Techrights » Security
http://techrights.org
Free Software Sentry – watching and reporting maneuvers of those threatened by software freedom
Tue, 03 Jan 2017 16:25:21 +0000

Latest Black Duck Puff Pieces a Good Example of Bad Journalism and How Not to Report
http://techrights.org/2016/04/28/black-duck-puff-pieces/
Thu, 28 Apr 2016 13:38:17 +0000

No investigation, just churnalism

Churnalism

Summary: Why the latest “Future of Open Source Survey” — much like its predecessors — isn’t really a survey but just another churnalism opportunity for the Microsoft-connected Black Duck, which is a proprietary parasite inside the FOSS community

THE “Future of Open Source Survey” is not a survey. It’s just Black Duck’s self-promotional (marketing) tripe packaged as a “survey”. This is a common PR tactic; it’s not unique. We wrote about this so-called ‘survey’ in several articles in the past, e.g.:

We now have more of the same churnalism and it comes from the usual ‘news’ networks, in addition to paid press releases. When we first mentioned Shipley 8 years ago he was busy doing one nefarious thing, and two years ago we saw him joining the Microsoft-connected Black Duck. He is quoted as saying (CBS) that “the rapid adoption of open source has outpaced the implementation of effective open-source management and security practices. We see opportunities to make significant improvements in those areas. With nearly half of respondents saying they have no formal processes to track their open source, and half reporting that no one has responsibility for identifying known vulnerabilities and tracking remediation, we expect to see more focus on those areas.” Thanks for the FUD, Mr. Shipley. So where do I buy your proprietary (and software patent-protected) ‘solution’? That is, after all, what it’s all about, isn’t it? The ‘survey’ is an excuse or a carrier (if not a Trojan horse) for proprietary software marketing.

Here is similar coverage from IDG and the Linux Foundation, whose writers did little more than repeat the talking points of Black Duck after the press release got spread around.

With a Cybersecurity Panel Like This, Who Needs Any More Demands for Back Doors?
http://techrights.org/2016/04/14/cybersecurity-panel-with-microsoft/
Thu, 14 Apr 2016 15:03:40 +0000

“Anyone wonder why the Microsoft SQL server is called the sequel server? Is that because no matter what version it’s at there’s always going to be a sequel needed to fix the major bugs and security flaws in the last version?”

Unknown

Michael S. Rogers
“I don’t want a back door. I want a front door.” — Director of the National Security Agency (NSA), exactly one year ago

Summary: The sad irony of the US government taking advice on cybersecurity from a company which it is paying to deliberately weaken security and enable mass eavesdropping on billions of people

Microsoft undoubtedly builds back doors for the NSA (in many of its so-called ‘products’ or services) and yes, based on headlines such as “Obama Names Former NSA Chief, Microsoft and Uber Execs to Cybersecurity Panel” or “Obama appoints tech veterans from Microsoft and Uber to cybersecurity commission”, Obama adds Microsoft to a “Cybersecurity Panel”, where “cybersecurity” basically means “national security”, i.e. back doors in virtually everything digital. Looking at various other reports about this (there were plenty more, some of which focused on Keith Alexander’s role), we cannot help but laugh at the notion of “cybersecurity” coming from those who deliberately weakened security for the sake of domination/imperialism (euphemism “national security”, as if the oppressor risks being occupied or besieged). To quote one article on the subject, “General Keith Alexander (Retired), who headed the NSA during the enormous expansion of its surveillance apparatus — pointed, of course, at you — is the first listed member of the commission. On the one hand, better the devil you know, and what a resumé. On the other, wow.”

We habitually post in our daily links, under “Security”, various reports about Microsoft’s security failings. We no longer wish to focus on Microsoft (standalone articles), which more and more people realise isn’t really interested in security, privacy etc., especially in light of back-doored and front-doored Vista 10, which — if developed by a small company — would be ruled illegal, malicious software, and its developers would risk long jail sentences (being close to government helps here, especially enabling snitches to spy agencies, which in turn empowers the government).

Microsoft Confirms Real-Time Spying on Vista 10 Users (Operating System as a Bug), Increases Pressure to ‘Upgrade’
http://techrights.org/2016/01/06/spying-on-win-10-users/
Thu, 07 Jan 2016 00:46:17 +0000

Don’t install, just antagonise the bugging

A microphone

Summary: Microsoft inadvertently reminds people who had Vista 10 installed on their PC (sometimes downloaded passively against their will) that it is spying on them all the time and a new kind of pressure is being used to create a panic for acceptance of any forced (remotely-imposed) ‘upgrade’ to Vista 10

TECHRIGHTS does not wish to be dragged back into Microsoft bashing (unlike direct attacks on GNU/Linux, usually with the aid of software patents and patent trolls), but readers probably know by now that Microsoft has been turning people who used to be called users or customers into subjects or products, to be spied on and treated like a commodity whose amount needs to be maximised for exploitation in bulk.

With the introduction of Vista 10, the latest and nastiest (more malicious based on rather objective criteria) version of Windows, Microsoft now spies on every person all the time. There is some good analysis [1] and criticism [2] of this self-incriminating propaganda-driven move from Microsoft, which is desperate to convince people whom it forces to move to Vista 10 that this forcing will be for their own good, not just the good of the NSA.

Using ‘security’ as a reason, Microsoft is now bashing older versions of Windows. Low on resources, Microsoft leaves intact even known (to the public) back doors in its Web browsers, as covered by Microsoft-friendly sites (as here) and FOSS-centric sites (well, FOSS-centric most of the time). Here is how to put a positive spin on Microsoft’s latest kind of pressure/demand for people to move to the latest trap: “This news has come as a breath of fresh air as it was considered a bane for many web developers, thanks to the endless security holes in the software.”

Well, Web developers whom I know and work with often complain about the latest Internet Explorer and “Edge” (new branding for the same rubbish). They’re more incompatible with even more Web sites, for various different reasons. So this excuse or optimism is misplaced. As soon as next week, based on Microsoft fan sites, Microsoft will have yet another piece of propaganda with which to pressure people to install spyware on their computers. Now is a good time to move to GNU/Linux. Some high-profile journalists are doing so right now because they better understand the underlying reasons (they’re reasonably technical).

Vista 10 is not an operating system but spyware pretending to be one.

Related/contextual items from the news:

  1. Massive Windows 10 Success Has Six Nasty Surprises

    Understandably perturbed by this BetaNews took Microsoft to task on these revelations and asked if it would like to “explain how it came about the information, and why it is being collected in the first place”. Microsoft’s official response: “Thank you for your patience as I looked into this for you. Unfortunately my colleagues cannot provide a comment regarding your request. All we have to share is this Windows blog post.”

    To which BetaNews makes a very fair conclusion: “Microsoft’s spying is intrusive enough to reveal how long you have been using Windows 10, but the company is not willing to be open about the collection of this data.”

    Consequently the next obvious point to ponder is: If Microsoft is happy to disclose this data without saying how it was attained, what else does it access and track without user knowledge? Given Microsoft already admits much of its automatic spying cannot be turned off, just how many more metrics and how much user data is it gathering from every Windows 10 device?

  2. Why is Microsoft monitoring how long you use Windows 10?

    The various privacy concerns surrounding Windows 10 have received a lot of coverage in the media, but it seems that there are ever more secrets coming to light. The Threshold 2 Update did nothing to curtail privacy invasion, and the latest Windows 10 installation figures show that Microsoft is also monitoring how long people are using the operating system.

    This might seem like a slightly strange statistic for Microsoft to keep track of, but the company knows how long, collectively, Windows 10 has been running on computers around the world. To have reached this figure (11 billion hours in December, apparently) Microsoft must have been logging individuals’ usage times. Intrigued, we contacted Microsoft to find out what on earth is going on.

    If the company has indeed been checking up on when you are clocking in and out of Windows 10, it’s not going to admit it. I asked how Microsoft has been able to determine the 11 billion hours figure. Is this another invasion of privacy, another instance of spying that users should be worried about? “I just wanted to check where this figure came from. Is it a case of asking people and calculating an average, working with data from a representative sample of people, or is it a case of monitoring every Windows 10 installation?”

Vista 10 is ‘Swiss Cheese’ With Critical Bugs, More Microsoft Layoffs (HoloLens) Announced. So Why Did OpenBSD Accept Microsoft’s $1,000,000 Bribe?
http://techrights.org/2015/12/05/openbsd-ssh-and-msft-back-doors/
Sun, 06 Dec 2015 00:17:21 +0000

New evidence of Microsoft’s advocacy of back doors and of dangers to SSH security

Back door

Summary: Concerns about OpenSSH and its acceptance of Microsoft (after relatively huge payments), which not only facilitates back door access (with secret code) but is already descending into oblivion anyway

MICROSOFT’S business, as we pointed out this morning, is in a sorry state. The common carrier, Vista 10, is widely rejected, so Microsoft is now trying to force people to download and install it. This is a new kind of aggression from Microsoft. It forcibly gives people software that they don’t ask for and explicitly reject.

