04.28.16
Posted in Deception, Free/Libre Software, FUD, Marketing, Security at 8:38 am by Dr. Roy Schestowitz
No investigation, just churnalism
Summary: Why the latest “Future of Open Source Survey” — much like its predecessors — isn’t really a survey but just another churnalism opportunity for the Microsoft-connected Black Duck, which is a proprietary parasite inside the FOSS community
THE “Future of Open Source Survey” is not a survey. It’s just Black Duck’s self-promotional (marketing) tripe packaged as a “survey”. This is a common PR tactic, it’s not unique. We wrote about this so-called ‘survey’ in several articles in the past, e.g.:
We now have more of the same churnalism and it comes from the usual ‘news’ networks, in addition to paid press releases. When we first mentioned Shipley 8 years ago he was busy doing one nefarious thing and two years ago we saw him joining the Microsoft-connected Black Duck. He is quoted as saying (CBS) that “the rapid adoption of open source has outpaced the implementation of effective open-source management and security practices. We see opportunities to make significant improvements in those areas. With nearly half of respondents saying they have no formal processes to track their open source, and half reporting that no one has responsibility for identifying known vulnerabilities and tracking remediation, we expect to see more focus on those areas.” Thanks for the FUD, Mr. Shipley. So where do I buy your proprietary software (and software patents-protected) ‘solution’? That is, after all, what it’s all about, isn’t it? The ‘survey’ is an excuse or a carrier (if not Trojan horse) for proprietary software marketing.
Here is similar coverage from IDG and the Linux Foundation, whose writers did little more than repeat the talking points of Black Duck after the press release got spread around. █
Permalink
Send this to a friend
04.14.16
Posted in Microsoft, Security at 10:03 am by Dr. Roy Schestowitz
“Anyone wonder why the Microsoft SQL server is called the sequel server? Is that because no matter what version it’s at there’s always going to be a sequel needed to fix the major bugs and security flaws in the last version?”
–Unknown
“I don’t want a back door. I want a front door.” — Director of the National Security Agency (NSA), exactly one year ago
Summary: The sad irony of the US government taking advice on cybersecurity from a company which it is paying to deliberately weaken security and enable mass eavesdropping on billions of people
Microsoft undoubtedly builds back doors for the NSA (in many of its so-called ‘products’ or services) and yes, based on headlines such as “Obama Names Former NSA Chief, Microsoft and Uber Execs to Cybersecurity Panel” or “Obama appoints tech veterans from Microsoft and Uber to cybersecurity commission”, Obama adds Microsoft to a “Cybersecurity Panel”, where “cybersecurity” basically means “national security”, i.e. back doors in virtually everything digital. Looking at various other reports about this (there were plenty more, some of which focused on Keith Alexander’s role), we cannot help but laugh at the notion of “cybersecurity” coming from those who deliberately weakened security for the sake of domination/imperialism (euphemism “national security”, as if the oppressor risks being occupied or besieged). To quote one article on the subject, “General Keith Alexander (Retired), who headed the NSA during the enormous expansion of its surveillance apparatus — pointed, of course, at you — is the first listed member of the commission. On the one hand, better the devil you know, and what a resumé. On the other, wow.”
“…Obama adds Microsoft to a “Cybersecurity Panel”, where “cybersecurity” basically means “national security”, i.e. back doors in virtually everything digital.”We habitually post in our daily links, under “Security”, various reports about Microsoft’s security failings. We no longer wish to focus on Microsoft (standalone articles), which more and more people realise isn’t really interested in security, privacy etc. especially in light of back-doored and front-doored Vista 10, which — if developed by a small company — would be ruled illegal, malicious software and its developers risk a long jail sentences (being close to government helps here, especially enabling snitches to spy agencies, which in turn empowers the government). █
Permalink
Send this to a friend
01.06.16
Posted in Microsoft, Security, Vista 10, Windows at 7:46 pm by Dr. Roy Schestowitz
Don’t install, just antagonise the bugging
Summary: Microsoft inadvertently reminds people who had Vista 10 installed on their PC (sometimes downloaded passively against their will) that it is spying on them all the time and a new kind of pressure is being used to create a panic for acceptance of any forced (remotely-imposed) ‘upgrade’ to Vista 10
TECHRIGHTS does not wish to be dragged back into Microsoft bashing (unlike direct attacks on GNU/Linux, usually with the aid of software patents and patent trolls), but readers probably know by now that Microsoft has been turning people who used to be called users or customers into subjects or products, to be spied on and be treated like a commodity whose amount need to be maximised for exploitation in bulk.
