Bonum Certa Men Certa

Binary 'Security' Vastly Inferior to Free Software Patching

Summary: The PHP-based WordPress is reported as the cause for ISC's woes, but it was not kept up to date (a very simple and risk-free task) and the victims are actually Microsoft Windows PCs

I could personally relate to this report about a high-profile WordPress site getting cracked as it very closely relates to my job. What's interesting about it is that the victim (or the target) is really Windows, not GNU/Linux.



"So, it looks like the chances are that ISC's problem is limited to Windows PC malware and it hasn't effected BIND or ISC's DNS site," wrote Steven J. Vaughan-Nichols. Microsoft Windows is targeted via the browser. It's just so easy.

"Bind is outdated anyway," told us a reader. "Better replacements have been available for a long time."

According to the first report, "ISC was hacked by way of a WordPress flaw, but there is now an automatic way to secure WordPress sites and (eventually) eliminate the risk of nonpatched systems." This might not help protect from out-of-date or vulnerable extensions to WordPress. It's not an easy task. I have worked with WordPress for over 10 years and with Drupal for close to 5 years (including involvement in the development community), so I can confess that some flaws are inevitable. When it comes to Free software, however, the patching process is vastly superior to that of proprietary software, where many of the flaws are never patched or are silently patched without even informing users.

The whole notion of protecting from bugs at a binary level is ludicrous. Someone who is a programmer from Microsoft spoke to me for hours some days ago and told me that Windows system updates can take a vast amount of time because of lack of modularity. Large blobs that have unknown changes in them are not the way to patch flaws, let alone inform those affected of what is being patched and why.

It is with that in mind that we also approach the binary-level checks for 'security' by UEFI 'secure' boot. It's complete nonsense. It doesn't work and it does not improve security, it just restricts the function of general-purpose computing. Bottomley from Novell continues to support this nonsense based on a Phoronix report that says:

James Bottomley has updated the open-source UEFI Secure Boot Tools for Linux distributions to build against the UEFI 2.4 specification.

UEFI 2.4 has been out for the past year and a half while finally now the UEFI Secure Boot Tools have been updated against the latest spec.


UEFI 'secure' boot is how Microsoft and Intel (Wintel) have complicated Free software use, as we're reminded by a new article where Jamie is nagging about UEFI 'secure' boot when installing a new good flavour of GNU/Linux:

"Any computer that comes with UEFI should now be avoided.""[I]f you are installing PCLinuxOS to a UEFI-firmware system," he writes, "the best thing to do (and the most common and sensible by far, I'm sure) is to simply leave it in Legacy/MBR boot enabled, don't try to switch back to UEFI boot."

Any computer that comes with UEFI should now be avoided. It is possible to avoid such computers and voting with one's wallet can be very effective.

Recent Techrights' Posts

Writing and Coding Isn't Always Enough
Last year we had to assume a role we didn't have before: litigants
Autumn Has Come
Autumn should be exciting in all sorts of ways; it'll also mark our anniversary
 
Gemini Links 01/09/2025: News Corp. WSJ and A Month With NixOS
Links for the day
Slopfarms Already Peaked, They Will Die When Slop Companies Run Out of Money to Borrow
slopfarms will lack an actual "engine"
“Sideloading” Never Killed Anybody
There are many online discussions this week about the misnomer "sideloading"
Slopwatch: Google News as FUD Vector Against Linux and Plagiarism Enhancer, Serial Slopper (SS) Uses LLMs to Googlebomb "Linux"
Slop destroys the Web not just by screwing with search engines and helping plagiarists. It's also responsible for de facto DDoS attacks...
Links 01/09/2025: "Attacks on Science" and China's "Soft Power" Grows
Links for the day
Links 01/09/2025: Fresh Backlash Against Slop and "Norway’s Electricity Crisis is About to Hit Britain"
Links for the day
Links 01/09/2025: Catching Up (Mostly via Deutsche Welle), "Windows TCO" Effect in UK
Links for the day
Gemini Links 01/09/2025: Linguistic Barriers and "Web 1.0 Hosting"
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, August 31, 2025
IRC logs for Sunday, August 31, 2025
The UEFI 9/11 - Part IV - External Interference
They all seem to be playing a role in crushing Software Freedom and self-determination for users
Links 31/08/2025: Baggage Claim Scams, an Insurrectionist’s War on Culture, and a Sudden Robotics Hype
Links for the day
Gemini Links 31/08/2025: Reviewing Netsurf and Slightly Less Historic Ada Design
Links for the day
IBM Has Taken Control of GNOME
Don't expect a successor to be found any time soon
Links 31/08/2025: Google Gmail Data Breach and LF Puff Pieces for Pay
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, August 30, 2025
IRC logs for Saturday, August 30, 2025
This is What Google News Has Become
Moments ago
The Slopfarm WebProNews Has Turned Google News Into a Laughing Stock Full of Plagiarism by Slop
If Google News dies of neglect, that's one thing. It's starting to seem like active neglect by Google is a form of participation.
Do What is Moral, as What's Legal Isn't Always Moral
Do what's objectively moral, no matter the costs and the risks
Slopwatch: Google News Assisting Plagiarism and Anti-Linux FUD, Serial Slopper Rips Off Linux-Centric Journalists
This makes the Web a much worse place and lessens the incentive to do journalism
Links 30/08/2025: NVIDIA Fakes Results to Hide a Bubble Already in Implosion Phase, Data Breaches Galore, Important Win for Workers' Union in Canada
Links for the day
Representing and Speaking for Animals
If I ever choose to take this matter to tribunal with animals-centric NGOs on my side, it'll get some press coverage for sure
The UEFI 9/11 - Part II - Campaign of Censorship and Defamation Against Critics
In dictatorships, humour serves an important role. It's tragic.
In Kazakhstan, Yandex Estimated to be 20 Times Bigger Than Microsoft
Bing is measured as down this month
Shutterstock Not Enough? The Register MS Uses Slop Images in Articles (Seemingly More and More Over Time)
Cost-saving trajectory amid office shutdown?
Gemini Links 30/08/2025: Games, PostmarketOS, and Slop
Links for the day
Links 30/08/2025: Imgur Uproar and Many Ukraine Updates (Mediazona Reports Over 200,000 Russians Died for Putin)
Links for the day
How Not to Build Software
code forges that need a Web browser perhaps fill some 'niche' demand
GAFAM and "MATA"
The use of dark humour there hopefully helps illuminate what a lot of "modern" technology became like and how it interacts with human civilisation (to what ends and whose gain)
Birds Are Not "Pests and Vermin", Privacy is Not a Crime, and GNU/Linux is Not 'Hacking Platform'
I could not help but think of Free software analogies
The Sites Should Be Very Fast Again
That issue is now resolved
Flying in 2025
worse than ever before
Activists, Including Technical Activists, Need Not Pursue Affirmation
Techrights doesn't play or participate in a "popularity contest"
The UEFI 9/11 - Part III - Chaos is Scheduled to Happen Second Thursday of September (No Matter What the Microsofters Tell You)
The clock is ticking
Downplaying the Impact of "UEFI 9/11" is a Losing Strategy
we won't publish much whilst on holiday
Government Sites Should Run Free Software
Not proprietary bloatware with buzzwords
LLM Slopfarms Take No Breaks
When people run sites by bots they don't need to worry about "breaks"
GNOME Having a Meltdown Again
Thanks and farewell to Steven Deobald
Gemini Links 30/08/2025: Low Tech and Hunchbin 1.0.6
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, August 29, 2025
IRC logs for Friday, August 29, 2025