There are permanent back doors in Vista 10, as leaks about Microsoft’s special relationship with the NSA serve to highlight. The British technology press calls Vista 10 “spyware-as-a-service” and points out that drive encryption in it is permanently broken. One article shows that security is not a priority at all in Vista 10 and another states that “Microsoft can be pretty secretive about its spyware-as-a-service Windows 10, but Redmond has now taken its furtiveness to a whole new level.” The clever headline says “Microsoft encrypts explanation of borked Windows 10 encryption”. Well, Microsoft doesn’t make drive encryption that actually works. There are back doors in it, as we explained last year and earlier this year. There are even bits of material related to this in leaks-oriented sites such as Cryptome. One has to be seriously misinformed to actually believe that effective disk encryption is possible in Windows. There are back doors and it’s intentional. We know this, at the very least, based on Edward Snowden’s leaks. The FBI does not even publicly complain about encryption in Microsoft’s products; that’s because the FBI already has a door into everything from Microsoft. Remember CIPAV?

To make matters worse, Microsoft is now trying to bring this whole crazy mentality into FOSS projects like OpenSSH (hence into BSD, Linux, Solaris, and so on) — a move which we criticised here before (even quite recently). OpenSSH, according to this article, is getting closer to NIST (the NSA’s back doors facilitator, which recommended ciphers with back doors in them). To make matters insanely dangerous, OpenSSH “will also have Redmond’s proprietary cryptology interfaces rather than standard open-source implementations of the Secure Sockets Layer” (in other words, compromise of security is almost guaranteed).

What are NIST and Microsoft doing anywhere near SSH? Both of them are proponents and facilitators of back doors. IETF is there too. We already wrote a great deal about its malice over the years. What are OpenSSH developers getting into here? Microsoft needs them more than they need Microsoft, but Microsoft handed them a nice bribe in order to do this (we covered this earlier this year).

Microsoft itself continues to collapse. The people who made Vista 10 marketing gimmicks are being laid off right now. More Microsoft layoffs are being reported this month. Just notice the trend. It is an ever-shrinking company trying to reinvent itself and find a new identity, with a new logo and new CEO, led by Bill Gates (the real boss who amasses all the money, hoarding more and more of it while pretending to run a ‘charity’ in order to get tax breaks, like Mark Zuckerberg).

We are saddened to see the OpenSSH community opening its door (maybe its back door) to a dying company which they neither need nor can trust.

“In doubt a man of worth will trust to his own wisdom.”

J.R.R. Tolkien

Another French Tragedy: Only the Insane Would Put Windows in Airports
http://techrights.org/2015/11/17/windows-airport/
Tue, 17 Nov 2015 12:32:50 +0000

“If you (Senator Wellstone) vote against the war in Iraq, the Bush administration will do whatever is necessary to get you. There will be severe ramifications for you and the state of Minnesota.”

Vice President Dick Cheney to Senator Paul Wellstone (D), October, 2002, just days before Wellstone’s death in an airplane accident

At airport

Summary: The involvement of Microsoft Windows in mission-critical systems (where many lives are on the line) shows extreme negligence and lack of foresight

FRANCE appears to have had problems other than terrorism. Headlines today serve to confirm, with Russia’s acceptance too, that its plane was recently taken down by terrorists, killing about twice as many people as died in Paris on Friday. Days ago the British media ran some scare stories about a French person in a British airport (a lot of misreporting about that, see our daily links for more), but how about basic technological errors? Remember what happened to a Spanair flight and also the poor judgment of British aviation. More planes crash due to technical malfunction than due to terrorism.

Based on a new report, France is still running mission-critical systems with Windows, even really ancient versions of it, as ancient as 3.1 (see “Windows 3.1 Is Still Alive, And It Just Killed a French Airport” in [1] below). What are they thinking? This is just nuts! It’s not from The Onion and it’s definitely no satire.

Microsoft seems to be good at nothing these days, perhaps other than back doors and back room deals. Recall Microsoft’s new body cameras partnership with TASER, which we mentioned a few times, then see [2,3] below. Conficker, a Windows virus, is now being preinstalled on body cameras. How many lives will likely be sacrificed as a result of this? Police brutality too needlessly kills a lot of people.

Windows is not suitable for anything that requires security because Windows is simply not designed to be secure. It’s designed for “national security” (meaning back doors and bogus encryption that the state can crack). Proprietary software in general is bad, including firmware [4], based on new reports. Microsoft is now silently modifying its patches after it bricked Outlook, which has back doors. To quote the British media: “Many IT managers and normal folks held off on last week’s patching cycle after one Microsoft fix – KB 3097877 – broke several versions of Outlook. The error came in how the software handled fonts, and resulted in the email client crashing as soon as some emails were scrolled through.”

We have already covered this here the other day, in relation to back doors in Microsoft data encryption. It is unthinkable and rather unbelievable that some people still get away with putting Windows in mission-critical systems, even in governments and businesses. Haven’t Snowden’s leaks shown enough to convince everyone that genuine security is not the goal at Microsoft but actually somewhat of a foe?

Related/contextual items from the news:

  1. Windows 3.1 Is Still Alive, And It Just Killed a French Airport

    A computer glitch that brought the Paris airport of Orly to a standstill Saturday has been traced back to the airport’s “prehistoric” operating system. In an article published Wednesday, French satirical weekly Le Canard Enchaîné (which often writes serious stories, such as this one) said the computer failure had affected a system known as DECOR, which is used by air traffic controllers to communicate weather information to pilots. Pilots rely on the system when weather conditions are poor.

    DECOR, which is used in takeoff and landings, runs on Windows 3.1, an operating system that came onto the market in 1992. Hardly state-of-the-art technology. One of the highlights of Windows 3.1 when it came out was the inclusion of Minesweeper — a single-player video game that was responsible for wasting hours of PC owners’ time in the early ’90s.

  2. Police Body Cameras Shipped with Pre-Installed Conficker Virus

    US-based iPower Technologies has discovered that body cameras sold by Martel Electronics come pre-infected with the Conficker worm (Win32/Conficker.B!inf).

  3. Who controls the cop cam?

    At the end of October this year, 14,000 police officials from around the world gathered in a Chicago conference center for the International Association of Chiefs of Police conference. It was equal parts political convention and trade show, with panels on crisis response splitting time with hundreds of small companies selling bomb-disposal robots and guns.

    There were more than a dozen body camera companies on the show floor, but Taser made the biggest splash, constructing a Disney-style amphitheater called the USS Axon Enterprise. The show began with a white-jacketed captain, who announced he had traveled back in time from the year 2055, where lethal force has been eliminated and police are respected and loved by their communities. To explain how to get there, he ran through a history of policing tech. Approaching the present moment, he fell into a kind of disappointed sadness.

  4. Badware in the firmware all over the place

    This is really no surprise: embedded system vendors aren’t good at carrying out quality assurance on their firmware images, and their embedded Web server software is what you’d expect from something written in the last 20 minutes of Friday afternoon.

Microsoft BitLocker Has Bug/Back Doors, Windows Laptop/Desktop Encryption Just a Farce
http://techrights.org/2015/11/14/microsoft-bitlocker-has-bugback-doors-windows-laptopdesktop-encryption-just-a-farce/
Sat, 14 Nov 2015 14:58:27 +0000

It doesn’t even look tough

Unlocked door

Summary: Unlocking the bogus encryption of the proprietary (secret code) BitLocker is surprisingly trivial, as Ian Haken has just revealed and demonstrated at Black Hat Europe

WE previously showed that BitLocker was not designed for security because of government intervention. Microsoft ‘encryption’ and ‘security’ patches are basically intended for an illusion of security — not real security — because Microsoft sits on zero-day flaws with the NSA. In simple terms, Microsoft ensures that the NSA and its affiliates have ways by which to remotely exploit Microsoft-made software and there is nothing that people can do to protect themselves from this, except deletion of Microsoft-made software.

Microsoft encryption continues to be an utter joke if one takes this article seriously. “A researcher” — one who is not from Microsoft — is said to have “disclosed a trivial Windows authentication bypass that puts data on BitLocker-encrypted laptops at risk.” There is no patch for this and all BitLocker instances to date are affected. Remember COFEE? Microsoft basically assumes that all people are criminals and it shows.

For those who think about relying on patches, caution is advised. Microsoft patches are broken again and users are advised not to apply them. This includes last Tuesday’s security patches, which helped reveal Microsoft’s ‘enterprise’ ‘professional’ ‘quality’:

The El Reg inbox has been flooded with reports of a serious cock-up by Microsoft’s patching squad, with one of Tuesday’s fixes causing killer problems for Outlook.

“We are looking into reports from some customers who are experiencing difficulties with Outlook after installing Windows KB 3097877. An immediate review is under way,” a Microsoft spokesperson told us.

The problem is with software in one of the four critical patches issued in yesterday’s Patch Tuesday bundle – MS15-115. This was supposed to fix a flaw in the way Windows handles fonts, but has had some unexpected side effects for some Outlook users.

“Today I’ve deployed latest Outlook patch to all of my clients, and now Outlook is crashing every 10 minutes and then restarting itself. I tried on fresh Win10, no AV with latest patches applied and here we go, Outlook crashing there too,” complained one TechNet user.

“Come on guys, do you EVER do proper QA before releasing anything Office 2013 related? This is the worst version of Outlook ever. Sorry for negative attitude but this is how things are.”

People should remember that Outlook (Webmail) itself has back doors, so for anything that requires a level of privacy (not just legal work and journalism) Windows must be avoided. Microsoft is a foe of privacy and it’s not an accident. Vista 10 takes privacy violations to a whole new level.

“Two security researchers have developed a new technique that essentially bypasses all of the memory protection safeguards in the Windows Vista operating system…”

Dennis Fisher, August 7th, 2008

SourceClear: Yet Another Microsoft-Connected (Coming From Microsoft) FOSS FUD Firm
http://techrights.org/2015/10/27/sourceclear-and-microsoft/
Tue, 27 Oct 2015 23:33:52 +0000

SourceClear

Another Black Duck in the making? Security FUD from a firm established by champions of back doors.

