the Enduring Security Framework’s Software Supply Chain Working Group, which is made up of NSA, ODNI and CISA. The guidance is a part of a larger effort to secure the software supply chain that stems from an executive order on improving U.S. cybersecurity.

    “Software incorporated and/or utilized through open source may have embedded issues. It is imperative that we pay close attention to how these modules are bundled with the software at release,” the release said.

  2. Securing the Software Supply Chain: Recommended Practices for Managing Open-Source Software and Software Bill of Materials [PDF]

    Similarly, the ESF Software Supply Chain Working Panel established this second phase of guidance to provide further details for several of the Phase I Recommended Practices Guide activities. This guidance may be used to describe, assess, and measure security practices relative to the software lifecycle. Additionally, the suggested practices listed herein may be applied across a software supply chain’s acquisition, deployment, and operational phases. The software supplier is responsible for liaising between the customer and software developer. Accordingly, vendor responsibilities include ensuring the integrity and security of software via contractual agreements, software releases and updates, notifications, and the mitigation of vulnerabilities. This guidance contains recommended best practices and standards to aid customers in these tasks.

    This document aligns with industry best practices and principles that software developers and software suppliers can reference. These principles include managing open-source software and software bills of materials to maintain and provide awareness about software security.

Also note their use of the term "open-source" instead of the normal "open source". The hallmark of openwashing PR.

We kindly and humbly wish not to speculate or comment any further. We just present that for what it is.

Other Recent Techrights' Posts

Google Can Kill Mozilla Any Time It Wants
That gives Google far too much power over its rival... There are already many sites that refuse to work with Firefox or explicitly say Firefox isn't supported
Free (as in Freedom) Software Helps Tackle the Software Liability Issue, It Lets Users Exercise Greater Control Over Programs
Microsofters have been trying to ban or exclude Free software
In the US, Patent Laws Are Up for Sale
This problem is a lot bigger than just patents
ESET Finds Rootkits, Does Not Explain How They Get Installed, Media Says It Means "Previously Unknown Linux Backdoors" (Useful Distraction From CALEA and CALEA2)
FUD watch
Techdirt Loses Its Objectivity in Pursuit of Money
The more concerning aspects are coverage of GAFAM and Microsoft in particular
Techrights' Statement on Code of Censorship (CoC) and Kent Overstreet: This Was the Real Purpose of Censorship Agreements All Along
Bombing people is OK (if you sponsor the key organisations), opposing bombings is not (a CoC in a nutshell)
Links 23/11/2024: Press Sold to Vultures, New LLM Blunders
Links for the day
Links 23/11/2024: "Relationship with Oneself" and Yretek.com is Back
Links for the day
Links 23/11/2024: "Real World" Cracked and UK Online Safety Act is Law
Links for the day
Links 23/11/2024: Celebrating Proprietary Bluesky (False Choice, Same Issues) and Software Patents Squashed
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, November 22, 2024
IRC logs for Friday, November 22, 2024
Gemini Links 23/11/2024: 150 Day Streak in Duolingo and ICBMs
Links for the day
Links 22/11/2024: Dynamic Pricing Practice and Monopoly Abuses
Links for the day
Topics We Lacked Time to Cover
Due to a Microsoft event (an annual malware fest for lobbying and marketing purposes) there was also a lot of Microsoft propaganda
Microsofters Try to Defund the Free Software Foundation (by Attacking Its Founder This Week) and They Tell People to Instead Give Money to Microsoft Front Groups
Microsoft people try to outspend their critics and harass them
[Meme] EPO for the Kids' Future (or Lack of It)
Patents can last two decades and grow with (or catch up with) the kids
EPO Education: Workers Resort to Legal Actions (Many Cases) Against the Administration
At the moment the casualties of EPO corruption include the EPO's own staff
Gemini Links 22/11/2024: ChromeOS, Search Engines, Regular Expressions
Links for the day
This Month is the 11th Month of This Year With Mass Layoffs at Microsoft (So Far It's Happening Every Month This Year, More Announced Hours Ago)
Now they even admit it
Links 22/11/2024: Software Patents Squashed, Russia Starts Using ICBMs
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, November 21, 2024
IRC logs for Thursday, November 21, 2024