Bonum Certa Men Certa

Security Disinformation

Measuring electricity



Summary: Latest OpenSSL FUD and Microsoft's Howard Schmidt's role informing the public about cyber-security risks

OUR complaints about The Register have intensified recently [1, 2, 3, 4] because of poor articles like this one (see the comments).



The Register spreads FUD about OpenSSL (not the first such smear, after comparisons to "communism" too) and Bradley M. Kuhn from the SFLC has responded as follows:

Ok, Be Afraid if Someone's Got a Voltmeter Hooked to Your CPU



Boy, do I hate it when a FLOSS project is given a hard time unfairly. I was this morning greeted with news from many places that OpenSSL, one of the most common FLOSS software libraries used for cryptography, was somehow "severely vulnerable".

I had a hunch what was going on. I quickly downloaded a copy of the academic paper that was cited as the sole source for the story and read it. As I feared, OpenSSL was getting some bad press unfairly. One must really read this academic computer science article in the context it was written; most commenting about this paper probably did not.

First of all, I don't claim to be an expert on cryptography, and I think my knowledge level to opine on this subject remains limited to a little blog post like this and nothing more. Between college and graduate school, I worked as a system administrator focusing on network security. While a computer science graduate student, I did take two cryptography courses, two theory of computation courses, and one class on complexity theory. So, when compared to the general population I probably am an expert, but compared to people who actually work in cryptography regularly, I'm clearly a novice. However, I suspect many who have hitherto opined about this academic article to declare this "severe vulnerability" have even less knowledge than I do on the subject.


There are much bigger problems to worry about, such as the latest news about Windows botnets [1, 2, 3]. The authors of the Windows exploit might not even face a jail sentence, based on this report.

Three Spanish men were arrested last month for allegedly building an international network of more than 12 million hacked PCs that were used for everything from identity theft to spamming. But according to Spanish authorities and security experts who helped unravel the crime ring, the accused may very well never see the inside of a jail cell even if they are ultimately found guilty, due to insufficient cyber crime legislation in Spain.


Regarding this new article about Scott Charney's outrageous remarks [1, 2] (he worked for the US government before Microsoft hired him), Groklaw wrote 3 days ago: "First Microsoft fills the world with security issues and problems, then it wants the public to be taxed to fix them? I think Microsoft needs to fix its own software itself." Microsoft's own negligence [1, 2, 3] ought to have Microsoft bear the bill.

Howard Schmidt, the US Cyber Czar who came directly from Microsoft [1, 2, 3, 4], claims/pretends that there is no problem, even though many firms that include Google were intruded due to an Internet Explorer hole that Microsoft had knowingly ignored for 5 months [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12] (there are more security patches coming shortly). Even Google source code got grabbed. [via]

Operation Aurora continues to be a hot topic inside and outside of security circles. At this week’s RSA Conference in San Francisco many conversations are on the topic of the attacks that hit Google and dozens of other companies in January.


These reports indicate that proprietary source code got nicked from Google. Microsoft also nicks proprietary source code from companies/projects like Plurk [1, 2, 3, 4], which probably puts the Redmond-based company at the same side as the crackers.

"Cyberwar Hype Intended to Destroy the Open Internet," says this report from Wired. [via]

The biggest threat to the open internet is not Chinese government hackers or greedy anti-net-neutrality ISPs, it’s Michael McConnell, the former director of national intelligence.

McConnell’s not dangerous because he knows anything about SQL injection hacks, but because he knows about social engineering. He’s the nice-seeming guy who’s willing and able to use fear-mongering to manipulate the federal bureaucracy for his own ends, while coming off like a straight shooter to those who are not in the know.


And on the other hand, on the same occasion we find that "US urges 'action' needed to fight net attacks," according to the BBC.

Homeland Security secretary Janet Napolitano has admitted there is an urgent need to step up efforts to protect Americans from cyber attacks.


They seem to contradict themselves. Now they claim to be looking for ideas:

Homeland Security wants to pick your brains



[...]

The lucky winners will be invited to an event in Washington DC in late May or early June. They'll get to partner with the department to lead in the planning of the National Cybersecurity Awareness Campaign, due to launch in October.


Over at CNET, Dennis O'Reilly has this new article about "five ways to keep your [Windows] PC free of viruses and Trojans". Here is one of his suggestions.

