
09.29.09

Flaw and Exploit in Latest Windows and Windows Server? Check.

Posted in Microsoft, Protocol, Security, Servers, Vista, Windows at 7:19 pm by Dr. Roy Schestowitz

Chess peon

Summary: A critical vulnerability that still lacks a real patch now has public attack code, which puts Windows Vista Service Pack 1 and Service Pack 2, and even Windows Server 2008 Service Pack 1 (and soon Service Pack 2), in jeopardy

For context, see: Microsoft ‘Fixes’ Windows Vista and Windows Server 2008 by Disabling Entire Features

Now comes this:

Exploit published for SMB2 vulnerability in Windows

A fully functional exploit for the security vulnerability in the SMB2 protocol implementation has been published. It can be used to discover and attack vulnerable Windows machines remotely. By integrating the exploit into the Metasploit exploit toolkit, attackers have access to a wide range of attack options, ranging from issuing a warning to setting up a convenient backdoor on a user’s system.

Hackers release new attack code for Windows

On 18 September Microsoft released a Fix-It tool that disables SMB 2, and the company said then that it was working on a fix for its software.

Pressure on Microsoft, as Windows Attack Now Public

Metasploit developer HD Moore said Monday that the exploit works on Windows Vista Service Pack 1 and 2 as well as Windows 2008 SP1 server. It should also work on Windows 2008 Service Pack 2, he added in a Twitter message.

Will Microsoft do better than with XP?
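The only mitigation mentioned above is Microsoft's Fix-It tool, which switches SMB2 off rather than fixing it. The following PowerShell is an added example, not from the original post or from Microsoft: it checks whether that workaround is actually in place on a Vista or Server 2008 host, and can apply it. The registry value it inspects (Smb2 under the LanmanServer parameters) is the one Microsoft documented as the manual equivalent of the Fix-It; the function names are this example's own. Run it in an elevated shell.

```powershell
# Added example: verify (and optionally apply) the "disable SMB2" workaround
# discussed above. Assumes a Vista / Server 2008 host and an elevated shell.
# The registry path is the documented manual workaround, not taken from the page.

$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb2WorkaroundState {
    # Returns 'Disabled' when the workaround is applied (Smb2 = 0) and 'Enabled'
    # otherwise. A missing value means SMB2 is on, which is the OS default, so the
    # lookup must not throw when the value is absent.
    $item = Get-ItemProperty -Path $paramKey -Name 'Smb2' -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.Smb2 -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-Smb2Workaround {
    # Applies the workaround: Smb2 = 0, then restart the Server service so that the
    # change takes effect. This is a stopgap, not a patch: clients fall back to
    # SMB1, and the value should be reverted once a real fix is installed.
    New-ItemProperty -Path $paramKey -Name 'Smb2' -PropertyType DWord -Value 0 -Force | Out-Null
    Restart-Service -Name 'LanmanServer' -Force
}

function Enable-Smb2 {
    # Reverts the workaround after a real fix has been installed.
    Remove-ItemProperty -Path $paramKey -Name 'Smb2' -ErrorAction SilentlyContinue
    Restart-Service -Name 'LanmanServer' -Force
}

$state = Get-Smb2WorkaroundState
Write-Output "SMB2 on $env:COMPUTERNAME is $state"
if ($state -eq 'Enabled') {
    Write-Output 'No workaround in place: the SMB2 code path is still reachable on TCP 445.'
    # Uncomment to apply the workaround on this host:
    # Disable-Smb2Workaround
}
```

Two caveats a practitioner should keep in mind: the check only tells you whether the registry switch is set, not whether the Server service has been restarted since, so run it after a reboot or service restart; and if turning SMB2 off is not acceptable, the other documented stopgap is to block TCP ports 139 and 445 at the perimeter and host firewall until the real patch ships.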

09.28.09

Patents Roundup: Richard Stallman Versus Software Patents in NZ, Opposition to Monopolies, and Microsoft Hypocrisy

Posted in Courtroom, Free/Libre Software, Microsoft, Patents, Protocol at 4:21 pm by Dr. Roy Schestowitz

New Zealand flag

Summary: Richard Stallman is to help New Zealand defeat software patents, which, as a recent New Scientist article helps show, are monopolies on mathematics; patent reform suffers setbacks, and Microsoft proves unable to obey patent law itself

Resistors

The father of Free software, Richard Stallman, will soon speak about software patents in New Zealand. Here is the introduction/abstract of the talk.

In this insightful discussion, international Free Software advocate Richard Stallman (RMS) will argue that software patents seriously and significantly obstruct software development.

Software patents are patents that cover software ideas. Stallman will argue that they restrict the development of software to the point that the risk of legal action as a result of design decisions is dramatically raised. Stallman will also make the point that patents in other fields restrict factories, but in IT, software patents restrict every computer user and consumer.

Stallman was giving such talks several years ago, when European activists staved off attempts to legalise software patents in Europe (Microsoft was among the large forces lobbying for them). Similar attempts are now being made to legalise software patents in New Zealand, where Microsoft is trying to colonise, not always successfully.

Software is Mathematics

Here is a very recent article from the New Scientist, a distinguished publication, in which we find a clear, scientific explanation of why software is mathematics (and should therefore not be patentable).

To prove mathematically that the 7500 lines of its kernel’s code were secure, Gerwin Klein of NICTA and his team first had to come up with a mathematical method to express the code. “In the end, programs are just mathematics, and you can reason about them mathematically,” says Klein.

One can join the latest discussion about software patents at Groklaw, where the invaluable finding shown above was first identified and brought to more people’s attention.

Reform

As we mentioned the other day, the Rick Frenkel (aka Patent Troll Tracker) case [1, 2, 3, 4, 5, 6, 7] is now settled, and Law.com offers some more coverage. The sad thing is that those patent trolls managed to gag, and perhaps permanently silence, their biggest critic. According to Patently-O, Obama's agenda contains more intellectual monopolies, not fewer (no surprise there). Here are some details.

President Obama’s speech today focused on its newly formed “strategy for American innovation” — his “strategy to foster new jobs, new businesses, and new industries by laying the groundwork and the ground rules to best tap our innovative potential. . . .

[...]

Protect intellectual property rights. Intellectual property is to the digital age what physical goods were to the industrial age. We must ensure that intellectual property is protected in foreign markets and promote greater cooperation on international standards that allow our technologies to compete everywhere. The Administration is committed to ensuring that the United States Patent and Trademark Office has the resources, authority, and flexibility to administer the patent system effectively and issue high-quality patents on innovative intellectual property, while rejecting claims that do not merit patent protection.

There is some very strong language here; it is almost propaganda-inspired, as though it were written by patent lawyers to advance their own agenda. The Director of the USPTO, David Kappos, calls patents a "20-year monopoly", which is not the same as calling them "property", a "right", "protection", or a product of intellect. A patent is more of a blockade, but monopolies love those.

Microsoft

Microsoft still treats the Exchange protocols as patented property, a practice which some players in the relevant sector wrongly see as acceptable (or as a "necessary evil"); Google is among the victims of ActiveSync, and the Linux vendors which succumbed to Microsoft's patent plot are others. The funny thing is that Microsoft ignores patent law when it suits its own needs. Here is the latest turn of events in the i4i case, as described in the Wall Street Journal.

I4i Inc. doesn’t want to prevent Microsoft Corp. (MSFT) from selling its flagship Word product, it just wants Microsoft to remove i4i’s technology.

And the closely held Toronto company, which won its patent-infringement case against Microsoft in May, doesn’t appear willing to compromise on this point. “You can never say never,” said i4i Chairman Loudon Owen, regarding a settlement with Microsoft, “but we’re here to build our business and we’re here to compete.”

More information about the i4i case can be found in [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]. It’s an embarrassment to Microsoft and it shows the company’s endless hypocrisy when it comes to software patents.

“The only patent that is valid is one which this Court has not been able to get its hands on.”

Supreme Court Justice Jackson

Software patents protest in India

09.26.09

Microsoft Abuse with Software Patents Carries on

Posted in Courtroom, Free/Libre Software, Microsoft, Patents, Protocol, Samba at 5:13 am by Dr. Roy Schestowitz

European flags at Europe's parliament

Summary: The latest analyses and moves from Microsoft, which increasingly relies on software patents in its eternal battle against Free software

Carlo Piana, who represents Samba legally in Europe [1, 2], has just published this long post, which explains how Microsoft continues to use software patents and other nefarious means to suppress the adoption of Free software. This is particularly important right now because Microsoft has an opportunity to do to the Commission what it did to the US Department of Justice, namely put its friends in charge (Charlie McCreevy may leave, but the FFII shows that a likely replacement is also a supporter of software patents).

The point is that the current Commission is going to step down in a few weeks, and Commissioner Kroes – who has an incredibly good track record on the Microsoft case – might feel the urgency to close everything behind her, leaving the office empty and her case teams without a case. But on what conditions?

[...]

The single biggest issue is patents. The current WSPP agreement does not contain any meaningful provision or license or promise or non-assertion pledge or anything that is useful to Free Software projects. Without that clearance, once everything is over, who is going to stop the patents from being asserted or, worse, merely threatened (call it FUD, patent rattling, whatever)? Microsoft has been very clear to reserve this right. If it is home free with a broad undertaking, there will not be any real pressure against the assertion of the patents, apart from the reaction of some friendlier companies and of the OIN. We have seen just a small preview with the TomTom case.

[...]

And the future will bring Silverlight. And the future will bring OOXML mandated by public authorities as if it was an open standard. And by the way, I am still awaiting the first attempted implementation of ISO/IEC IS 29500 (what the standard is called) because Microsoft Office's file format is not even close to being that, and it is not even ECMA 376. It is a proprietary, undisclosed file format. To add insult to injury, I start hearing that even those corrections that were hurried in during the Ballot Resolution Meeting to pass the standard like a square pin into a round hole are now rolled back very quietly in JTC1 SC34 – hijacked by Microsoft – because of lack of interoperability with MS Office. Which incidentally confirms my assessment that the implementation is the standard and the standard is the implementation. The process we underwent to approve or disapprove an international standard was merely a sham.

The Commission falsely promised that it would investigate this, but the complexity of such an investigation (requiring a lot of travel all around the world) is the reason it backed off, leaving Microsoft unpunished for criminal activity such as blackmail and bribery.

We recently showed that Microsoft had attempted to have GNU/Linux vendors sued by patent trolls [1, 2, 3, 4, 5, 6]. That was the allegation made by Red Hat and others, including the OIN, which is now releasing details of the patents in question (22 patents in total; the list below accounts for every one of them). The story is exclusive to The H (London-based, apparently), part of Heise, which is in Germany, where software patents are not valid anyway.

What was in this lot of 22 patents that would specifically worry the Linux community? The OIN supplied The H with a list of the patents:

* Encoding a URL into the playback of a media file (5987509, 6499057, 5774666, 6963906)
* Broadcasting video over distributed networks (6005600, 6792468, 7448062)
* Launching a browser and sending it to a URL by clicking an icon (5737560, 5877767, 6072491, 7032185)
* Launching applications through a movie (5745713)
* Colour space conversions (5946113, 6147772)
* Web page annotations (6081829, 6571295)
* Web publishing hypertext (5890170)
* Web publishing and editing with templates (6026433)
* A Method for painting on a computer (5182548)
* Virtual Address Translation (6205531)
* Dynamically generating graphics for the web on the server (6098092)
* Dynamic information clipping service (5649186)

Going back to Samba in Europe, there is absolutely no reason to assume that Microsoft will accept an exclusion of software patents. According to this post, Microsoft is still at work on software patents.

Basically, the IM mob are desperately trying to con unions into doing their dirty work by pushing out propaganda on intellectual monopolies. I just love the line “The RIAA (Recording Industry Association of America) and IIPA (International Intellectual Property Association) were both very enthusiastic about this proposal”: you bet they are. Their own ham-fisted efforts have backfired so spectacularly that they are desperate for someone else not tainted by their inept approach of punishing consumers to try.

The following is also significant:

The discussion on future work mostly focus on climate change. General Electric and Microsoft were particularly outspoken in highlighting their fear that some current negotiations over green technology and IPR would weaken IPR. They also denounced the inclusion of proposals that limit patentable subject matter and recommend compulsory licenses or licenses of rights.

As well as Microsoft’s usual bleating about not being allowed to patent software in some jurisdictions, it’s interesting to note that both it and General Electric seem to rate the preservation of intellectual monopolies rather higher than the preservation of our planet. Pure evil.

Microsoft and GE are both behind MSNBC, delivering their own angle on the news, and they also cooperate on legalising software patents in Europe, despite realising that the patent system is inherently broken (GE complains about patent trolls, whereas Microsoft faces embargo threats because of the i4i case [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]). Here are some more thoughts about i4i and patents:

Canadian Law Professors Insist Banning The Sale Of Word Is Good For Society & Innovation

[...]

Again, beyond common sense, the historical evidence suggests that these law professors are simply wrong. Countries with no or weak patent protection have seen tremendous innovation over time. And it’s because it’s competition that’s the mother of innovation, not a lack of competition.

In other interesting news, the arguably-unconstitutional ACTA [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14] is now being criticised even by the UK-IPO, which is surprising. But it’s not ACTA itself which gets the criticism; it’s the secrecy. Glyn Moody writes:

Cracks in the ACTA Wall of Secrecy

[...]

Hitherto, there’s been no suggestion of any dissension within the ACTA ranks; so this comment in a blog post from Jamie Love about a lunch meeting of civil society NGOs held by the UK’s Intellectual Property Office during the WIPO meeting is intriguing:

The UK IP office said it had complained frequently of the secrecy of the ACTA negotiations.

Perhaps if we can get a few more of the insiders moaning about this unnecessary lack of transparency, things will finally start moving.

As pointed out a few months ago, Facebook is flirting with Microsoft's patent troll, Nathan Myhrvold. Now that Facebook is being sued for patent infringement (yes, again), one might wonder whether Facebook wants the patent troll to act as a shield, or as an arsenal for counter-lawsuits that annul (settle) the original ones. It's only speculation.

Facebook has been sued by a software company in Baltimore that claims the social-networking site is violating a two-year-old patent.


WhoGlue Inc., a Canton company with fewer than five employees, filed the lawsuit Monday in the U.S. District Court for Delaware, where Facebook is incorporated.

[...]

It’s unclear whether the patent infringement case that WhoGlue is trying to make against Facebook can be applied to a host of similar social networking sites that use similar technologies for helping their users manage online interactions.

The company which is suing at least has a product, so it is not a patent troll.

08.02.09

Comes Antitrust: Microsoft’s Attack Plan on GNU/Linux and Today’s Lessons

Posted in Antitrust, Bill Gates, Free/Libre Software, GNU/Linux, Intellectual Monopoly, Microsoft, Novell, Oracle, Patents, Protocol, SUN at 4:59 am by Dr. Roy Schestowitz

Summary: Beyond the Halloween Documents (Comes vs Microsoft exhibits)

Today's Comes vs Microsoft post is a particularly long one, so we have attempted to shorten it, keeping the signal high and leaving the details aside for separate inspection by those who are curious and have more time to spare.

Many regulars are probably aware of the Halloween Documents. Eric Raymond (ESR) has a complete mirror of the text with commentary, so we will not replicate the documents, which have already been out there for years. The authenticity of them was confirmed when the Comes vs Microsoft case produced exhibits for the broad public to access.

Interestingly enough, Bill Gates said about these reports (Halloween documents): “The two documents in here from Vinod are the ones I want the board to see.” He was referring to Halloween Documents I and II. Here is Halloween Document I as text and as PDF. Here is Halloween Document II as text and as PDF.

Background

The documents which Gates referred to are already on ESR's Web site (as plain text), so there is no point repeating the exercise of posting them publicly. However, to highlight some particular bits, here are some portions from them. Microsoft explains that:

OSS is a concern to Microsoft for several reasons:

1. OSS projects have achieved “commercial quality”
2. OSS projects have become large-scale & complex
3. OSS has a unique development process with unique strengths/weakness

Microsoft later adds that “to understand how to compete against OSS, we must target a process rather than a company.”

Then come the issues of APIs, e.g.:

Linux and other OSS advocates are making a progressively more credible argument that OSS software is at least as robust – if not more – than commercial alternatives. [...] [E]vangelization of API’s in a closed source model basically defaults to trust, OSS API evangelization lets the developer make up his own mind.

The strategy in general:

Beating Linux
In addition to attacking the general weakness of OSS projects (e.g. Integrative / Architectural costs), some specific attacks on Linux are:

* Beat UNIX
* All the standard product issues for NT vs. Sun apply to Linux
* Fold extended functionality into commodity protocols / services and create new protocols
* Linux’s homebase is currently commodity network and server infrastructure. By folding extended functionality (e.g. Storage+ in file systems, DAV/POD for networking) into today’s commodity services, we raise the bar & change the rules of the game.

That was about 10 years ago. As we noted before, Bill Gates once wrote: “What we are trying to do is use our server control to do new protocols and lock out Sun and Oracle specifically.”

How can Microsoft capture some of the rabid developer mindshare being focused on OSS products?

Some initial ideas include:

* Provide more extensibility – The Linux “enthusiast developer” loves writing to / understanding undocumented API’s and internals. Documenting / publishing some internal API’s as “unsupported” may be a means of generating external innovations that leverage our system investments.

It says "Documenting / publishing some internal API's as 'unsupported'…"

Does that sound familiar? As we shall show later, Microsoft also speaks frankly about “undocumentation”.

Here is embrace & extend in action:

OSS projects have been able to gain a foothold in many server applications because of the wide utility of highly commoditized, simple protocols. By extending these protocols and developing new protocols, we can deny OSS projects entry into the market.

From Halloween Document II we pull the following (thanks to Jason):

The Linux community is very willing to copy features from other OS’s if it will serve their needs. Consequently, there is the very real long term threat that as MS expends the development dollars to create a bevy of new features in NT, Linux will simply cherry pick the best features and incorporate them into their codebase.
The effect of patents and copyright in combatting Linux remains to be investigated.

Later came the SCO lawsuit, the Novell deal, and patent racketeering which carries on to this date.

New Material

Today's main exhibit ties the above documents together and we believe that there is no copy of it anywhere else (as text), so Wallclimber kindly contributed her time to process the text, which we then analysed. Wallclimber says that this "strategy" document outlines exactly what they've done to Novell. "I especially got a kick out of the 'fatal flaws'," she added. Here is the original exhibit (PX08175, 1999) [PDF] and several points of interest extracted from the full text, which can be found at the bottom.

This short document is titled “Our Linux Strategy” and it was authored by Vinod Valloppillil.

Watch number 1 and number 2 in the list, then think about the loadable module [1, 2, 3, 4, 5, 6, 7], which added Microsoft hooks to Linux (hypercalls).

1. Embrace Linux: MS APIs / Linux kernel — release an MS version of Linux and/or release key MSFT platform technologies on Linux (e.g. parts of Win32, app server, etc.)

Pros: Ride the wave & try to evangelize Win32
Cons: Dramatically evangelizes Linux & may risk MSFT IP due to GPL license issues
Fatal Flaw:
– Impossible to make this revenue neutral with Windows biz.
– Doesn’t protect the “crown jewel” IP from being targeted at a later date

2. Embrace Linux: Linux APIs / MS Kernel — try to get Linux API’s on Windows — get more hardcore about POSIX subsystem on NT to capture Linux app base

Pros: Capture some of the Linux dev mindshare by making it easy to bring Linux apps to NT
Cons: Hurts Win32 evangelization
Fatal Flaw:
– There are no Linux apps that we covet.

Also think about Mono, Moonlight, and OOXML.

Prior to that, Valloppillil states:

This document discusses both our strategy and our plans for competing with Linux. To understand the strategy it is important to remember the following:
- Linux isn’t most importantly a product/feature; it’s a philosophy change
- Linux has no new specific features to co-opt
– Unlike the NC: the NC touted TCO benefits, and thus we introduced ZAK/ZAW
– Unlike the Internet: the Internet was loaded with technology changes, and thus we invested in browser technologies and reexamined all our existing products

The core strategic thrust of Linux is NOT an attack against some product/feature weakness of Microsoft. It’s an attack at the base of the commercial software industry – Intellectual Property.

Previous threats to Microsoft (the NC, Java, etc.) have been about replacing Microsoft’s IP with another company’s IP that claimed some new benefit (e.g. TCO). What differentiates Linux is that OSS attempts to extricate Intellectual Property all together.

Learn from what Microsoft did to NetPC (NC) and to Java. Watch what else Microsoft put forth as an option:

Cons: ISVs getting hooked on undocumented API’s, support costs, etc.

So, “undocumented API’s” are an option, eh? Microsoft admits their existence.

Watch what Microsoft thought about Wine back when it was a lot less mature and capable:

– Microsoft is an IP company. Like the rest of the software industry, >90% of our IP valuation stems from Trade Secrecy of the source code. Open Source is mutually exclusive with Trade Secrecy. This plan would instantly make the various Win32 clones (e.g. http://www.winehq.com) an order of magnitude more capable.

More compelling stuff from Microsoft:

2. Innovating, Creating New IP

(Re-)recognize that we are an IP company and that in our networked world, functionality delivered via protocols is steadily replacing functionality which was once delivered via APIs. Thus, innovation must occur both internal to our products, but also between computers.

Windows clients must always be able to communicate with Linux servers (and vice-versa). However, there MUST be additional value created when a Windows machine is touching another Windows machine. NOT doing this is akin to giving away the Win32 APIs. Every group defining protocols needs to remember this.

Also:

We must innovate and keep our great advancements to ourselves. The fine balance between protecting/financing our innovations and interoperability will get more difficult over time. But, it is relatively easy today.

Notice the following:

4. Compete with Linux Head-On
BED marketing is currently making the transition towards engaging Linux as a tier-1 competitor in the server & client markets. There are still some decisions to be made here (and headcounts to fill) to ensure that on a tactical basis, NT out-markets Linux. Some of the core deliverables include white papers, benchmarks, etc. More peripheral questions / issues include reclaiming retail shelf-space from Linux, etc. We need engagement throughout the company (e.g., retail) on this. Finally, getting the word out on NT's architectural advantages over Linux is an imperative.

Then it says:

Open Source development is the greatest cloning machine of all time. Consequently, we must recognize that “Trade Secrecy” of source code will provide increasingly minimal protection over time and that aggressive patent procurement is our only investment defense. Additionally, strong patent procurement is a key enabler which allows us to publish more of our source code to leverage evangelization benefits (the patent application process is, in a manner of speaking, a form of source publication)

Initiatives (NOT discussed further in this paper) are underway to understand the options in this space.

Initiatives "are underway", eh? What would those be? Those lawsuits Jim Allchin spoke about [1, 2]?

It is worth remembering that all these documents were spread with Bill Gates' oversight and endorsement, just like the AstroTurfing which he loves. At the time, when these documents leaked, Microsoft tried to portray the AstroTurf as an act it had nothing to do with; a lead participant, James Plamondon, insistently denied this, saying that Bill Gates had been a supporter of the tactics all along. His colleague Marshall Goldberg confirmed this in an internal presentation.

Likewise, when it comes to the Halloween Documents, Microsoft tried to dismiss this as “an engineer’s individual assessment of the market at one point in time.” The exhibits clearly show Bill Gates distributing this material quite enthusiastically to chief people at Microsoft. It means that Microsoft simply lied to save face.

At the end of the document we find out what’s already “underway” at Microsoft:

The following are all underway:

1. Ramp-up / staff Linux competitive marketing efforts.
2. Ramp-up source licensing initiatives. DRG/MSDN is the owner for the umbrella but all component teams must begin evaluating what codebases would benefit the platform if they were evangelized via less restrictive licensing.
3. More proactively & aggressively secure patent rights to MSFT innovations that will be significant to the OSS fight. Development teams must shift mindsets from source code secrecy towards patents as the primary means of securing our key innovations.
4. [on-going] Create new IP in base scenarios – file sharing, management, etc.

“Ramp-up / staff Linux competitive marketing efforts” sounds like potential reference to more AstroTurfing, which is a reality. The remainder has a lot to do with patents, which we now know are used against GNU/Linux. The document as a whole is worth reading, assuming one has the patience. It’s properly formatted below.


Appendix: Comes vs. Microsoft – exhibit PX08175, as text



01.16.09

Microsoft and Obama Join Hands and Attack Web Standards, Exclude GNU/Linux Users

Posted in Microsoft, Patents, Protocol at 4:52 pm by Dr. Roy Schestowitz

Obama votes for Microsoft XAML

Obama is doing it again (using Silverlight). He did this before [1, 2] and has not learned any lessons from the big backlash. Adobe accused Microsoft of paying to achieve this, but then again, we also know that Obama and Microsoft are not all that distant, so incentives may not even be needed. In fact, Microsoft's money is already polluting this game [1, 2].

Microsoft uses the choice to brag about some sort of presidential endorsement and here is some early coverage.

Microsoft announced today that the presidential inauguration team has chosen Microsoft’s Silverlight browser extension application to play host for streamed online content of inaugural events.

This presidential inauguration is partly funded by Microsoft, too [1, 2]. The more things “Change”, the more they stay the same.


04.30.08

Wither Web Standards? (The Adobe and Microsoft Threat)

Posted in DRM, GNU/Linux, Google, Microsoft, Patents, Protocol, Standard at 11:02 pm by Dr. Roy Schestowitz

The Web was created to become (and remain) a fully transparent framework that is built using open components. There were some threats in the past to its openness, namely ‘objectification’ in HTML (embedded media players, Shockwave, etc.) and disobedient companies that ‘extended’ things in a variety of undocumented ways (e.g. ActiveX, IE-specific/Office-esque ‘HTML’).

Back in December, not so long after the anti-Ogg fiasco, we said we would significantly reduce the use of YouTube (Flash) for videos, but this promise has been hard to keep as ripping tools (YouTube -> Ogg) continued to break. Where does that leave us all?

We have explained before why Microsoft's Silverfish [sic] is more harmful than Flash, but all in all, both are harmful. Mozilla too is now warning about them. [thanks to an anonymous reader for the heads-up]

ZDNet.co.uk is reporting that at the Internet World Conference in London, Nitot warned that companies like Adobe and Microsoft might have an agenda with their Flash and Silverlight technologies. Even though at the moment these technologies are free to download, this might change in the future. “But maybe they have an agenda,” Nitot said, “they’re not here for the glory; they’re here for the money.” He also warns for the dangers of these companies withholding products from certain markets. As examples, he mentions Internet Explorer for the Mac/UNIX, and Adobe’s refusal to provide up-to-date binaries of Flash.

The reader who E-mailed this to us called it “decomodization [sic] of web standards.” This isn’t the first time that Mozilla talks about this serious issue publicly [1, 2]. The significance here is rather high especially if you consider the role of the Web browser, which many continue to consider the ‘new O/S’, at least in the sense of its presence and role (not the technical sense).

While the current generation of browsers and SAAS applications offers plenty of choice but some security concerns, the next generation could turn this on its head, providing greater security but less choice. That’s because we are quickly moving to a type of Web application that will no longer be delivered to a general-purpose Web browser but will instead be deployed to something dedicated to that specific SAAS application.

This is the world of single-site browsers and rich Internet applications.

In this world, users don’t open a Web browser and then use a bookmark or link to access their important Web applications. Instead, these Web applications are installed and deployed almost as if they were desktop applications. Users launch them from their Start menu or desktop, and the SAAS application runs in its own single-purpose browser window.

Recent articles of relevance include:

So, as you can probably see, Web-based applications are not going away any time soon. The question to ask is, how will they be built? Will they be based on open standards? Open source code maybe? Or will there be proprietary blocks controlled by a single company (semi- or seamlessly-integrated a la WPF)? It is no secret that Ajax is seen as a competitor to Adobe and Microsoft, for example. As such, the news about Sony mixing Java and Flash is not too encouraging.

Sony Ericsson is planning to offer developers the opportunity to embed Flash Lite applications inside J2ME midlets, in the hope that two mobile phone application platforms will prove better than one.

Flash, however, is not the greatest issue at hand, especially when combined with GPL-bound programming.

Remember the Library of Congress and the plan to push aside Web standards? Microsoft, unlike Adobe, has more reasons to do this, because it can stifle online competition (notably Google) and platform competition that way. The other day we mentioned the poor reporting from Ina Fried, who uses very deceptive headlines to promote Microsoft in a fanboyish fashion. It completely ruins CNET, rendering its credibility almost worthless (and worse than it has ever been).

In the same vein, we have received the following thoughts from a different knowledgeable reader: “I’m seeing some fresh activity from old astroturfer accounts. The volume is prodigious compared to weeks or months back. The style has changed, suggesting new staff behind the accounts and the ‘quality’ of the trolls has improved. It’s still bad but better put together than before.

“If I were to take a wild guess I would think that it is to draw attention away from several other things like attacking KDE 4 from the inside, spreading silverfish infestations, and touring the governments again in prep for the summer.

“Looks like a lot of illegal or at least questionable deals are going on to get silverfish infestations in as many places as possible.”

Look back at the Library of Congress story, which we have already mentioned in [1, 2, 3, 4, 5, 6, 7]. Microsoft literally paid a government department millions of dollars to abandon Web standards and exclude Microsoft’s competitors.

Another reader points out that “refusing OGG/Vorbis/Theora as HTML5 standard was a real shame. (Thank you for nothing, Nokia).” Remember that the guy from Nokia who was partly responsible for this is actually a former Microsoft employee.

“And yet another demonstration that software/business models/pure idea patents are a really bad idea,” concludes this reader.

Novell’s ‘Binary Bridges’: Could SUSE Ever Inherit the Anti-Features of Windows?

Posted in Deception, GNU/Linux, Hardware, Microsoft, Novell, Protocol, Security, Servers, Windows at 1:28 am by Dr. Roy Schestowitz

Dozens of reasons to avoid mimicking Windows

Surprisingly enough, some people remain shocked that Microsoft is collaborative when it comes to political, police-related and federal snooping. Robert Scoble even argued with me about this roughly 3 years ago, denying that such an issue even exists. At the sight of yesterday’s pick from Slashdot many such skeptics and deniers have finally come to realise this:

Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that may have been used in crimes.

Forget about passwords, security on the network and so forth. It’s enough to only be a suspect and the rules are bound to be misused (they usually are). No warrants are even necessary. Not so long ago, an animal activist received demands for divulging a PGP key, using laws that were introduced to combat terrorism (and justified in this way).

The example above is just one among many anti-features, to borrow the phrase used frequently (maybe even coined) by the Free Software Foundation. Microsoft’s customers happen to be the governments, media companies, developers, OEMs and other parties that are certainly not the end users. Features are provided to the real customers, who are rarely actual users of the personal computer.

Why is this subject brought up again? Well, it is already known that there have been interactions between the government and SUSE and the same goes for Apple with Mac OS X. It’s hardly a secret because it’s too difficult to keep it a secret.

Many people will tell you that you can look at and carefully study the source code in GNU/Linux to verify no back doors exist (and then check also the compiler, the computer chip used to run and compile the program, et cetera). It’s all possible, assuming sufficient transparency at the bottom layers exists, along with that trust which comes with it (threat of leaks is accompanied by openness).

Questions arise, however, as soon as you consider what Novell does with Microsoft. Novell gets access to Microsoft source code and it also incorporates some code which simply cannot be studied. Moreover, it relies a great deal on Microsoft protocols, which themselves can have back doors included (a back door as part of the ‘standard’, as shown in the citations at the very bottom). If SLES/SLED achieves binary compatibility with Windows, it gets harder to trust what’s being delivered out of the box.

Some of the reports below were also briefly and partly mentioned in [1, 2, 3]. It’s worth highlighting the problem again, using references only. Here goes.

NSA Helps Microsoft with Windows Vista

Is this a good idea or not?

For the first time, the giant software maker is acknowledging the help of the secretive agency, better known for eavesdropping on foreign officials and, more recently, U.S. citizens as part of the Bush administration’s effort to combat terrorism.

Microsoft could be teaching police to hack Vista

Microsoft may begin training the police in ways to break the encryption built into its forthcoming Vista operating system.

UK holds Microsoft security talks

UK officials are talking to Microsoft over fears the new version of Windows could make it harder for police to read suspects’ computer files.

Microsoft’s Vista stores much more data—and may affect the discovery process

Vista—Microsoft’s latest operating system—may prove to be most appropriately named, especially for those seeking evidence of how a computer was used.

Dual_EC_DRBG Added to Windows Vista

Microsoft has added the random-number generator Dual_EC_DRBG to Windows Vista, as part of SP1. Yes, this is the same RNG that could have an NSA backdoor.

It’s not enabled by default, and my advice is to never enable it. Ever.

Will Microsoft Put The Colonel in the Kernel?

The kernel meets The Colonel in a just-published Microsoft patent application for an Advertising Services Architecture, which delivers targeted advertising as ‘part of the OS.’

Microsoft patents the mother of all adware systems

The adware framework would leave almost no data untouched in its quest to sell you stuff. It would inspect “user document files, user e-mail files, user music files, downloaded podcasts, computer settings, computer status messages (e.g., a low memory status or low printer ink),” and more. How could we have been so blind as to not see the marketing value in computer status messages?

Here is another possible shocker (depending on one’s expectations really):

Forget about the WGA! 20+ Windows Vista Features and Services Harvest User Data for Microsoft

Are you using Windows Vista? Then you might as well know that the licensed operating system installed on your machine is harvesting a healthy volume of information for Microsoft. In this context, a program such as the Windows Genuine Advantage is the last of your concerns. In fact, in excess of 20 Windows Vista features and services are hard at work collecting and transmitting your personal data to the Redmond company.

Microsoft makes no secret about the fact that Windows Vista is gathering information. End users have little to say, and no real choice in the matter. The company does provide both a Windows Vista Privacy Statement and references within the End User License Agreement for the operating system. Combined, the resources paint the big picture over the extent of Microsoft’s end user data harvest via Vista.

German spyware plans trigger row

The e-mails would contain Trojans – software that secretly installs itself on suspects’ computers, allowing agents to search the hard drives.

FBI ducks questions about its remotely installed spyware

There are plenty of unanswered questions about the FBI spyware that, as we reported earlier this week, can be delivered over the Internet and implanted in a suspect’s computer remotely.

German Security Professionals in the Mist

This hope was important because earlier this year the German Government had introduced similar language into Section 202c StGB of the computer crime laws, which would have made the mere possession of (creates, obtains or provides access to, sells, yields, distributes or otherwise allows access to) tools like John, Kismet, KisMAC, Nessus, nmap, and the ability to Google effectively a crime.

Austria OKs terror snooping Trojan plan

Austria has become one of the first countries to officially sanction the use of Trojan Horse malware as a tactic for monitoring the PCs of suspected terrorists and criminals.

[...]

Would-be terrorists need only use Ubuntu Linux to avoid the ploy. And even if they stuck with Windows their anti-virus software might detect the malware. Anti-virus firms that accede to law enforcement demands to turn a blind eye to state-sanctioned malware risk undermining trust in their software, as similar experience in the US has shown.

Schäuble renews calls for surreptitious online searches of PCs

In his speech towards the end of the national conference of the Junge Union, the youth organization of the ruling conservative Christian Democratic Union (CDU), in Berlin the Federal Minister of the Interior Wolfgang Schäuble has again come out in favor of allowing authorities to search private PCs secretly online and of deploying the German Armed Forces in Germany in the event of an emergency.

Here is a video of Richard Stallman talking about back doors in Microsoft Windows, among other things. I will be fortunate enough to attend a talk from Stallman tomorrow evening.

Encrypted E-Mail Company Hushmail Spills to Feds

Hushmail, a longtime provider of encrypted web-based email, markets itself by saying that “not even a Hushmail employee with access to our servers can read your encrypted e-mail, since each message is uniquely encoded before it leaves your computer.”

But it turns out that statement seems not to apply to individuals targeted by government agencies that are able to convince a Canadian court to serve a court order on the company.

No email privacy rights under Constitution, US gov claims

This appears to be more than a mere argument in support of the constitutionality of a Congressional email privacy and access scheme. It represents what may be the fundamental governmental position on Constitutional email and electronic privacy – that there isn’t any. What is important in this case is not the ultimate resolution of that narrow issue, but the position that the United States government is taking on the entire issue of electronic privacy. That position, if accepted, may mean that the government can read anybody’s email at any time without a warrant.

Microsoft exec calls XP hack ‘frightening’

“You can download attack tools from the Internet, and even script kiddies can use this one,” said Mick.

Mick found the IP address of his own computer by using the XP Wireless Network Connection Status dialog box. He deduced the IP address of Andy’s computer by typing different numerically adjacent addresses in that IP range into the attack tool, then scanning the addresses to see if they belonged to a vulnerable machine.

Using a different attack tool, he produced a security report detailing the vulnerabilities found on the system. Mick decided to exploit one of them. Using the attack tool, Mick built a piece of malware in MS-DOS, giving it a payload that would exploit the flaw within a couple of minutes.

Duh! Windows Encryption Hacked Via Random Number Generator

A group of researchers headed by Dr. Benny Pinkas from the Department of Computer Science at the University of Haifa succeeded in finding a security vulnerability in Microsoft’s “Windows 2000” operating system. The significance of the loophole: emails, passwords, credit card numbers, if they were typed into the computer, and actually all correspondence that emanated from a computer using “Windows 2000” is susceptible to tracking. “This is not a theoretical discovery. Anyone who exploits this security loophole can definitely access this information on other computers,” remarked Dr. Pinkas.

Editor’s Note: I believe this “loophole” is part of the Patriot Act, it is designed for foreign governments. Seriously, if you care about security, privacy, data, trojans, spyware, etc., one does not run Windows, you run Linux.

From Wikipedia:

In relation to the issue of sharing technical API and protocol information used throughout Microsoft products, which the states were seeking, Allchin alleged that releasing this information would increase the security risk to consumers.

“It is no exaggeration to say that the national security is also implicated by the efforts of hackers to break into computing networks. Computers, including many running Windows operating systems, are used throughout the United States Department of Defense and by the armed forces of the United States in Afghanistan and elsewhere.”

The following two articles are much older and some have doubted their arguments’ validity.

How NSA access was built into Windows

A careless mistake by Microsoft programmers has revealed that special access codes prepared by the US National Security Agency have been secretly built into Windows.

[...]

The first discovery of the new NSA access system was made two years ago by British researcher Dr Nicko van Someren. But it was only a few weeks ago when a second researcher rediscovered the access system. With it, he found the evidence linking it to NSA.

NSA Builds Security Access Into Windows

A careless mistake by Microsoft programmers has shown that special access codes for use by the U.S. National Security Agency (NSA) have been secretly built into all versions of the Windows operating system.

There are many more citations like these available, shall any be necessary.

In summary, welcome to the twenty-first century, the age when every ‘binaries-boosted’ GNU/Linux distribution should be taken with a grain of salt (not to mention the NSA and SELinux).

Governments ‘wish’ to ‘give’ you control and to offer you privacy, but it’s often just an illusion. The government is an exception to this condition, rule or semi-true promise.

The stories above hopefully illustrate just why Free software is so important (even to national security, assuming you live outside the United States). That’s why those who support back door-free computing will often be labeled “terrorists”, or defenders of “terrorists”. It’s a straw man really. It’s a means of introducing new laws and using the “T” word as an excuse for virtually everything. Here is a discomforting thought:

“Trusted” Computing

Do you imagine that any US Linux distributor would say no to the US government if they were requested (politely, of course) to add a back-door to the binary Linux images shipped as part of their products? Who amongst us actually uses the source code so helpfully given to us on the extra CDs to compile our own version? With Windows of course there are already so many back-doors known and unknown that the US government might not have even bothered to ask Microsoft, they may have just found their own, ready to exploit at will. What about Intel or AMD and the microcode on the processor itself?

Back doors needn’t be incorporated only at software-level. Mind the following articles too:

Chip Design Flaw Could Subvert Encryption

Shamir said that if an intelligence organization discovered such a flaw, security software on a computer with a compromised chip could be “trivially broken with a single chosen message.” The attacker would send a “poisoned” encrypted message to a protected computer, he wrote. It would then be possible to compute the value of the secret key used by the targeted system.

Trouble with Design Secrets

“Millions of PCs can be attacked simultaneously, without having to manipulate the operating environment of each one of them individually,” Shamir wrote.

You could then argue that Sun has some GPL-licensed processors, but who is to check the physical manufacturing process to ensure the designs, which comprise many millions of transistors, are consistently obeyed? This, however, is a lot more complex and far-fetched. How about back doors in standards?

Did NSA Put a Secret Backdoor in New Encryption Standard?

Which is why you should worry about a new random-number standard that includes an algorithm that is slow, badly designed and just might contain a backdoor for the National Security Agency.

NSA Backdoors in Crypto AG Ciphering Machines

We don’t know the truth here, but the article lays out the evidence pretty well.

See this essay of mine on how the NSA might have been able to read Iranian encrypted traffic.

Inheritance of protocols does not seem like a very safe idea. Novell should enter these territories with its mixed-source strategy.

04.08.08

Microsoft Delivers Over 14,000 Pages of Tax Bills (Software Patents)

Posted in Antitrust, Interoperability, Microsoft, Novell, Patents, Protocol, Standard at 11:57 pm by Dr. Roy Schestowitz

Gratis (protocols) versus Free as in “free samples”

There are many misinterpretations in the press at the moment. Microsoft has just released some documentation and some reporters foolishly equate that to openness, which it certainly is not. The world has established complete sets of open standards for a variety of things, but Microsoft has dodged them as a matter of principle and created its own separate set of proprietary substitutes or extensions. Just as a quick reminder, consider:

“We want to own these standards, so we should not participate in standards groups. Rather, we should call ‘to me’ to the industry and set a standard that works now and is for everyone’s benefit. We are large enough that this can work.”

–Microsoft Corporation, internal memo (source [compressed PDF])

More examples can be found here, including these bits from the Halloween memos.

By the way, if you are by any chance trying to figure out Microsoft’s policy toward standards, particularly in the context of ODF and OOXML, that same Microsoft page is revelatory. Here is Microsoft’s answer to what the memo meant when it said that Microsoft could extend standard protocols so as to deny Linux “entry into the market”:

Q: The first document talked about extending standard protocols as a way to “deny OSS projects entry into the market.” What does this mean?

A: To better serve customers, Microsoft needs to innovate above standard protocols. By innovating above the base protocol, we are able to deliver advanced functionality to users. An example of this is adding transactional support for DTC over HTTP. This would be a value-add and would in no way break the standard or undermine the concept of standards, of which Microsoft is a significant supporter. Yet it would allow us to solve a class of problems in value chain integration for our Web-based customers that are not solved by any public standard today. Microsoft recognizes that customers are not served by implementations that are different without adding value; we therefore support standards as the foundation on which further innovation can be based.

Just Do It Like Microsoft, They’ll Talk About Patent Tax Later

The foolish articles that you can find on the Web include this one, which luckily enough only refers to this as “interoperability”.

It probably won’t satisfy the company’s critics, but Microsoft has released another 14,000+ pages of interoperability information for its “high-volume products”.

“Interoperability” is pretty much a dead word because Microsoft has had it redefined, just as it redefined many other things. The above disclosure is merely part of the “taxoperability” program, which is about doing things the Microsoft way and paying for the privilege, rather than just using open and free standards. It’s all about software patents, where interoperability is just a weasel word.

Using Poor Security as Excuse for Lock-in

Loosely related to this, watch how Microsoft has turned its security problems into another opportunity to stifle real interoperability. This comes from yesterday’s news:

I showed Bruce Schneier, chief security technology officer for BT, the End to End Trust documents and he said “it feels general and like marketing hype.” The notion that the world needs centralized authentication “is just silly,” he added.

Basically, Microsoft has used its trusted computing efforts, such as inserting identity rights management into Office 2003, to lock people into using its products, Schneier said.

“Microsoft has used this as an anti-competitive tool,” he said.

No surprises here. At least there is reassurance that Microsoft never changed its ways.