Summary: Another company whose business model is monetising (and thus often enhancing) fear, uncertainty and doubt (FUD) over Free/Open Source software (FOSS) and this one too comes from Microsoft

THIS trend has grown rather tiresome. Every now and then we see Microsoft’s tentacles reaching out for areas in FOSS where there is an opportunity to badmouth FOSS. They turn Microsoft’s anti-FOSS rhetoric into their business model. They institutionalise it.

Based on a new press release in its various forms/variations [1, 2, 3], we may have yet another OpenLogic or Black Duck on our hands. Another Microsoft guy creates a company that says Free software is not secure and needs some proprietary software ‘medicine’.

SourceClear is not even known (we never heard of it, it seemingly came out of nowhere), it’s a very young firm, and immediately it receives a lot of money and even promotional coverage from the News Corp.-owned Wall Street Journal, which is a Microsoft-friendly publication. The first sentence provides the background one needs to be aware of:

Mark Curphey worked to stamp out software bugs for about a decade as head of the security tools team at Microsoft Corp. and in several other jobs before he realized that the problem was getting worse instead of better.

To quote Gordon B-P: ‘”Worked at MS bugs for a decade” – didn’t do a very good job there then. What makes him think he’ll be able to “secure” OSS?’

Jordan Novet, who is a promoter of Microsoft as we noted the other day, covered this as well, using bug branding such as “Heartbleed”, coined by a company which is strongly connected to Microsoft. “It turns out that lots of other [FOSS] libraries have exactly the same issues but have not been reported,” Novet quotes Curphey, whom he describes as “previously a former principal group program manager inside Microsoft’s developer division. [...] SourceClear started in Seattle in 2013…”

With OpenLogic, Black Duck, Codenomicon and various other Microsoft-connected (often created by Microsoft people and/or managed by Microsoft people) firms that badmouth FOSS we sure expect SourceClear to be no exception. They serve to distract from the built-in and intentional insecurities of proprietary software such as Windows, including quite famously Vista 10 where back doors are an understatement because everything is recorded and broadcast (total remote surveillance), even without a breach or an access through the back doors.

Microsoft cannot produce secure code because ‘national security’, i.e. many back doors, is a design goal. It helps Microsoft establish a ‘special relationship’ with the state and in fact it just got a contract from a highly notorious company, Taser [1].

Here we are in 2013 onwards — a time when simple bugs in FOSS (a defect affecting one line or two) get all the limelight and receive names, logos etc. whereas Microsoft’s critical zero-day flaws hardly make the headlines. There are many high-impact headlines that make a huge deal of fuss every time a security bug is found in Android (again, just in recent years). We suppose it’s part of a PR campaign in which Microsoft and its partners evidently participate. They are often the ones who come up with the names, logos, and much of the accompanying negative publicity.

Related/contextual items from the news:

  1. Microsoft Helping to Store Police Video From Taser Body Cameras

    Microsoft has joined forces with Taser to combine the Azure cloud platform with law enforcement management tools.

    [..]

    In order to ensure Taser maintains a monopoly on police body cameras, the corporation acquired contracts with police departments all across the nation for the purchase of body cameras through dubious ties to certain chiefs of police.

Microsoft is Already at ‘Extend’ Phase in E.E.E. Against Free/Libre Software, Security at Jeopardy
http://techrights.org/2015/10/22/extend-freesw-with-microsoft-api/
Thu, 22 Oct 2015 12:26:41 +0000

“What we are trying to do is use our server control to do new protocols and lock out Sun and Oracle specifically”

Bill Gates

Manchester studies

Summary: Microsoft’s war against POSIX/UNIX/Linux APIs culminates with the .NET push and the ‘bastardisation’ of OpenSSH, a Swiss army knife in BSD/UNIX and GNU/Linux secure channels

MICROSOFT will not rest until it regains its once dominant position in computing. It’s not just because of pressure from shareholders but also because of cleverly-marketed sociopaths, such as Bill Gates, who are back at the helm and are very thirsty for power.

Microsoft is now pushing .NET into GNU/Linux, having failed to do so with Mono and Xamarin because regular people (end users) and sometimes developers pushed back. How can Microsoft still convince people to embrace the Microsoft APIs (which are heavily patented and not secure)? Openwashing and propaganda.

Jordan Novet, who writes a lot of pro-Microsoft or marketing pieces for Microsoft (for many months now), is formerly a writer of Gigaom, which had received money from Microsoft to embed Microsoft marketing inside articles (without disclosure, i.e. corrupted journalism). Now he acts as a courier of Microsoft marketing, repeating a delusion which we spent a lot of time debunking here (.NET is NOT “Open Source” [1, 2, 3]). To quote Novet:

Microsoft today announced the beginning of a new bug bounty to pay researchers to find security holes in some of the tech giant’s recently open-sourced web development tools.

When Microsoft alludes to “Open Source” in relation to .NET it sometimes merely piggybacks the reputation of projects it exploits. See the article “Microsoft’s .NET Team Continues Making Progress On An LLVM Compiler” (not GPL). To quote Phoronix: “Earlier this year Microsoft announced an LLVM-based .NET compiler was entering development, LLILC. Six months later, LLILC continues making progress.

“The .NET team has published a six month retrospective of LLILC. It’s a very lengthy read for those interested in low-level compiler details.”

This is a potential example of the infamous “embrace, extend, extinguish” approach. As we have shown here before, platform discrimination remains and it is even being extended to existing Free software projects, such as OpenSSH, as we explained yesterday (expect Windows-only ‘features’ and antifeatures). Microsoft APIs are already being phased in — the “extend” phase in E.E.E. (embrace, extend, extinguish). We warned about this months ago [1, 2] and we are now proven right. Even Michael Larabel noticed this and wrote: “Microsoft is still working on implementing support for Windows’ crypto APIs rather than OpenSSL/LibreSSL and to address POSIX compatibility concerns along with other issues.”

So now we have Windows- and Microsoft-specific code right there inside OpenSSH, in spite of Microsoft support of back doors for the NSA et al. Does this inspire much confidence? Repelling Microsoft isn’t about intolerance but about self defence.

“I once preached peaceful coexistence with Windows. You may laugh at my expense — I deserve it.”

Be’s CEO Jean-Louis Gassée

Microsoft’s Insecure-by-Design (Sometimes With Back Doors) ‘Contributions’ to OpenSSH http://techrights.org/2015/10/21/openssh-insecure-by-design-with-microsoft/ http://techrights.org/2015/10/21/openssh-insecure-by-design-with-microsoft/#comments Wed, 21 Oct 2015 12:15:17 +0000 http://techrights.org/?p=85605 Making a mockery out of the spirit of OpenBSD, having given money to OpenBSD

Manchester church
Vulnerability (need for money) found in the Church of BSD

Summary: Microsoft is seemingly disrupting the high standards of the OpenSSH project (and by extension OpenBSD and Free/libre software), as its focus on security is ludicrous at best

LAST week, in our daily links, over a dozen links were included about new revelations of flaws in a hugely popular encryption method. A paper presented by award-winning academics demonstrated a serious weakness. OpenSSH was among the alleged targets, potentially allowing spies to infiltrate, intercept and decrypt communications/data relayed over SSH. The philosophy and principles (UNIX) of OpenSSH had kept it strong for a very long time.

Those who keep abreast of privacy news (including NSA leaks) will know that there is an aggressive effort to crack SSH. Some ciphers were recently phased out or deprecated as a result. Knowing the role that social engineering plays in weakening encryption, the last thing one needs right now is PRISM pioneer (first company) and a back doors proponent like Microsoft inside the OpenSSH community. As we pointed out earlier this year, OpenSSH is being subjected to E.E.E. (embrace, extend, extinguish) treatment from Microsoft [1, 2] because money talks. Microsoft has a lot of money (despite losses in the billions) and OpenBSD is underfunded, hence desperate for money.

Secure channels and Microsoft Windows are incompatible concepts. It cannot be done because Windows itself has back doors, allowing penetration at root (Administrator) level. Microsoft is now pushing its back-doored, insecure-by-design APIs into the SSH project and also puts people’s keys on boxes with such inherent insecurities. How terrible a recipe is that? Is OpenBSD willing to compromise its credibility and reputation just because Microsoft gave it a ‘generous’ payment (some would call it a bribe)?

According to this update from Microsoft, they now intend to:

Leverage Windows crypto api’s instead of OpenSSL/LibreSSL and run as Windows Service…

People in the comments (not deleted, at least not yet) rightly post complaints. One said: “I don’t think I like that your replacing an open source SSL with a closed source Windows crypto api.”

Another commenter said: “Do I see a trap here?! If the Windows port uses the closed source crypto api is the whole OpenSource OpenSSH-idea then still intact?”

iophk told us: “How much key code can they replace with dodgy homebrew and still be allowed to use the same name? Without the crypto, it is not the same software and merely a derivative.”

Well, that’s just how E.E.E. has historically worked. Microsoft takes something that’s not its own and then ‘bastardises’ it, making it an inferior ‘Windows thing’ which spreads only because of the network effect or illegal bundling.

iophk has also pointed out to us that Roger A. Grimes, who works for Microsoft and IDG (news publisher) at the same time (clearly a conflict of interests), presents a false dichotomy, “freedom or security” (right there in the headline). Computer security is never the goal at Microsoft; they want back doors for so-called ‘national security’ (i.e. state power with remote access to citizens’ PCs).

