U.S. Department of Homeland Security/Cybersecurity and Infrastructure Security Agency (CISA) Repeating or Parroting Microsoft Talking Points

posted by Roy Schestowitz on Dec 17, 2023

Secure by Design Alert: How Manufacturers Can Protect Customers by Eliminating Default Passwords

FOUR days ago we politely complained that some media echoed talking points about "Log4Shell" being a major threat. It was patched more than 2 years ago, so why does this FUD make a comeback all of a sudden?

CISA, where Microsoft writes policies, is at it again. We want to alert readers, at the very least by citing the material in question. We want to demonstrate our point by at least bringing up one media report and the original from CISA. Yes, there are more examples, but 2 ought to suffice.

"log4j" - connected to the above - is still being brought up this year by the Linux Foundation (by media sites that it is funding! Linux Foundation head honchos worship Bill Gates for computer security) and it is still getting milked by the Microsofters, an associate reminds us, and it is now softening the heads of government officials. See the 2 CISA items below (from Daily Links):

  1. CISA urges vendors to get rid of default passwords

    The call to action comes shortly after CISA, the National Security Agency and Office of the Director of National Intelligence released additional secure-by-design guidance for open source software development. The release is a product of the Enduring Security Framework’s Software Supply Chain Working Group, which is made up of NSA, ODNI and CISA. The guidance is a part of a larger effort to secure the software supply chain that stems from an executive order on improving U.S. cybersecurity.

    “Software incorporated and/or utilized through open source may have embedded issues. It is imperative that we pay close attention to how these modules are bundled with the software at release,” the release said.

  2. Securing the Software Supply Chain: Recommended Practices for Managing Open-Source Software and Software Bill of Materials [PDF]

    Similarly, the ESF Software Supply Chain Working Panel established this second phase of guidance to provide further details for several of the Phase I Recommended Practices Guide activities. This guidance may be used to describe, assess, and measure security practices relative to the software lifecycle. Additionally, the suggested practices listed herein may be applied across a software supply chain’s acquisition, deployment, and operational phases. The software supplier is responsible for liaising between the customer and software developer. Accordingly, vendor responsibilities include ensuring the integrity and security of software via contractual agreements, software releases and updates, notifications, and the mitigation of vulnerabilities. This guidance contains recommended best practices and standards to aid customers in these tasks.

    This document aligns with industry best practices and principles that software developers and software suppliers can reference. These principles include managing open-source software and software bills of materials to maintain and provide awareness about software security.

Also note their use of the term "open-source" instead of the normal "open source". The hallmark of openwashing PR.

We kindly and humbly wish not to speculate or comment any further. We just present that for what it is.