With the introduction of Vista 10, the latest and nastiest (more malicious based on rather objective criteria) version of Windows, Microsoft now spies on every person all the time. There is some good analysis [1] and criticism [2] of this self-incriminating propaganda-driven move from Microsoft, which is desperate to convince people whom it forces to move to Vista 10 that this forcing will be for their own good, not just the good of the NSA.
“Vista 10 is not an operating system but spyware pretending to be one.”Using ‘security’ as a reason, Microsoft is now bashing older versions of Windows. Low on resources, Microsoft leaves in tact even known (to the public) back doors in its Web browsers, as covered by Microsoft-friendly sites (as here) and FOSS-centric sites (well, FOSS-centric most of the time). Here is how to put a positive spin on Microsoft’s latest kind of pressure/demand for people to move to the latest trap: “This news has come as a breath of fresh air as it was considered a bane for many web developers, thanks to the endless security holes in the software.”
Well, Web developers whom I know and work with often complain about the latest Internet Explorer and “Edge” (new branding for the same rubbish). They’re more incompatible with even more Web sites, for various different reasons. So this excuse or optimism is misplaced. As soon as next week, based on Microsoft fan sites, Microsoft will have yet another propaganda by which to pressure people to install spyware on their computers. Now is a good time to move to GNU/Linux. Some high-profile journalists are doing so right now because they better understand the underlying reasons (they’re reasonably technical).
Vista 10 is not an operating system but spyware pretending to be one. █
Related/contextual items from the news:
-
Understandably perturbed by this BetaNews took Microsoft to task on these revelations and asked if it would like to “explain how it came about the information, and why it is being collected in the first place”. Microsoft’s official response: “Thank you for your patience as I looked into this for you. Unfortunately my colleagues cannot provide a comment regarding your request. All we have to share is this Windows blog post.”
To which BetaNews makes a very fair conclusion: “Microsoft’s spying is intrusive enough to reveal how long you have been using Windows 10, but the company is not willing to be open about the collection of this data.”
Consequently the next obvious point to ponder is: If Microsoft is happy to disclose this data without saying how it was attained, what else does it access and track without user knowledge? Given Microsoft already admits much of its automatic spying cannot to turned off, just how many more metrics and how much user data is it gathering from every Windows 10 device?
-
The various privacy concerns surrounding Windows 10 have received a lot of coverage in the media, but it seems that there are ever more secrets coming to light. The Threshold 2 Update did nothing to curtail privacy invasion, and the latest Windows 10 installation figures show that Microsoft is also monitoring how long people are using the operating system.
This might seem like a slightly strange statistic for Microsoft to keep track of, but the company knows how long, collectively, Windows 10 has been running on computers around the world. To have reached this figure (11 billion hours in December, apparently) Microsoft must have been logging individuals’ usage times. Intrigued, we contacted Microsoft to find out what on earth is going on.
If the company has indeed been checking up on when you are clocking in and out of Windows 10, it’s not going to admit it. I asked how Microsoft has been able to determine the 11 billion hours figure. Is this another invasion of privacy, another instance of spying that users should be worried about? “I just wanted to check where this figure came from. Is it a case of asking people and calculating an average, working with data from a representative sample of people, or it is a case of monitoring every Windows 10 installation?”
Permalink
Send this to a friend
12.05.15
Posted in BSD, Security, Vista 10, Windows at 7:17 pm by Dr. Roy Schestowitz
New evidence of Microsoft’s advocacy of back doors and of dangers to SSH security
Summary: Concerns about OpenSSH and its acceptance of Microsoft (after relatively huge payments), which not only facilitates back door access (with secret code) but is already descending into oblivion anyway
MICROSOFT’S business, as we pointed out this morning, is in a sorry state. The common carrier, Vista 10, is widely rejected, so Microsoft is now trying to force people to download and install it. This is a new kind of aggression from Microsoft. It forcibly gives people software that they don’t ask for and explicitly reject.