“The first rule of zero-days is no one talks about zero-days,” reads this new headline (remember that Microsoft wilfully enables NSA access through zero-days).

Microsoft’s E.E.E. tactics are becoming a big threat not just to GNU/Linux but also to BSD and Free software as a whole. Microsoft now tries to become a GNU/Linux host, despite its known record of scanning every single file (claiming to do so because of child pornography) and colluding with the government for warrantless access to data stored on servers.

The E.E.E. against GNU/Linux is perhaps best demonstrated by this new article about how Microsoft tries to take over Big Data (a lot of data, sometimes incredibly sensitive) on GNU/Linux servers. “Last month Microsoft did something extraordinary,” says the author, “something which demonstrates how completely the company has changed since its third CEO, Satya Nadella, took over.”

Satya Nadella just turned the company into more of a surveillance company, as Vista 10 serves to remind us. He continues to attack GNU/Linux in many ways (including patent extortion) while saying that Microsoft “loves Linux” (a lie as big as a lie can get).

If Microsoft cannot honour Free software and respect the APIs of OpenBSD, OpenSSH, OpenSSL etc. then maybe it’s time to tell Microsoft to take back its ‘bribe’ money and go away, leaving OpenSSH alone (and secure). Almost every distribution of GNU/Linux comes with OpenSSH. Microsoft is a wolf in sheep’s clothing and it has no room inside FOSS until it quits attacking FOSS and collaborating with abusive espionage agencies like GCHQ and the NSA.

Red Hat Makes an Error by Liaising With Proprietary Software Firm and Source of FUD, Supposedly for ‘Security’ http://techrights.org/2015/10/21/red-hat-and-black-duck/ http://techrights.org/2015/10/21/red-hat-and-black-duck/#comments Wed, 21 Oct 2015 11:25:36 +0000 http://techrights.org/?p=85600 Don’t feed black ducks

Feeding ducks
Yours truly feeding the ducks
near home earlier this year (summer)

Summary: Red Hat’s cooperation with Black Duck serves to legitimise a terrible business model, wherein fear of FOSS is being accentuated and proprietary software ‘solutions’ are being offered

YESTERDAY we became aware of Red Hat turning to Microsoft’s friend, Black Duck. It happened with little prior warning and announced with the press release calling it a “[c]ollaboration to help developers, customers and partners build and run trusted, secure applications with Red Hat container technologies” (as if these are inherently less secure than some proprietary software).

What the articles fail to mention is that Black Duck’s former top manager is from Red Hat and he came back to Red Hat after his stint at this FUD firm (see the old press release titled “Black Duck Software CEO Tim Yeaton Rejoins Red Hat to Lead Newly-Formed Infrastructure Group”). Well, the doors basically revolved, twice even. Maybe that’s why Red Hat came to Black Duck, legitimising what is effectively a parasite inside the FOSS world.

We have already found some puff pieces about this, saying little more than the press release. One of them says that “Red Hat has collaborated with Black Duck Software to establish a secure and trusted model for containerized application delivery by providing verification that application containers are free from known vulnerabilities and include only certified content. This validation is a major step forward in enabling enterprise-ready application containers, and builds upon the strengths of each company – Red Hat’s position in container technologies and solutions, including its platform and certification strategy, and Black Duck’s position as the provider of comprehensive identification and earliest notification technologies of open source vulnerabilities.”

In its marketing, Black Duck would have us believe that FOSS is terrible at security, even though proprietary software has back doors ‘baked in’ intentionally. NSA et al don’t ‘break into’ Windows any more than Microsoft does; they’re allowed access, by design, intent, and agenda. Days ago we showed how marketers from Black Duck had claimed that it can cost $25,000 to fix a bug in FOSS.

As of early this morning, this new relationship received press coverage from Serdar Yegulalp (writing for IDG), Sean Michael Kerner for QuinStreet and Steven J. Vaughan-Nichols for CBS. The way Vaughan-Nichols put it, “Red Hat and Black Duck want to make sure that when you run a container, it’s really the container you want to run and not a rogue package.”

It sounds good on the surface, but is a proprietary dependence healthy in the long term? Based on Vaughan-Nichols, this isn’t a short-term engagement. “In the long run,” he explains (writing from Red Hat’s town), “the companies plan to include Black Duck technologies as a component of Red Hat’s container certification.”

There are some lazy publications that ended up throwing the self-promotional press release around. The Indian English-speaking press sort of rewrote the press release to make it look more original. Where are the sceptics? Where is the genuine reporting? All we see are puff pieces that relay claims made in a press release.

In many ways, Black Duck is successful as a marketing company, much like polygraph merchants (among other popular scams like homeopathy).

The Insecurity of Windows Made Ever More Apparent as Even Microsoft Infects Its Own Operating System http://techrights.org/2015/10/16/perception-of-windows-security/ http://techrights.org/2015/10/16/perception-of-windows-security/#comments Fri, 16 Oct 2015 14:27:43 +0000 http://techrights.org/?p=85478 Windows doesn’t have bugs, it is a bug (mass bugging without a warrant)

Lady bug
Personal Computer (PC)? Microsoft software acts more like an impersonal covert listening device.

Summary: Why any remnant of the perception of Windows security is simply misguided and unjustified, as recent stories serve to demonstrate

IT IS WIDELY known by now that Microsoft and the NSA collude or secretly cooperate so as to enable remote access into Windows and other Microsoft software/services, such as Skype. Microsoft appeases its government not just by lobbying but also by habitual snitching that helps preserve (sometimes enhance) power. Some say that this is how (and when) the antitrust case got scuttled and those who pardoned Microsoft moved on to secretive FISC/FISA courts (see the curious judges overlap). When they talk about security they mean “national security” and when they utter the word trust they mean “the government [or a corporation] trusting computer users.” It’s all in reverse. Back doors are “security” and “trust” is distrust. Windows is a digital surveillance apparatus on computers with cameras, microphone, etc. (no need for anything sophisticated and expensive like laser microphones).

Malvertising, or Windows malware for financial gain [1], made it into the news earlier this week. “Microsoft Infects Windows Computers With Malvertising” [2] was the headline from FOSS Force and it turned out that Outlook, which sports back doors, remains defective without remedy even on UNIX platforms [3]. The problem isn’t just Windows but Microsoft’s proprietary software as a whole. Who does this whole chaos serve if not an imperial espionage operation? Some are rushing to spin this and they are blaming computers as a whole [4], but obviously there is something to be said about Microsoft making its software deliberately NOT secure. Even file formats are still acting as back door enablers [5] (“In 2015, your Windows PC can be owned by opening a spreadsheet”). We already know, based on many news reports, about the FBI (or equivalents) sending malicious files to surveillance targets who foolishly use Windows.

Come on, let’s not pretend that Windows can even be made secure. The objective of the operating system is not security. “Our products just aren’t engineered for security,” a Windows manager once stated publicly. That was before the NSA leaks and after Microsoft and the NSA had reportedly colluded to put back doors inside Windows (1999).

Related/contextual items from the news:

  1. Daily Mail readers should be worried about the Angler exploit kit

    MY, HASN’T THE ANGLER EXPLOIT GROWN? The overseas malware security threat has been caught flashing its side boob at the Daily Mail and affecting UK citizens with a foreign security threat.

    [...]

    “Malvertising has been one of the main infection vectors and continues to affect large publishers and ad networks through very distinct campaigns, very much like a whack-a-mole game,” Malwarebytes said.

    “In addition to spreading via compromised websites, Angler leverages malvertising thanks to several different threat actors who use clever ways to go undetected as long as possible or are able to quickly adapt and get back on their feet if one of their schemes gets too much attention and is disrupted.”

  2. Microsoft Infects Windows Computers With Malvertising

    I thought about ignoring this one and letting it slide, but it’s too priceless, too typically Microsoft, not to pass on. It seems that Redmond has been inadvertently infecting Windows computers with ransomware through its MSN website. Not to worry, however. The company is happy to hand you a tool to remove the malware, which is akin to locking the door after the horse is gone, as your files will by then be locked up tighter than a waterproof safe.

    The news came yesterday, via ZDNet, that Microsoft has “upgraded its malicious software removal tool to tackle TeslaCrypt, or Tescrypt as it calls it.”

    TeslaCrypt, a ransomware trojan, became big news early this year when it was found to be targeting computers with a variety of computer games installed. The malware evidently looks for file extensions associated with 40 or so games and encrypts them. The list of games infected includes such popular titles as Call of Duty, World of Warcraft, Minecraft and World of Tanks. From there, the scenario is all too familiar. To unencrypt, users must pay up — the going price is the equivalent of $500 in Bitcoins — to receive the decrypt key.

    While media mainly focused on the gaming aspect of TeslaCrypt, lulling non-gaming Windows users in to a false sense of security, it appears that the trojan also targets financial and tax software.

    Ho hum. Life as usual in the Windows world, eh?

    Trouble is, Microsoft began to notice a major uptick in detections of TelsaCrypt in late August, with the numbers rising from less than 1,000 detections daily to more than 3,500. This coincided with a report from the security company Malwarebytes, which detailed on August 27 a major ad based malware campaign using major news websites — including MSN.com — as drive-by delivery platforms.

  3. Microsoft update for Outlook 2011 on El Capitan doesn’t fix problems

    APPLE ROLLED OUT the latest official version of its Mac operating system last week, but the update crashes Microsoft Outlook. Microsoft has since rolled out an update designed to fix the problem, but it does not appear to have worked.