If you can't give up Windows, you may still be able to install Linux on an old PC or in a partition of your Windows PC. Then you can use that system (or partition) whenever you engage in any sensitive computer activities. You'll find instructions for dual-booting Windows and the Ubuntu version of Linux on the Ubuntu Community Documentation site.


Thumbs up to Dennis.

"Usually Microsoft doesn't develop products, we buy products. It's not a bad product, but bits and pieces are missing."

--Arno Edelmann, Microsoft's European business security product manager

Comments

Recent Techrights' Posts

Common Mistake: Believing Social Control Media Will Document Your Writings/Thoughts and Search Engines Like Google Will Help You Find These
Many news sites wrongly assumed that posting directly to Twitter would be acceptable
The Manchester Bees and This Hot Summer
We have had a fantastic week so far this week
Gemini Protocol Enters Its Seventh Year, Growth Has Accelerated!
Maybe in June 20 2026 there will be over 3,500 active capsules?
Mastodon and the Fediverse Have an Issue: Liability for Content (Even in Other Instances) and Costs
self-hosting is the only logical path forward
Why Microsoft and Its 'Hey Hi' (Slop) Frenzy Fail While Sinking in Deep, Growing Debt
Right now, like Twitter around the time it was sold to MElon, "open" "hey hi" is a big pile of debt with a lot to pay for that debt (interest payments)
Europe is Leaving Microsoft, the Press Coverage Isn't Sufficiently Helpful
The news is generally positive, but the press coverage leaves so much to be desired
Slopwatch: Linuxsecurity, BetaNews, and Linux Journal
slippery slope
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, June 19, 2025
IRC logs for Thursday, June 19, 2025
Gemini Links 20/06/2025: Gemini Protocol Turns 6!
Links for the day
Links 19/06/2025: Ghostwriting Scam and Fentanylware (TikTok) Buying Time
Links for the day
Microsoft's Windows is a Niche Operating System in Africa
African nations aren't a large contributor to Microsoft's income, but if many African nations move away from Windows, then the monopoly is at risk
Gemini Links 19/06/2025: Unix Primitivism, Zine Club, and Gemini Protocol Turns 6 at Midnight
Links for the day
Links 19/06/2025: WhatsApp Identified as Assassination 'Crosshairs', Patreon Now Rips Off People Even More
Links for the day
"Told You So": Another Very Large Wave of Microsoft Layoffs Now Confirmed in Mainstream Media
So we were right to believe the rumours, based on the credibility of prior such rumours
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, June 18, 2025
IRC logs for Wednesday, June 18, 2025
Gemini Links 18/06/2025: Magit and Farming
Links for the day
Slopwatch: BetaNews is Now a Slopfarm (Like Linuxsecurity) and Google News is Overwhelmed by Slopfarms
The Web is bad
Links 18/06/2025: SCOTUS Decision on Fentanylware (TikTok) Still Ignored, 4.5-Day Work Weeks
Links for the day
Links 17/06/2025: Windows TCO and G7 Rifts
Links for the day
The Right to Know and the Freedom to Report on Crime (at the Higher Echelons)
I'd like to do the same thing for the next 20 years
BetaNews Appears to Have Fired All Of Its Staff
Even serial sloppers
After the Web Becomes Slopped to Death
A lot of people are rightly fed up with the "modern" Web
Gemini Protocol Turns 6 on Friday
Active (online) Gemini capsules are estimated by Lupa at over 3,000
Like Most Social Control Media, Microsoft LinkedIn is Collapsing
One reason for Microsoft acquisitions is debt-loading, i.e. offloading and burying its debt
Microsoft is Losing Its Richest Clients
Unlike some very poor countries, Germany and the EU are a considerable source of income to Microsoft
Proprietary Means Not Secure
Proprietary software tends to rely on secrecy, not good design
Slop in 'AI' Clothing is a Passing Fad, We'll Get Past It (Like Blockchain Before That)
Many people cheat in exams using slop and there are professionals that try using slop as a "shortcut"
GNOME Does Not Campaign Against Microsoft, KDE Does
It's good to see that KDE is still active in promotion of Free software - a term that it uses
Slopwatch: BetaNews, Linuxsecurity, and Other Prolific Slopfarms
name and shame the sites that establish such proliferation of slop
Gemini Links 18/06/2025: Birch Lake and Loon Pond
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, June 17, 2025
IRC logs for Tuesday, June 17, 2025