“One has to be seriously misinformed to actually believe that effective disk encryption is possible in Windows. There are back doors and it’s intentional.”There are permanent back doors in Vista 10, as leaks about Microsoft’s special relationship with the NSA serve to highlight. The British technology press calls Vista 10 “spyware-as-a-service” and points out that drive encryption in it is permanently broken. One article shows that security not a priority at all in Vista 10 and another states that “Microsoft can be pretty secretive about its spyware-as-a-service Windows 10, but Redmond has now taken its furtiveness to a whole new level.” The clever headline says “Microsoft encrypts explanation of borked Windows 10 encryption”. Well, Microsoft doesn’t make drive encryption that actually works. There are back doors in it, as we explained last year and earlier this year. There are even bits of material related to this in leaks-oriented sites such as Cryptome. One has to be seriously misinformed to actually believe that effective disk encryption is possible in Windows. There are back doors and it’s intentional. We know this, at the very least, based on Edward Snowden’s leaks. The FBI does not even publicly complain about encryption in Microsoft’s products; that’s because the FBI already has a door into everything from Microsoft. Remember CIPAV?
“To make matters insanely dangerous, OpenSSHL “will also have Redmond’s proprietary cryptology interfaces rather than standard open-source implementations of the Secure Sockets Layer” (in other words, compromise of security is almost guaranteed).”To make matters worse, Microsoft is now trying to bring this whole crazy mentality into FOSS projects like OpenSSH (hence into BSD, Linux, Solaris, and so on) — a move which we criticised here before (even quite recently). OpenSSH, according to this article, is getting closer to NIST (the NSA’a back doors facilitator, which recommended ciphers with back doors in them). To make matters insanely dangerous, OpenSSHL “will also have Redmond’s proprietary cryptology interfaces rather than standard open-source implementations of the Secure Sockets Layer” (in other words, compromise of security is almost guaranteed).
“Microsoft needs them more than they need Microsoft, but Microsoft handed them a nice bribe in order to do this (we covered this earlier this year).”What are NIST and Microsoft doing anywhere near SSH? Both of them are proponents and facilitators of back doors? IETF is there too. We already wrote a great deal about its malice over the years. What are OpenSSH developers getting into here? Microsoft needs them more than they need Microsoft, but Microsoft handed them a nice bribe in order to do this (we covered this earlier this year).
Microsoft itself continues to collapse. The people who made Vista 10 marketing gimmicks are being laid off right now. More Microsoft layoffs are being reported this month. Just notice the trend. It is an ever-shrinking company trying to reinvent itself and find a new identity, with a new logo and new CEO, led by Bill Gates (the real boss who amasses all the money, hoarding more and more of it while pretending to run a ‘charity’ in order to get tax breaks, like Mark Zuckerberg).
We are saddened to see the OpenSSH community opening its door (maybe its back door) to a dying company which they neither need nor can trust. █
“In doubt a man of worth will trust to his own wisdom.”
–J.R.R. Tolkien
Permalink
Send this to a friend
11.17.15
Posted in Microsoft, Security, Windows at 7:32 am by Dr. Roy Schestowitz
“If you (Senator Wellstone) vote against the war in Iraq, the Bush administration will do whatever is necessary to get you. There will be severe ramifications for you and the state of Minnesota.” –Vice President Dick Cheney to Senator Paul Wellstone (D), October, 2002, just days before Wellstone’s death in an airplane accident
Summary: The involvement of Microsoft Windows in mission-critical systems (where many lives are on the line) shows extreme negligence and lack of foresight
FRANCE appears to have had problems other than terrorism. Headlines today serve to confirm, with Russia’s acceptance too, that its plane was recently taken down by terrorists, killing about twice as many people as died in Paris on Friday. Days ago the British media ran some scare stories about a French person in a British airport (a lot of misreporting about that, see our daily links for more), but how about basic technological errors? Remember what happened to a Spanair flight and also the poor judgment of British aviation. More planes crash due to technical malfunction than due to terrorism.
“Microsoft seems to be good at nothing these days, perhaps other than back doors and back room deals.”Based on a new report, France is still running mission-critical systems with Windows, even really ancient versions of it, as ancient as 3.1 (see “Windows 3.1 Is Still Alive, And It Just Killed a French Airport” in [1] below). What are they thinking? This is just nuts! It’s not from The Onion and it’s definitely no satire.