    Microsoft released the Office for Mac 2011 14.5.6 update in response to hundreds of complaints that its email software constantly crashes on the latest Mac OS X El Capitan.

    “This update provides the following fixes to improve Mac OS X El Capitan compatibility. The hang situation that occurs during an account sync operation in Microsoft Outlook for Mac 2011 is fixed,” Microsoft claimed.

  4. Cybercrime costs us dearly: study
  5. In 2015, your Windows PC can be owned by opening a spreadsheet

    Microsoft and Adobe have pushed out their scheduled monthly security updates, with familiar names like IE and Flash once again getting critical fixes.

    For Redmond, the October update brings fixes for 33 CVE-listed security vulnerabilities. The updates include a cumulative fix for Internet Explorer and patches to address critical flaws in Windows VBScript/Jscript for Windows Vista/Server 2008 and Windows Shell. Office, the Windows kernel, and Windows Edge also received fixes.

The Microsoft Botnet Goes Bonkers and ATMs Running Windows Spew Out Cash http://techrights.org/2015/10/01/microsoft-botnet-vista-7/ http://techrights.org/2015/10/01/microsoft-botnet-vista-7/#comments Thu, 01 Oct 2015 10:06:11 +0000 http://techrights.org/?p=85118 “Mission-critical” and “Windows” are not possible to mention in the same sentence

Manchester Airport

Summary: The terrible security (by design) of Microsoft Windows is causing all sorts of very serious and collectively expensive issues

NOW that Rianne and I are back from vacation (Manchester Airport is shown above) we are amused to see even Dan Goodin, a selective basher of Free software, covering this latest blunder from Microsoft (affecting Vista 7). Sosumi dropped this pointer last night in the #techrights IRC channel and since then the word has been spreading rather quickly. Dan Goodin finally writes about the Microsoft Windows botnet (Windows Update, for a change) and Microsoft rushes to do ‘damage control’ by going after journalists. To quote Goodin:

“Microsoft said a highly suspicious Windows update that was delivered to customers around the world was the result of a test that wasn’t correctly implemented.

“We incorrectly published a test update and are in the process of removing it,” a Microsoft spokesperson wrote in an e-mail to Ars. The message included no other information.”

Yeah, whatever. It’s hard to refute something like that, but it may as well be a lie. It would be hard to prove what actually happened unless someone from the inside (like a whistleblower) got contacted. It’s all secretive and proprietary. Here is what the British media (Goodin’s former employer) wrote: “The Register poked Microsoft about the issue, and a spokesman told us: “We incorrectly published a test update and are in the process of removing it.”

“How that sort of thing happens, though, we’re not totally clear on. The bizarre update has certainly confused a load of Windows users, who hit the support forums in search of answers.

“Beginning with Windows 10, Microsoft has begun touting a new strategy of “Windows as a service,” where updates are continuous and automatic, and only enterprise customers are given the option of refusing them.”

When the Microsoft botnet (commandeered by the NSA and not just Microsoft, which grants the NSA access) goes awry we should all be reminded of the importance of software freedom. Windows Update, with automatic invocation in particular, is a truly terrible thing (even in Free software). Not only state-sanctioned spies but crackers too can exploit it, through back doors for example.

The monopolist knows that people are increasingly worried about all this remote control-like functionality. Microsoft Peter now comments [1] on mass surveillance (even on keystrokes) in Vista 10 after Microsoft admitted that mass surveillance is very much intentional, not a glitch. People inside Microsoft told me that it’s only getting worse (at development stages) and bound to get worse by the next release of Windows.

In other news, proprietary Windows and proprietary RAR now facilitate remote access by secret agencies (see this discussion). To quote Net Security: “A critical vulnerability has been found in the latest version of WinRAR, the popular file archiver and compressor utility for Windows, and can be exploited by remote attackers to compromise a machine on which the software is installed.”

The press hardly covered this. Instead it got obsessed with “XOR DDOS”. Weak passwords are to blame, not GNU/Linux, but all the headlines name “Linux”. There are finally some decent articles about it, not FUD from Microsoft boosters and insecurity firms (looking to sell their services).

Another bit of FUD came from The Inquirer last week (mentioned in our daily links). The Inquirer changed the headline after falsely accusing/blaming Linux, merely because the acronym XFS was mentioned (purely Windows in this case, not related to the Linux file system). Here are some articles about it [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14]. In short, lots of ATMs are being exploited not because of Linux but because they don’t use Linux. This is because of Windows. What kind of company STILL uses Windows in ATMs and banking in general? This is a platform of botnets and back doors, it’s simply unfit for purpose. Guess who pays the price for clueless technologists who put Windows in banks (which can receive bailout from taxpayers)? Just imagine where we would be if airplanes ran Windows…

Related/contextual items from the news:

  1. Microsoft reaffirms privacy commitment, but Windows will keep collecting data

    The second category is personalization data, the things Windows—and especially Cortana—knows regarding what your handwriting looks like, what your voice sounds like, which sports teams you follow, and so on. Nothing is changing here. Microsoft says that users are in control, but our own testing suggests that the situation is murkier. Even when set to use the most private settings, there is unexpected communication between Windows 10 and Microsoft. We continue to advocate settings that are both clearer and stricter in their effect.

Microsoft Technology Crashes Financial Markets, Again http://techrights.org/2015/08/29/crashing-the-financial-market/ http://techrights.org/2015/08/29/crashing-the-financial-market/#comments Sat, 29 Aug 2015 14:02:06 +0000 http://techrights.org/?p=84723 Microsoft stack is a mutual fund’s assured destruction

SunGard and Microsoft

Summary: SunGard, which is a Microsoft shop, is clearly failing to provide what it calls mission-ciriticaal [sic] solutions

IT HAS been an exceptionally long time since we last heard from or wrote about the London Stock Exchange (LSE) [1, 2, 3, 4, 5] because now that it runs a lot of Free software, including GNU/Linux at the very core, it is so stable that the architecture is not newsworthy. It’s uneventful. There are, however, some who still insist on using Windows in mission-critical systems. They are paying a high price for this, first at acquisition and later when things go awry, repeatedly even.

It is not only the LSE that moved to GNU/Linux (dumping Microsoft after many severe problems and a huge bill). Wall Street is famously GNU/Linux-powered after many years with UNIX (it never relied on Windows), but there are private firms that rely on Microsoft and they have just paid a very high price for that. “Bank of New York Mellon Corp.,” says the Wall Street media, “is still working to provide closing prices for certain mutual funds and exchange-traded funds after a technology used to generate net asset values broke down on Monday.”

“Computer Glitch rocks the Mutual Fund Industry,” a reader wrote to us, pointing to more articles about the collateral impact (it’s disrupting the market as a whole). “There’ll be no mention of the Microsoft connection,” he noted. So far he has been right. Nobody calls out Windows. Here is Microsoft’s page about the “Microsoft and SunGard Alliance”. To quote parts of it: “As is demonstrated by the IntelliMatch Operational Control Windows 8, SunGard is innovating utilizing Microsoft technology to ubild mission-ciriticaal [sic] solutions for the global financial services community”

Yes, mission-ciriticaal [sic] (not our typo) is what it’s really for. They can’t even deal with English, so how about real-time systems with trillions of transactions? Based on Google’s cache, the page has contained this typo for quite some time. SunGard is a joke and it relies on Microsoft’s amateurish software.

Having looked for stronger evidence of Windows being the cause, a reader told us, sarcastically: “If it wasn’t Windows they would be singing it to the rafters. On the other hand maybe it was a pretext to shut down trading as the market was in the middle of another panic selling. Remember when a whole day’s trades were ‘lost’ on the NY stock exchange. The computers recovered just at the end of day trading.”

There are many reasons why no firm should ever use Windows, as Stuxnet serves to remind anyone who is still wilfully ignorant. This is especially true for financial firms, law firms, politicians, and journalists. They don’t need to be “foreign” to be targeted, they just need to be viewed as “hostile” towards some of those who are presently in Power. The government wishes to meddle and disrupt opposition or risk to Power. That’s a universal problem.

The author at TechDirt [1], as well as others [2], neglect to mention right now that CIPAV, which the FBI turns out to have used to disrupt journalists based on the explosive revelations below, specifically targets Microsoft Windows, a platform with back doors.

Related/contextual items from the news:

  1. AP Sues FBI Over Impersonating An AP Reporter With A Fake AP Story

    Last fall, we wrote about how the FBI had set up a fake AP news story in order to implant malware during an investigation. This came out deep in a document that had been released via a FOIA request by EFF, and first noticed by Chris Soghoian of the ACLU. The documents showed the FBI discussing how to install some malware, called a CIPAV (for Computer and Internet Protocol Address Verifier) by creating a fake news story…

  2. Associated Press sues FBI over fake news story

    The Associated Press filed a lawsuit (PDF) this morning, demanding the FBI hand over information about its use of fake news stories. The case stems from a 2007 incident regarding a bomb threat at a school. The FBI created a fake news story with an Associated Press byline, then e-mailed it to a suspect to plant malware on his computer.

    The AP sent a Freedom of Information Act request to the FBI last year seeking documents related to the 2014 sting. It also seeks to know how many times the FBI has used such a ruse since 2000. The FBI responded to the AP saying it could take two years or more to gather the information requested. Unsatisfied with the response, the Associated Press has taken the matter to court.

