Bonum Certa Men Certa

Security Disinformation

Measuring electricity



Summary: Latest OpenSSL FUD and Microsoft's Howard Schmidt's role informing the public about cyber-security risks

OUR complaints about The Register have intensified recently [1, 2, 3, 4] because of poor articles like this one (see the comments).



The Register spreads FUD about OpenSSL (not the first such smear, after comparisons to "communism" too) and Bradley M. Kuhn from the SFLC has responded as follows:

Ok, Be Afraid if Someone's Got a Voltmeter Hooked to Your CPU



Boy, do I hate it when a FLOSS project is given a hard time unfairly. I was this morning greeted with news from many places that OpenSSL, one of the most common FLOSS software libraries used for cryptography, was somehow "severely vulnerable".

I had a hunch what was going on. I quickly downloaded a copy of the academic paper that was cited as the sole source for the story and read it. As I feared, OpenSSL was getting some bad press unfairly. One must really read this academic computer science article in the context it was written; most commenting about this paper probably did not.

First of all, I don't claim to be an expert on cryptography, and I think my knowledge level to opine on this subject remains limited to a little blog post like this and nothing more. Between college and graduate school, I worked as a system administrator focusing on network security. While a computer science graduate student, I did take two cryptography courses, two theory of computation courses, and one class on complexity theory. So, when compared to the general population I probably am an expert, but compared to people who actually work in cryptography regularly, I'm clearly a novice. However, I suspect many who have hitherto opined about this academic article to declare this "severe vulnerability" have even less knowledge than I do on the subject.


There are much bigger problems to worry about, such as the latest news about Windows botnets [1, 2, 3]. The authors of the Windows exploit might not even face a jail sentence, based on this report.

Three Spanish men were arrested last month for allegedly building an international network of more than 12 million hacked PCs that were used for everything from identity theft to spamming. But according to Spanish authorities and security experts who helped unravel the crime ring, the accused may very well never see the inside of a jail cell even if they are ultimately found guilty, due to insufficient cyber crime legislation in Spain.


Regarding this new article about Scott Charney's outrageous remarks [1, 2] (he worked for the US government before Microsoft hired him), Groklaw wrote 3 days ago: "First Microsoft fills the world with security issues and problems, then it wants the public to be taxed to fix them? I think Microsoft needs to fix its own software itself." Microsoft's own negligence [1, 2, 3] ought to have Microsoft bear the bill.

Howard Schmidt, the US Cyber Czar who came directly from Microsoft [1, 2, 3, 4], claims/pretends that there is no problem, even though many firms that include Google were intruded due to an Internet Explorer hole that Microsoft had knowingly ignored for 5 months [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12] (there are more security patches coming shortly). Even Google source code got grabbed. [via]

Operation Aurora continues to be a hot topic inside and outside of security circles. At this week’s RSA Conference in San Francisco many conversations are on the topic of the attacks that hit Google and dozens of other companies in January.


These reports indicate that proprietary source code got nicked from Google. Microsoft also nicks proprietary source code from companies/projects like Plurk [1, 2, 3, 4], which probably puts the Redmond-based company at the same side as the crackers.

"Cyberwar Hype Intended to Destroy the Open Internet," says this report from Wired. [via]

The biggest threat to the open internet is not Chinese government hackers or greedy anti-net-neutrality ISPs, it’s Michael McConnell, the former director of national intelligence.

McConnell’s not dangerous because he knows anything about SQL injection hacks, but because he knows about social engineering. He’s the nice-seeming guy who’s willing and able to use fear-mongering to manipulate the federal bureaucracy for his own ends, while coming off like a straight shooter to those who are not in the know.


And on the other hand, on the same occasion we find that "US urges 'action' needed to fight net attacks," according to the BBC.

Homeland Security secretary Janet Napolitano has admitted there is an urgent need to step up efforts to protect Americans from cyber attacks.


They seem to contradict themselves. Now they claim to be looking for ideas:

Homeland Security wants to pick your brains



[...]

The lucky winners will be invited to an event in Washington DC in late May or early June. They'll get to partner with the department to lead in the planning of the National Cybersecurity Awareness Campaign, due to launch in October.


Over at CNET, Dennis O'Reilly has this new article about "five ways to keep your [Windows] PC free of viruses and Trojans". Here is one of his suggestions.

If you can't give up Windows, you may still be able to install Linux on an old PC or in a partition of your Windows PC. Then you can use that system (or partition) whenever you engage in any sensitive computer activities. You'll find instructions for dual-booting Windows and the Ubuntu version of Linux on the Ubuntu Community Documentation site.


Thumbs up to Dennis.

"Usually Microsoft doesn't develop products, we buy products. It's not a bad product, but bits and pieces are missing."