Microsoft seems to be good at nothing these days, perhaps other than back doors and back room deals. Recall Microsoft’s new body cameras partnership with TASER, which we mentioned a few times, then see [2,3] below. Conficker, a Windows virus, is now being preinstalled on body cameras. How many lives will likely be sacrificed as a result of this? Police brutality too needlessly kills a lot of people.
“Haven’t Snowden’s leaks shown enough to convince everyone that genuine security is not the goal at Microsoft but actually somewhat of a foe?”Windows is not suitable for anything that requires security because Windows is simply not designed to be secure. It’s designed for “national security” (meaning back doors and bogus encryption that the state can crack). Proprietary software in general is bad, including firmware [4], based on new reports. Microsoft is now silently modifying its patches after it bricked Outlook, which has back doors. To quote the British media: “Many IT managers and normal folks held off on last week’s patching cycle after one Microsoft fix – KB 3097877 – broke several versions of Outlook. The error came in how the software handled fonts, and resulted in the email client crashing as soon as some emails were scrolled through.”
We have already covered this here the other day, in relation to back doors in Microsoft data encryption. It is unthikable and rather unbelievable that some people still get away with putting Windows in mission-critical systems, even in governments and businesses. Haven’t Snowden’s leaks shown enough to convince everyone that genuine security is not the goal at Microsoft but actually somewhat of a foe? █
Related/contextual items from the news:
-
A computer glitch that brought the Paris airport of Orly to a standstill Saturday has been traced back to the airport’s “prehistoric” operating system. In an article published Wednesday, French satirical weekly Le Canard Enchaîné (which often writes serious stories, such as this one) said the computer failure had affected a system known as DECOR, which is used by air traffic controllers to communicate weather information to pilots. Pilots rely on the system when weather conditions are poor.
DECOR, which is used in takeoff and landings, runs on Windows 3.1, an operating system that came onto the market in 1992. Hardly state-of-the-art technology. One of the highlights of Windows 3.1 when it came out was the inclusion of Minesweeper — a single-player video game that was responsible for wasting hours of PC owners’ time in the early ’90s.
-
US-based iPower Technologies has discovered that body cameras sold by Martel Electronics come pre-infected with the Conficker worm (Win32/Conficker.B!inf).
-
At the end of October this year, 14,000 police officials from around the world gathered in a Chicago conference center for the International Association of Chiefs of Police conference. It was equal parts political convention and trade show, with panels on crisis response splitting time with hundreds of small companies selling bomb-disposal robots and guns.
There were more than a dozen body camera companies on the show floor, but Taser made the biggest splash, constructing a Disney-style amphitheater called the USS Axon Enterprise. The show began with a white-jacketed captain, who announced he had traveled back in time from the year 2055, where lethal force has been eliminated and police are respected and loved by their communities. To explain how to get there, he ran through a history of policing tech. Approaching the present moment, he fell into a kind of disappointed sadness.
-
This is really no surprise: embedded system vendors aren’t good at carrying out quality assurance on their firmware images, and their embedded Web server software is what you’d expect from something written in the last 20 minutes of Friday afternoon.
Permalink
Send this to a friend
11.14.15
Posted in Microsoft, Security at 9:58 am by Dr. Roy Schestowitz
It doesn’t even look tough
Summary: Unlocking the bogus encryption of the proprietary (secret code) BitLocker is surprisingly trivial, as Ian Haken has just revealed and demonstrated at Black Hat Europe
WE previously showed that BitLocker was not designed for security because of government intervention. Microsoft ‘encryption’ and ‘security’ patches are basically intended for an illusion of security — not real security – because Microsoft sits on zero-day flaws with the NSA. In simple terms, Microsoft ensures that the NSA and its affiliates have ways by which to remotely exploit Microsoft-made software and there is nothing that people can do to protect themselves from this, except deletion of Microsoft-made software.
“There is no patch for this and all BitLocker instances to date are affected.”Microsoft encryption continues to be an utter joke if one takes this article seriously. “A researcher” — one who is not from Microsoft — is said to have “disclosed a trivial Windows authentication bypass that puts data on BitLocker-encrypted laptops at risk.” There is no patch for this and all BitLocker instances to date are affected. Remember COFEE? Microsoft basically assumes that all people are criminals and it shows.