Sabine Pfeiler and Otto Seidl Should Take Note as Russia — Like China — is in the Process of Banning Microsoft Windows for Security Reasons http://techrights.org/2015/08/24/sabine-pfeiler-and-otto-seidl/ http://techrights.org/2015/08/24/sabine-pfeiler-and-otto-seidl/#comments Mon, 24 Aug 2015 11:53:07 +0000 http://techrights.org/?p=84631 Strapping NSA back doors onto Munich oughtn’t be an option

Sabine Pfeiler

Summary: A look at a strange suggestion, signed by Sabine Pfeiler (above) and Otto Seidl, who suggest going back to Microsoft which is basically a spyware company now

THE enormous long-term cost of Microsoft Windows, deferred and inevitably incurred due to blackmail and espionage (possibly more expensive than dealing with script kiddies/crackers alone), was detailed in the previous post. No nation other than the US (not even other Five Eyes nations) should procure proprietary software from the United States. Britain has just repeated this error [1] and some Microsoft fans in Germany apparently want to revert to making this error, having already undone it (dumping proprietary software, including Microsoft, in Munich).

We wish to start with some rather exciting news. Thankfully enough, Russia is now following China’s footsteps and may ban Vista 10 (China also banned Office in government, not just Vista 8, recognising that it’s a collective Trojan horse from the NSA). Last year or the year before that Russia had already taken first steps towards banning Windows by banning x86 in government (Wintel) and days ago it went further. Citing Russian media, Linux Veda writes: “The vice speaker of Russia’s State Duma, Nikolai Levichev, has written to Prime Minister Dmitry Medvedev asking for the Russian government to ban the use of Windows 10 amongst Russian civil servants. Levichev is concerned that Microsoft may allow US agencies to access data collected from Russian officials.”

Based on countless leaks from the NSA (many mention Russia by name), the above is undoubtedly being done. To think otherwise would be willful ignorance. Germany too is a target (political and industrial espionage), as recently demonstrated by Wikileaks, not just Snowden’s leaks and subsequent unattributed leaks.

It then leads us to our main topic, which is bogus stories from Microsoft propaganda sites, distorting the stories that were originally published in Germany about a week ago. We have a misleading headline about just two people, making them sound like the whole city of Munich. These people are Sabine Pfeiler and Otto Seidl.

Microsoft propaganda sites will latch onto anything and anyone, as they have been doing for years, never leaving Munich alone because it has become an embarrassment to Microsoft and a winning example/trophy for GNU/Linux on the desktop. What Microsoft does in Munich right now is definitely not sitting on its hands and accepting defeat. There is lobbying that is difficult for outsiders to see, but evidence occasionally comes out, as we have shown here over the years (we wrote dozens of articles about this). Partner companies, not just moles or lobbyists, are involved in this. Munich is constantly under attack.

A European reader of ours helped us understand what is happening in Munich right now. “Two ‘softers,” he said, is what it boils down to. “Annoying that they get any press at all. [...] it does look like only two ‘softers and not two independent people. More can be done to bring up the games that Microsoft continues to play against competitors, especially FOSS. Too many are falling for that “another chance” tactic, one that’s been used every few years for decades.”

We tried to find out more, for instance anything suspicious in the professional background of the troublemakers. Microsoft recently blackmailed members of the British Parliament, as it had previously done in Norway and other places (if you do what we say, we’ll do this thing for your area, but if you don’t, we’ll punish you). There are plenty of bribes and blackmail examples; Microsoft is full of those.

Our reader tracked down the original PDF. It is signed by these two people:

Sabine Pfeiler, Stadtrat
Otto Seidl, Stadtrat

“Your German is certainly better than mine,” said the reader, “but there are probably these two. They’re both in office through 2020. The main argument that the laptops have no programs for text editing, Skype, Office etc does not hold water. LibreOffice and even nasty ol’ unsafe Skype are available for GNU/Linux on x86, though the latter has not been approved by the IT dept there. But the Tech Republic article does say they are using Intel processors and that LibreOffice is on them.

“Seidl had in 2014 defended LiMux against mayor Dieter Reiter and Josef Schmid. However, I think that something is fishy, but cannot find anything with just a cursory search.”

Vista 10 is an unacceptable risk, especially for government, and Germany has been more strict than most nations about digital control over its computing (even UEFI 'secure boot' is verboten). Vista 10 can add back doors, bug doors, delete files, add files etc. and it won’t even tell the user. We covered this the other day, noting that RMS (Richard Stallman) was right all along. This is why Microsoft will consider doing almost anything (even blackmail and bribes) to get its way here, enabling the Trojan horse to slip inside the whole of Germany. The NSA would certainly like for this to happen.

According to Manish Singh, “[i]f you’re having trouble deciphering what exactly Microsoft is bundling in Windows 10 updates, it is not your fault. Moreover, it is about to get worse. Microsoft has confirmed that it might choose to not offer a detailed changelog with new Windows 10 updates.”

Microsoft just remotely modifies Vista 10 and won’t explain how, why, and when. It is virtually as though one’s own computer is rented or leased. Even the British media took note. Simon Sharwood spoke to Microsoft and then reported that “Microsoft has explained its policy about how much information it will offer on the content of Cumulative Updates to Windows 10.”

Remember that for most users it will be impossible to even deny automatic updates. Microsoft Peter, not only Microsoft sceptics, reminds us right now that Microsoft has no plans to tell us what’s in Windows patches. Vista 10 already has back doors (and worse, it turns networks into botnets), but the point is, additional ones can be added at any time, silently. What would happen at times of war? Germany simply mustn’t consider going back to Windows and more cities should now follow Munich’s lead, maybe adopting much of the same Free software that Munich developed over the years.

Have politicians actually been following what’s happening right now? BND collusion with the NSA makes it simpler to blackmail German politicians, this we know for sure…

Related/contextual items from the news:

  1. UK government signs new deal with Oracle

    The UK’s Crown Commercial Service (CCS) yesterday revealed that it would be teaming up with software giant Oracle, in a three-year partnership which will see the two collaborate to deliver services to public sector bodies including the National Health Service (NHS).

    Just weeks after the government announced that it would be cutting back on its use of Oracle software, the new deal instead extends the existing agreement signed in 2012 and aims to bring new cost-saving solutions. The CCS has promised that the signing of the Oracle memorandum of understanding (MoU) will “deliver additional savings for the taxpayer.”

Microsoft Windows Leads to Espionage and Blackmail: Latest Examples http://techrights.org/2015/08/24/windows-hidden-cost/ http://techrights.org/2015/08/24/windows-hidden-cost/#comments Mon, 24 Aug 2015 11:00:15 +0000 http://techrights.org/?p=84628

“Our products just aren’t engineered for security.”

Brian Valentine, Microsoft executive

Summary: Another news overview, detailing high-profile examples of high-cost Windows deployments (including the cost of litigation and settlement)

THE “IRS hack [is] far larger than first thought,” according to this new report. It’s no secret that the IRS is a Microsoft Windows shop (which was warned about security breaches as far back as 6 years ago), so it makes one wonder if Windows was to blame here, as in the OPM breach, the Sony breach, and most recently the Ashley Madison breach (not to mention Stuxnet in Iran). Based on our information, all these high-profile breaches one way or another involve Microsoft reliance. The corporate media failed to call out Windows, but a little bit of research often helps boil it down to Microsoft’s NSA-accessible (through back doors) platforms.

Below is a new story which shows how Argentina targets [1] a large number of dissidents for surveillance using a fake “confidential document [that] was intended to infect a Windows computer.” GNU/Linux users needn’t worry about such things. Then of course there is the latest high-profile breach, the one affecting tens of millions of members of Ashley Madison (including almost ten thousand members of the military, including high-ranked ones), some of whom are suing [2] (what’s the price of a failed marriage or blackmail?). The parent company can now be sued into bankruptcy. It’s the (hidden) high cost of Windows. According to [3], “Security Was An Afterthought” at Ashley Madison. Well, that’s quite evident. Ashley Madison is hardly even hiding it (DMCA rampage is not a substitute) and it has been made ever more obvious by the fact that they were using Microsoft Windows.

Microsoft and security are mutually exclusive, unlike Microsoft and insecurity. No secure application can be mounted on top of a base with back doors. It ought to be crystal clear after Snowden’s many revelations.

Related/contextual items from the news:

  1. Inside the Spyware Campaign Against Argentine Troublemakers

    Alberto Nisman, the Argentine prosecutor known for doggedly investigating a 1994 Buenos Aires bombing, was targeted by invasive spy software downloaded onto his cellular phone shortly before his mysterious death. The software masqueraded as a confidential document and was intended to infect a Windows computer.

  2. Canadians are suing Ashley Madison because a lack of prophylactic protection

    A brace of law firms are behind a class action lawsuit against Ashley Madison because it did not do enough to protect personal and private information.

    The class action case, from two Canadian law firms, argues that the hookup stations failed users by not protecting their information and for not deleting it after a fee had been paid to ensure its deletion. It seeks $578m.

    According to the New York Post the lawyers want some satisfaction for a cluster of punters who are currently wearing outraged expressions and regretting joining a site that does what it does in the way that it does it.

  3. ‘Security Was An Afterthought,’ Hacked Ashley Madison Emails Show

    It’s already clear that, despite handling very sensitive data, Ashley Madison did not have the best security. Hackers managed to obtain everything from source code to customer data to internal documents, and the attackers behind the breach, who call themselves the Impact Team, made a mockery of the company’s defenses in an interview.