--Arno Edelmann, Microsoft's European business security product manager

Comments

Recent Techrights' Posts

Comparing U.E.F.I. to B.I.O.S. (Bloat and Insecurity to K.I.S.S.)
By Sami Tikkanen
New 'Slides' From Stallman Support (stallmansupport.org) Site
"In celebration of RMS's birthday, we've been playing a bit. We extracted some quotes from the various articles, comments, letters, writings, etc. and put them in the form of a slideshow in the home page."
Thailand: GNU/Linux Up to 6% of Desktops/Laptops, According to statCounter
Desktop Operating System Market Share Thailand
António Campinos is Still 'The Fucking President' (in His Own Words) After a Fake 'Election' in 2022 (He Bribed All the Voters to Keep His Seat)
António Campinos and the Administrative Council, whose delegates he clearly bribed with EPO budget in exchange for votes
Adrian von Bidder, homeworking & Debian unexplained deaths
Reprinted with permission from Daniel Pocock
 
GNOME GUADEC 2022 & Debian Albanian women trafficked to Mexico?
Reprinted with permission from the Free Software Fellowship
Sainsbury's: It Takes Us Up to Two Days to Respond to Customers Upon Escalation (and Sometimes Even More Than Two Days)
It not only does groceries but also many other things, even banking
People Don't Just Kill Themselves (Same for Other Animals)
And recent reports about Boeing whistleblower John Barnett
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, March 18, 2024
IRC logs for Monday, March 18, 2024
Suicide Cluster Cover-up tactics & Debian exposed
Reprinted with permission from Daniel Pocock
Gemini Links 19/03/2024: A Society That Lost Focus and Abandoning Social Control Media
Links for the day
Matthias Kirschner, FSFE: Plagiarism & Child labour in YH4F
Reprinted with permission from Daniel Pocock
Linux Foundation Boasting About Being Connected to Bill Gates
Examples of boasting about the association
Alexandre Oliva's Article on Monstering Cults
"I'm told an earlier draft version of this post got published elsewhere. Please consider this IMHO improved version instead."
[Meme] 'Russian' Elections in Munich (Bavaria, Germany)
fake elections
Sainsbury's to Techrights: Yes, Our Web Site Broke Down, But We Cannot Say Which Part or Why
Windows TCO?
Plagiarism: Axel Beckert (ETH Zurich) & Debian Developer list hacking
Reprinted with permission from Daniel Pocock
Links 18/03/2024: Putin Cements Power
Links for the day
Flashback 2003: Debian has always had a toxic culture
Reprinted with permission from Daniel Pocock
Sainsbury’s Epic Downtime Seems to be Microsoft's Fault and Might Even Constitute a Data Breach (Legal Liability)
one of Britain's largest groceries (and beyond) chains
[Meme] You Know You're Winning the Argument When...
EPO management starts cursing at everybody (which is what's happening)
Catspaw With Attitude
The posts "they" complain about merely point out the facts about this harassment and doxing
'Clown Computing' Businesses Are Waning and the Same Will Happen to 'G.A.I.' Businesses (the 'Hey Hi' Fame)
decrease in "HEY HI" (AI) hype
Free Software Needs Watchdogs, Too
Gentle lapdogs prevent self-regulation and transparency
Matthias Kirschner, FSFE analogous to identity fraud
Reprinted with permission from Daniel Pocock
Gemini Links 18/03/2024: LLM Inference and Can We Survive Technology?
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, March 17, 2024
IRC logs for Sunday, March 17, 2024
Links 17/03/2024: Microsoft Windows Shoves Ads Into Third-Party Software, More Countries Explore TikTok Ban
Links for the day
Molly Russell suicide & Debian Frans Pop, Lucy Wayland, social media deaths
Reprinted with permission from Daniel Pocock
Our Plans for Spring
Later this year we turn 18 and a few months from now our IRC community turns 16
Open Invention Network (OIN) Fails to Explain If Linux is Safe From Microsoft's Software Patent Royalties (Charges)
Keith Bergelt has not replied to queries on this very important matter
RedHat.com, Brought to You by Microsoft Staff
This is totally normal, right?
USPTO Corruption: People Who Don't Use Microsoft Will Be Penalised ~$400 for Each Patent Filing
Not joking!
The Hobbyists of Mozilla, Where the CEO is a Bigger Liability Than All Liabilities Combined
the hobbyist in chief earns much more than colleagues, to say the least; the number quadrupled in a matter of years
Jim Zemlin Says Linux Foundation Should Combat Fraud Together With the Gates Foundation. Maybe They Should Start With Jim's Wife.
There's a class action lawsuit for securities fraud
Not About Linux at All!
nobody bothers with the site anymore; it's marketing, and now even Linux
Links 17/03/2024: Abuses Against Human Rights, Tesla Settlement (and Crash)
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, March 16, 2024
IRC logs for Saturday, March 16, 2024
Under Taliban, GNU/Linux Share Nearly Doubled in Afghanistan, Windows Sank From About 90% to 68.5%
Suffice to say, we're not meaning to imply Taliban is "good"
Debian aggression: woman asked about her profession
Reprinted with permission from Daniel Pocock
Gemini Links 17/03/2024: Winter Can't Hurt Us Anymore and Playstation Plus
Links for the day