For those who think about relying on patches, caution is advised. Microsoft patches are broken again and users are advised not to apply them. This includes last Tuesday’s security patches, which helped reveal Microsoft’s ‘enterprise’ ‘professional’ ‘quality’:
The El Reg inbox has been flooded with reports of a serious cock-up by Microsoft’s patching squad, with one of Tuesday’s fixes causing killer problems for Outlook.
“We are looking into reports from some customers who are experiencing difficulties with Outlook after installing Windows KB 3097877. An immediate review is under way,” a Microsoft spokesperson told us.
The problem is with software in one of the four critical patches issued in yesterday’s Patch Tuesday bundle – MS15-115. This was supposed to fix a flaw in the way Windows handles fonts, but has had some unexpected side effects for some Outlook users.
“Today I’ve deployed latest Outlook patch to all of my clients, and now Outlook is crashing every 10 minutes and then restarting itself. I tried on fresh Win10, no AV with latest patches applied and here we go, Outlook crashing there too,” complained one TechNet user.
“Come on guys, do you EVER do proper QA before releasing anything Office 2013 related? This is the worst version of Outlook ever. Sorry for negative attitude but this is how things are.”
People should remember that Outlook (Webmail) itself has back doors, so for anything that requires a level of privacy (not just legal work and journalism) Windows must be avoided. Microsoft is a foe of privacy and it’s not an accident. Vista 10 takes privacy violations to a whole new level. █
“Two security researchers have developed a new technique that essentially bypasses all of the memory protection safeguards in the Windows Vista operating system…”
–Dennis Fisher, August 7th, 2008
Permalink
Send this to a friend
10.27.15
Posted in Free/Libre Software, FUD, Microsoft, Security, Vista 10 at 6:33 pm by Dr. Roy Schestowitz
Another Black Duck in the making? Security FUD from a firm established by champions of back doors.
Summary: Another company whose business model is monetising (and thus often enhancing) fear, uncertainty and doubt (FUD) over Free/Open Source software (FOSS) and this one too comes from Microsoft
THIS trend has grown rather tiresome. Every now and then we see Microsoft’s tentacles reaching out for areas in FOSS where there is an opportunity to badmouth FOSS. They turn Microsoft’s anti-FOSS rhetoric into their business model. They institutionalise it.
“Another Microsoft guy creates a company that says Free software is not secure and needs some proprietary software ‘medicine’.”Based on a new press release in its various forms/variations [1, 2, 3], we may have yet another OpenLogic or Black Duck in our hands. Another Microsoft guy creates a company that says Free software is not secure and needs some proprietary software ‘medicine’.
SourceClear is not even known (we never heard of it, it seemingly came out of nowhere), it’s a very young firm, and immediately it receives a lot of money and even promotional coverage from the News Corp.-owned Wall Street Journal, which is a Microsoft-friendly publication. The first sentence provides the background one needs to be aware of:
Mark Curphey worked to stamp out software bugs for about a decade as head of the security tools team at Microsoft Corp. and in several other jobs before he realized that the problem was getting worse instead of better.
To quote Gordon B-P: ‘”Worked at MS bugs for a decade” – didn’t do a very good job there then. What makes him think he’ll be able to “secure” OSS?’
Jordan Novet, who is a promoter of Microsoft as we noted the other day, covered this as well, using bug branding such as "Heartbleed", coined by a company which is strongly connected to Microsoft. “It turns out that lots of other [FOSS] libraries have exactly the same issues but have not been reported,” Novet quotes Curphey, whom he describes as “previously a former principal group program manager inside Microsoft’s developer division. [...] SourceClear started in Seattle in 2013…”
“SourceClear started in Seattle in 2013…”
–Jordan NovetWith OpenLogic, Black Duck, Codenomicon and various other Microsoft-connected (often created by Microsoft people and/or managed by Microsoft people) firms that badmouth FOSS we sure expect SourceClear to be no exception. They serve to distract from the built-in and intentional insecurities of proprietary software such as Windows, including quite famously Vista 10 where back doors are an understatement because everything is recorded and broadcast (total remote surveillance), even without a breach or an access through the back doors.
Microsoft cannot produce secure code because ‘national security’, i.e. many back doors, are a design goal. It helps Microsoft establish a ‘special relationship’ with the state and in fact it just got a contract from a highly notorious company, Taser [1].