Ashley Madison Disaster Apparently the Fault of Microsoft Windows http://techrights.org/2015/08/20/ashley-madison-microsoft-windows/ http://techrights.org/2015/08/20/ashley-madison-microsoft-windows/#comments Thu, 20 Aug 2015 11:50:37 +0000 http://techrights.org/?p=84570

What kind of company uses Windows for security?!

Summary: New reports serve to show that Ashley Madison’s leaked data includes a complete dump of corporate Windows passwords

TWO months ago we wrote about the Office of Personnel Management (OPM) breach and Microsoft Windows. It’s quite unusual for large, high-profile breaches to involve anything but Microsoft, but the media rarely call out Windows, not even when Stuxnet is clearly all about Windows (not surprisingly, because Microsoft aids the NSA and the NSA developed Stuxnet) and the Sony breach was reportedly the fault of a leaky Windows server, irrespective of who infiltrated it (an entirely separate question).

Another day, another crack. Because OPM contains the personal details of many rich and powerful people, OPM still dominates the news to some degree (although Windows is rarely mentioned), and now it’s Ashley Madison [1,2]. A lot of people, including very high-profile people, can now be publicly shamed and/or blackmailed.

According to this report, the leak “included a full domain dump of corporate passwords (NTLM hashes) of the Windows domain of the company” (hello Microsoft!).

“According to security experts, including Krebs,” wrote Gordon in IRC, “it’s definitely a legit dump” and there are articles that explain why. “The database dump,” to quote this one report, “appears to be legitimate and contains usernames, passwords, credit card data (last four), street addresses, full names, and much much more. It also contains an extensive amount of internal data which looks like the hackers had maintained access to their environment for a long period of time.”

Ashley Madison’s owners are in panic because a lot of lawsuits may be imminent. They are trying to DMCA sites that share the data, but history teaches that this is a futile effort. They now pay the price of using Windows and many people (perhaps dozens of millions) pay the price of relying on a company that uses Windows.

Well done, Microsoft. Instead of helping just the NSA (and by extension Five Eyes) hoard weapons of blackmail against billions of people, the company has now got weapons of blackmail scattered all around the Web, targeting many millions of people. Microsoft leads to a form of global anarchy by making its software flawed by design and leaky by intention. It’s that same dumb mentality that leads some politicians to demand back doors only for the “Good Guys” (them).

Related/contextual items from the news:

  1. Remember How The DMCA ‘Stopped’ The Release Of Ashley Madison Cheaters Data? About That…

    And… it took longer than expected, but less than a month later, the data file has leaked online, and you can bet that lots of people — journalists, security researchers, blackmailers and just generally curious folks — have been downloading it and checking it out.

    Maybe, next time, rather than claiming copyright, the company will do a better job of protecting its systems.

  2. Data from hack of Ashley Madison cheater site dumped online [Updated]

    Gigabytes worth of data taken during last month’s hack of the Ashley Madison dating website for cheaters has been published online—an act that could be highly embarrassing for the men and women who have used the service over the years.

    A 10-gigabyte file containing e-mails, member profiles, credit-card transactions and other sensitive Ashley Madison information became available as a BitTorrent download in the past few hours. Ars downloaded the massive file and it appeared to contain a trove of details taken from a clandestine dating site, but so far there is nothing definitively linking it to Ashley Madison. User data included e-mail addresses, profile descriptions, addresses provided by users, weight, and height. A separate file containing credit card transaction data didn’t include full payment card numbers or billing addresses.

    [...]

    “We have now learned that the individual or individuals responsible for this attack claim to have released more of the stolen data,” they wrote in an e-mail to Ars. “We are actively monitoring and investigating this situation to determine the validity of any information posted online and will continue to devote significant resources to this effort. Furthermore, we will continue to put forth substantial efforts into removing any information unlawfully released to the public, as well as continuing to operate our business.”

“Our products just aren’t engineered for security.”

Brian Valentine, Microsoft executive

The Huge, Collateral Cost of Microsoft’s Collusion With Five Eyes Espionage Agencies http://techrights.org/2015/08/12/nsa-collusion-cost/ http://techrights.org/2015/08/12/nsa-collusion-cost/#comments Wed, 12 Aug 2015 21:51:56 +0000 http://techrights.org/?p=84513 Michael S. Rogers
“I don’t want a back door. I want a front door.” — Director of the National Security Agency (NSA), April 2015

Summary: Microsoft Windows continues to be inherently insecure, at the very least because Microsoft worked to make intrusion possible by shady agencies that operate outside the law (much like cyber gangs)

IT IS no secret that Microsoft works closely with the NSA and other Five Eyes agencies. It is also no secret that Stuxnet was developed by those agencies and targets Microsoft Windows. After it had targeted Iran it sort of ‘spilled out’ and caused many billions in damages all around the world (we covered examples). Having gotten out of hand, Microsoft’s back doors for espionage agencies were soon exploited also by the “bad guys” (not that espionage agencies can be described as “good guys”). There is no substitute for absolute, scientifically-verifiable security and strong encryption. People who sell “Golden Key” dreams are non-technical war-loving liars. Based on this new article (Dan Goodin finally targets Microsoft for a change, having repeatedly bashed just Free software), a new Windows “exploit is reminiscent of those used to unleash Stuxnet worm.” To quote Goodin: “The vulnerability is reminiscent of a critical flaw exploited around 2008 by an NSA-tied hacking group dubbed Equation Group and later by the creators of the Stuxnet computer worm that disrupted Iran’s nuclear program. The vulnerability—which resided in functions that process so-called .LNK files Windows uses to display icons when a USB stick is plugged in—allowed the attackers to unleash a powerful computer worm that spread from computer to computer each time they interacted with a malicious drive.”

Any design that lets a USB device trigger commands at such high levels is a design that’s clearly not designed by security professionals. Many other issues tied to this design have been reported for over a decade and Microsoft is not fixing it. According to last year’s explosive report, titled “N.S.A. Devises Radio Pathway Into Computers”, the NSA “relies on a covert channel of radio waves that can be transmitted from tiny circuit boards and USB cards inserted surreptitiously into the computers.”

The media may go on about how Microsoft no longer delivering security patches is an issue, but as Microsoft tells the NSA about holes before patching them, what difference does it make? All versions of Windows, no matter how up to date they are, are vulnerable. It’s not an accident. “Both Microsoft and HP were insistent companies that hadn’t refreshed [Windows Server 2003] after 14 July,” said the report, “are exposing themselves to all sorts of security attacks, and that up-to-date patches and firmware are needed.”

No, their first mistake is that they use Windows anything (never mind Windows Server, irrespective of the version too). Windows is not designed to be secure. It has back doors and front doors. GNU/Linux is designed for security from the ground up and if one does not believe it, one can freely scrutinise the code.

“The continuous and broad peer-review enabled by publicly available source code supports software reliability and security efforts through the identification and elimination of defects that might otherwise go unrecognized by a more limited core development team.”

CIO David Wennergren, Department of Defense (October 2009)

The Delusion of Privacy and Security in Vista 10 Instantaneously Debunked Even in the Media, Despite Microsoft’s PR Efforts http://techrights.org/2015/08/07/privacy-and-security-in-win-10/ http://techrights.org/2015/08/07/privacy-and-security-in-win-10/#comments Fri, 07 Aug 2015 14:17:54 +0000 http://techrights.org/?p=84430 “[W]e’re not going to have products that are much more successful than Vista has been.”

Steve Ballmer

Summary: The media continues to mock Vista 10 ‘features’ (and by extension Microsoft) for their gross privacy violations while Microsoft boosters try to create an illusion that Microsoft wants to improve security, despite creating back doors for rogue government agencies

BASED on some of the very latest Web statistics, the adoption rate of Vista 10 is very poor, especially when one considers the cost. Vista 10 surprised many people when it was served to the public (final release) with all the surveillance built in, as if every user (or buyer) is a beta tester of Microsoft, expected to endlessly send input to Microsoft for debugging purposes (even keystrokes!). What started with some blogs and privacy groups ranting about Vista 10 is now a major story in much of the media.

WND, a GOP-centric site, complains about Vista 10 and goes with the headline “Windows 10 spies on emails, images, credit cards, more”. Linux Veda says that “Microsoft are abusing their users and we could do with a useful tool to restrict this.”

You know that Vista 10 is broken when people (both developers and non-developers) desperately try to ‘fix’ it, as is widely reported in the media right now. Some people reportedly abandon it (to go back to older Windows or upgrade to GNU/Linux). Since Vista 10 is proprietary software, there is no way to fix it or even ensure it does not send personal data to Microsoft (silently, with or without encryption). One can only hope, especially when adjusting settings using Microsoft’s own handles.

Twitter’s Microsoft spam (paid for by Microsoft) now reaches shamelessly high levels, for they append “sponsored” Microsoft propaganda even to hashtag pages, calling it “top news” and linking to Bing shortcuts, posted by Microsoft’s professional buddies. We have already complained about how Twitter was helping Microsoft promote Vista 10 (these two companies have been working together for a long time [1, 2, 3, 4, 5]).

Much of Microsoft’s ‘damage control’ (notably in Twitter) is just linking to articles which suggest ‘fixes’, as if privacy in Vista 10 can be easily sorted out. The ToryGraph says that “Microsoft is collecting user account information, credit card details and passwords,” but then goes gentle/soft on Microsoft. An article by Steven J. Vaughan-Nichols refers to those concerned about privacy violations in Vista 10 as “paranoid”. TechRadar, which so often delivers Microsoft spin, tries to advise readers, not by telling them to steer away from Vista 10 but rather to ‘fix’ it. A better article came from Andrew Orlowski, who called Vista 10 “a clumsy, 3GB keylogger.” In his article titled “Microsoft vacates moral high ground for the data slurpers’ cesspit” (showing if not emphasising Microsoft’s hypocritical attacks on Google) Orlowski wrote: “A funny thing happened while I was reinstalling Windows 8 over Windows 10 yesterday morning. There in front of me, halfway through the installation process, were two full, clear pages of privacy toggles. Every toggle was set to not send private information to Microsoft, or anyone else.

“In addition, Windows 8 created a local user account by default – and didn’t demand I maintain a constant, umbilical connection to Microsoft’s servers. Windows 8 was configured for maximum privacy. Now compare this to the indiscriminate data slurp that Microsoft calls Windows 10. It’s basically a clumsy, 3GB keylogger.

“It’s often said that with data protection and privacy, we’re like lobsters: we don’t notice the water getting warmer and warmer, until we’re boiled alive. So it’s been with Windows. Windows 8.1 didn’t show you clear choices or screens with privacy toggles anymore, but invited you to agree to either “Express Settings” for privacy (wow: cool, convenient) or “Customise” them (there be monsters). It respected your local user account, but then bullied you into switching to the umbilical when you accessed the Store. Windows 10 makes the Customise option so small it looks like the trademark notice, and even then, the defaults are set to send everything to Microsoft, and only allow you to control the data slurp partially. Local user accounts are so buggy in Windows 10 that you’ll probably switch to always-being-slurped anyway.”

“It’s time we owned our own data,” says this new article, quoting what it called a “Silicon Valley truism.”

“If you’re not paying, you’re the product” is the truism. Microsoft has turned users of Windows into useds, or products. Microsoft is intensifying its relationship with the NSA while many other companies try to distance themselves from the NSA. Microsoft does not strive to offer security at all, despite its empty claims to the contrary (like a show trial involving data in Ireland). IDG's Microsoft boosters and Microsoft staff (Microsoft MVP J. Peter Bruzzese in this particular case) prop up the illusion of Microsoft as advocate of “security”, but it is just Microsoft marketing shrewdly disguised as “articles”, or Microsoft MVPs acting like external staff (watch this Microsoft advocacy site having a go too). Vista 10 ought to end any pretense that Microsoft cares about security.

Remember that Microsoft did not fix a serious Windows flaw for 3 months, despite Google urging Microsoft to fix it. The above ‘articles’ (from Microsoft mouthpieces) are just part of the publicity stunt. Microsoft is not bothering to fix critical flaws that it knows about and tells the NSA about (essentially giving back door access to all versions of Windows, as usual). Vista 10 takes all this to unprecedented new levels and lets spies track Windows users in real time (even their keystrokes!). It also harvests passwords, including encryption keys (supposedly for 'recovery').

Free Software is Commercial http://techrights.org/2015/08/04/commercial-software-fud/ http://techrights.org/2015/08/04/commercial-software-fud/#comments Tue, 04 Aug 2015 09:04:43 +0000 http://techrights.org/?p=84356 “There’s no company called Linux, there’s barely a Linux road map. Yet Linux sort of springs organically from the earth. And it had, you know, the characteristics of communism that people love so very, very much about it. That is, it’s free.”

Steve Ballmer, Microsoft’s CEO at the time

Summary: Corporate media helps stigmatise Free/Open Source software as unsuitable for commercial use and once again it uses the ‘security’ card

SEVERAL days ago in our daily links we included two articles that used the term “commercial software” (to mean proprietary software). Both cited Synopsys. It is amazing that even in 2015 there are some capable of making this error, maybe intentionally. Commercial software just means software that is used commercially. A lot of it is Free/Open Source software (the corporate media prefers the term “Open Source” to avoid discussion about the F word, “freedom”).

Yesterday we found yet another headline which repeats the same formula (as if they all received the same memo), calling proprietary software “commercial software”, thereby reinforcing the false dichotomy and the stigma of Free software. “Looking at our Java defect density data through the lens of OWASP Top 10,” says Synopsys, “we observe that commercial software is significantly more secure than open source software.”

Another article from yesterday reminded us that Free software takes security very seriously and top/leading Free software projects are widely regarded (even by Coverity) as more secure than proprietary counterparts. Oddly enough, Synopsys links to a “Coverity Scan Open Source Report 2014”, not 2015, and the report is behind walled gardens, so it is hard to check if these headlines tell the whole story or just part of it. The analysis itself is done by proprietary software, whose methods are basically a secret. Go figure…

We recently saw some very gross distortions where security issues in proprietary software got framed as Free software issues. As we have repeatedly demonstrated and stressed over the past year and a half, there seems to be a campaign of FUD, ‘branding’, and logos (the latest being targeted at Android/MMS) whose goal is to create or cement a damaging stereotype while always ignoring back doors and even front doors in proprietary software (now out in the open because of the British Prime Minister and the ringleader of the FBI).

Vista 10 (Windows 10) Has NSA Back Doors and Front Doors http://techrights.org/2015/07/25/back-doors-and-front-doors/ http://techrights.org/2015/07/25/back-doors-and-front-doors/#comments Sat, 25 Jul 2015 19:19:56 +0000 http://techrights.org/?p=84207 Michael S. Rogers
“I don’t want a back door. I want a front door.” — Director of the National Security Agency (NSA), April 2015

Summary: Vista 10 to bring new ways for spies (and other crackers) to remotely access people’s computers and remotely modify the binary files on them (via Windows Update, which for most people cannot be disabled)

MICROSOFT never cared about security. A former Windows manager, Brian Valentine, said explicitly that Microsoft products “just aren’t engineered for security.” Last year we also showed how back in the 1990s Bill Gates and his staff had already collaborated quite intimately with the NSA, well before Snowden’s NSA and GCHQ leaks helped confirm this (with hard evidence and subsequently media reports).

The Apache Software Foundation (ASF), which is unfortunately headed by a guy from Microsoft, is going into bed with the NSA right now, despite the negative publicity that may accompany/come with such a move. Microsoft, much to our surprise, is still working with the NSA on Windows, and it does this also for Vista 10. One new article about Microsoft’s purchase of an Israeli (i.e. spy-friendly, as we explained days ago) company says that “[a] big reason for this is the company’s collaboration with the National Security Agency (NSA).”

Microsoft is still thinking that enough people foolishly believe NSA collaboration is ‘for security’ rather than for ‘national security’, i.e. back doors. A Windows-powered site reminded us some days ago that NSA “worked with Microsoft on security aspects of the Windows 7 operating system and later for Windows 8 and 10.”

Yes, Microsoft still keeps the NSA in the picture. This actually surprised us because it’s a PR disaster. Why does Microsoft still want to be seen working in cahoots/collusion with the NSA? In proprietary software, back doors or “national security”, i.e. not real security, are the cause of many costly issues. Software is designed to be penetrable rather than secure. Is there anyone who still honestly thinks that Vista 10 won’t have back doors? Microsoft never stopped its relationship with the NSA and it is obviously still working with the NSA, despite knowing the negative publicity this can bring. A Darwin Award goes out to anyone who still thinks that Microsoft is not helping the NSA exploit its software (because “national security” and other such excuses), despite the Snowden-provided documents that show exactly that.

Earlier today the developer of GNU Telephony wrote that at Microsoft “they created the perfect environment for such demands to be met, forced updates is a front door for govt malware and spying” [and indeed, as The Register revealed last week, they had even removed the ability to stop/block these updates in most “editions”. Over ten years ago it was reported on the Web that even when you toggle off automatic updates Microsoft still does it.]

Looking back at news only a few days old, HP has reported 4 new vulnerabilities in Internet Explorer, and not for the first time. To quote IDG: “HP’s Zero Day Initiative (ZDI) doesn’t cut much slack with its 120-day disclosure policy. When ZDI knocks on your door and says you have a security hole, you get 120 days to fix it or risk full public disclosure. That’s what happened — again. With ZDI and Microsoft — again. Over Internet Explorer — again.”

“The only way to avoid MSIE is to ditch Windows since it is built-in and impossible to remove” iophk said to us. Will Hill wrote: “There are still vendor supplied IE6 specific software that will not work outside of IE. One of my vendors at work told me one of their pieces of software might work with IE8 but no other browser, including the IE 11 that Microsoft had shoved onto most of the computers. This just highlights the fact that vendors who use Microsoft don’t care about their customers and that Microsoft does not care about anyone.”

Going only 3 days back, there is this news that Hacking Team helps governments take over Microsoft Windows through back/bug doors, exploiting fonts. “Unpatched systems,” wrote Paul Hill, “can be affected if the user opens a document or webpage that contains an embedded OpenType font file. As the font drivers in Microsoft systems run in kernel mode it means that an attacker could gain access to the entire system with the ability to add and remove programs and create new user accounts with admin privileges.”

Windows recently suffered from other font-related holes, and not for the first time, either. It’s an easy access point for the NSA into Windows (Microsoft tells the NSA before patching such holes). All versions of Windows are vulnerable and they have all been found vulnerable (without fixes) for decades.

What will the world look like after this back doors ‘leader’ and ‘champion’, Microsoft, is gone for good? Well, we need to ensure that NSA partners like Red Hat [1, 2, 3, 4, 5] don’t compromise GNU/Linux, too. Social engineering, bribes, blackmail, anonymous patches, etc. are the classic tricks of this trade.