Here we are in 2013 onwards — a time when simple bugs in FOSS (a defect affecting one line or two) get all the limelight and receive names, logos etc. whereas Microsoft’s critical zero-day flaws hardly make the headlines. There are many high-impact headlines that make a huge deal of fuss every time a security bug is found in Android (again, just in recent years). We suppose it’s part of a PR campaign in which Microsoft and its partners evidently participate. They are often the ones who come up with the names, logos, and much of the accompanying negative publicity. █
Related/contextual items from the news:
-
Microsoft has joined forces with Taser to combine the Azure cloud platform with law enforcement management tools.
[..]
In order to ensure Taser maintains a monopoly on police body cameras, the corporation acquired contracts with police departments all across the nation for the purchase of body cameras through dubious ties to certain chiefs of police.
Permalink
Send this to a friend
10.22.15
Posted in BSD, Free/Libre Software, GNU/Linux, Microsoft, Mono, Patents, Security, Servers, Standard at 7:26 am by Dr. Roy Schestowitz
“What we are trying to do is use our server control to do new protocols and lock out Sun and Oracle specifically”
–Bill Gates
Summary: Microsoft’s war against POSIX/UNIX/Linux APIs culminates with the .NET push and the ‘bastardisation’ of OpenSSH, a Swiss army knife in BSD/UNIX and GNU/Linux secure channels
MICROSOFT will not rest until it regains its once dominant position in computing. It’s not just because of pressure from shareholders but also because of clevery-marketed sociopaths, such as Bill Gates, who are back at the helm and are very thirsty for power.
Microsoft is now pushing .NET into GNU/Linux, having failed to do so with Mono and Xamarin because regular people (end users) and sometimes developers pushed back. How can Microsoft still convince people to embrace the Microsoft APIs (which are heavily patented and not secure)? Openwashing and propaganda.
Jordan Novet, who writes a lot of pro-Microsoft or marketing pieces for Microsoft (for many months now), is formerly a writer of Gigaom, which had received money from Microsoft to embed Microsoft marketing inside articles (without disclosure, i.e. corrupted journalism). Now he acts as a courier of Microsoft marketing, repeating a delusion which we spent a lot of time debunking here (.NET is NOT “Open Source” [1, 2, 3]). To quote Novet:
Microsoft today announced the beginning of a new bug bounty to pay researchers to find security holes in some of the tech giant’s recently open-sourced web development tools.
“How can Microsoft still convince people to embrace the Microsoft APIs (which are heavily patented and not secure)? Openwashing and propaganda.”When Microsoft alludedwto “Open Source” in relation to .NET it sometimes merely piggybacks the reputation of projects it exploits. See the article “Microsoft’s .NET Team Continues Making Progress On An LLVM Compiler” (not GPL). To quote Phoronix: “Earlier this year Microsoft announced an LLVM-based .NET compiler was entering development, LLILC. Six months later, LLILC continues making progress.
“The .NET team has published a six month retrospective of LLILC. It’s a very lengthy read for those interested in low-level compiler details.”
“Microsoft is still working on implementing support for Windows’ crypto APIs rather than OpenSSL/LibreSSL and to address POSIX compatibility concerns along with other issues.”
–Michael Larabel, PhoronixThis is a potential example of the infamous “embrace, extend, extinguish” approach. As we have shown here before, platform discrimination remains and it is even being extended to existing Free software projects, such as OpenSSH, as we explained yesterday (expect Windows-only ‘features’ and antifeatures). Microsoft APIs are already being phased in — the “extend” phase in E.E.E. (embrace, extend, extinguish). We warned about this months ago [1, 2] and we are now proven right. Even Michael Larabel noticed this and wrote: “Microsoft is still working on implementing support for Windows’ crypto APIs rather than OpenSSL/LibreSSL and to address POSIX compatibility concerns along with other issues.”
So now we have Windows- and Microsoft-specific code right there inside OpenSSH, in spite of Microsoft support of back doors for the NSA et al. Does this inspire much confidence? Repelling Microsoft isn’t about intolerance but about self defence. █
“I once preached peaceful coexistence with Windows. You may laugh at my expense — I deserve it.”
–Be’s CEO Jean-Louis Gassée
Permalink
Send this to a friend
« Previous entries Next Page » Next Page »
Content is available under CC-BY-SA